July 07, 2021


PCI DSS stands for "Payment Card Industry Data Security Standard", and lays out the requirements that need to be met to transmit, store, handle or accept credit/debit card data.

The term PCI DSS defines a number of requirements that need to be met in order to transmit, store, handle and accept credit card data. Depending on the scope, their are different levels of PCI DSS with different requirements. PCI DSS compliance is established through a certification process carried out by an independent auditor or via a self-assessment questionnaire (SAQ), depending on the scope. Merchants who do not store credit card details themselves, but instead use a third party vault, typically only require a SAQ.

All organizations, regardless of size and transaction volume that accept, transmit or store credit, debit or prepaid card data from the major card networks (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc) must comply with the PCI DSS requirements.

PCI DSS compliance is required by any business that transmits, stores, processes or accepts credit card data. There are various levels of compliance requirements, that depend on what data is stored and the transaction volume.

PCI DSS was introduced in 2004. As payment fraud increased, credit card industry leaders decided to develop common security standards. The founding members of PCI - American Express, Discover Financial Services, JCB International, Mastercard and Visa - developed PCI DSS, which became mandatory from 15 December 2004.

PCI compliance has been mandatory for business that transmit, store, or handle credit card data since 15 December 2004.

If certified at the appropriate level and required for business purposes, the cardholder's name, PAN, expiration date and service code can be stored. Outsourcing the storage of sensitive payment data to a third party vault allows merchants to reduce their PCI DSS scope and thus qualify for a lower level of certification. Lower levels have less stringent requirements, and merchants who do not store any sensitive payment data themselves may be able to complete a self-assessment questionnaire. Businesses like IXOPAY who store credit card details need to undergo regular recertification and audits by an independent party.

Further Information: