PCI DSS Certification

In 2006, the major credit card companies established the Payment Card Industry Security Standards Council (PCI SSC). Its purpose is to develop and manage safety standards for companies that process card data. 

The Council establishes unified data-safety rules for card payments. These rules are called PCI DSS (Payment Card Industry Data Security Standards). They ensure the safety of online payments for consumers and banking providers. Before PCI DSS, card companies had their own safety standards programmes, with fairly similar requirements and goals.

What is PCI DSS?

PCI DSS is the international safety standards that any institution that captures, stores, processes or transfers cardholder data must comply with. PCI DSS establishes the basic safety standards for consumers, helping reduce fraud and card data leaks. It applies to all companies and organizations that accept or process payment card data. Compliance with PCI DSS is based on:

  • Collecting and transferring private data from consumers’ cards safely.
  • Storing data safely.
  • Checking required safety inspections yearly. This involves forms, questionnaires, external services to scan for threats and third-party audits.

Who must comply?

Your business is NOT required to be PCI DSS certified if your ecommerce platform:

  • Collects, sends or stores customers’ card data that is tokenized. As you don’t have direct contact with the card data, the standards do not affect you.
  • Stores and sends tokens received by Addon Payments.

Your business IS required to be PCI DSS certified if your ecommerce platform:

  • Collects, sends or stores customers’ card data that is not tokenized. Although card data only passes through your server momentarily, you have to buy, install and maintain security software and hardware, and submit to third-party audits.

Note: When we talk about tokenized/untokenized data, we mean credit card tokens. These are numbers and letters generated by an algorithm to make sure private card data remains confidential. 

Requests that require the merchant to have PCI DSS certification

The following examples show the types of requests that require certification and those that don’t. Look at the fields from “cardNumber” and “cardNumberToken”.

 [merchantId] => 12345
 [merchantTransactionId] => 13035363
 [amount] => 1.00
 [currency] => EUR
 [country] => ES
 [customerId] => 1
 [paymentSolution] => creditcards
 [chName] => First name Surname
 [cardNumber] => 4907270002222227
 [expDate] => 1234
 [cvnNumber] => 123
[merchantId] => 12345
[merchantTransactionId] => 13035363
[amount] => 1.00
[currency] => EUR
[country] => ES
[customerId] => 1
[paymentSolution] => creditcards
[cardNumberToken] => 6778376835132227

As you can see in the examples, the requests that DO require PCI DSS certification include card data (number, expiry date and CVN) that isn’t tokenized, meaning it is visible. However, requests that do NOT require certification contain tokenized data. 

What to do if your business requires PCI DSS certification?

If your ecommerce platform collects, transfers or stores data from consumers’ cards in a normal format (untokenized), we recommend you contact a third-party company that specializes in PCI DSS certification. These companies will explain and guide you through the process of becoming compliant and getting certified.

visto recientemente

Comparte este documento
Tabla de Contenidos

Consulta la documentación de las distintas secciones de integraciones:

Comienza a integrar

undraw_add_to_cart_re_wrdo 1 (1) (1)

Plugins para CMS

Complementa la integración

SDKs

Métodos de pago

Herramientas

Addon Payments

Consulta la documentación de Addon Payments. Aquí tienes las distintas secciones:

Integraciones

Consultas frecuentes

Portal Backoffice

Cyberpac

We are currently working on the English version of the Cyberpac documentation. You can view the Spanish version using the buttons below:

Canales BackOffice Portal

Plugins integration

Custom integrations

POS integrated Payments

Create a solution that will help you automate processes. You can even add payment processes on physical terminals.

Payment Integrated with Android POS

Payment Integrated with Smartphone POS

POS Data sheets

Addon Payments

Comercia Global Payments has several integration options so you can choose the most efficient one for you.

Integrations

Frequently Asked Questions

BackOffice Portal

Consult the documentation of the different integrations sections:​

Start integration

undraw_add_to_cart_re_wrdo 1 (1) (1)

CMS Plugins

Complement your integration

SDKs

Payment Methods

Tools