What Does PCI Mean for Your Payment Processes?


The Payment Card Industry Data Security Standard (in short: PCI DSS) addresses security standards that protect customers from fraud and credit card theft. What do these standards mean for your payment processes?

Payment Card Industry Security Standards Council (PCI SSC)

The standards for the PCI DSS were developed and published by a council which includes all leading credit card businesses such as MasterCard, Visa, American Express and JCB. These standards apply to all participating partners in the payment process. Further information is available on the PCI Wiki.

Relevant PCI Certification information for businesses

According to the credit card organizations, the PCI standards must be observed by all businesses that accept, process, store and forward customers' credit card information. This applies regardless of processing time. Credit card information includes details such as the card number and expiration date.

PCI in cooperation with payment service providers (PSPs)

Businesses that do not store, process or forward credit card data do not have to comply with PCI DSS themselves, but they do need to partner with service providers that are compliant with the standards. Businesses that process credit card data must prove their compliance with the standards to their acquirers.

Costs of a PCI Certification

The cost of a PCI certification depends on the classification level of the retailer or the PSP and on the number of IP addresses. For example, when the classification level of a business is high, the number of yearly security scans increases. Certain providers may offer scans of one IP address for a fixed amount, such as 220 euros. The biggest expense is the technical implementation needed to handle and monitor all incoming credit card data in a way that fulfills the PCI requirements.

What occurs during a PCI security scan?

During a PCI security scan, all internet-accessible systems of the retailer or their PSP are examined for weaknesses. These systems typically include routers, firewalls, web servers, mail servers, application servers, load balancers and database servers.

PCI compliance process

Retailers are required to regularly prove that they are compliant with PCI standards. Depending on their level of compliance, retailers must fulfill certain standards and prove their conformity yearly.

What are the compliance levels and standards?

Retailers are assigned to different categories by the credit card companies. The category depends on the number of credit card transactions that occur yearly. In total, there are four different levels. Level one is the highest. A business falls into it if it has a minimum of 6 million credit card transactions per year, has already suffered an attack, has experienced problems with credit card data having been compromised, or is already listed as level one by another credit card company. A retailer classified as level one must be examined four times a year through external security scans and once a year through an on-site audit.

The following graphic gives an overview of the four levels:

[Figure: PCI Compliance Levels for Businesses]

PCI compliance process audits

Retailers register with a certification company, such as the TÜV (Technischer Überwachungsverein), a technical inspection association. These associations assess the classification of a business and make sure it complies with the PCI requirements. With the help of different questionnaires and self-assessments, the examination can be completed through the certifying agency.

Security scans in the PCI process

Depending on the qualifications of the business, security scans are done externally to check for and assess any weaknesses in the process. If all scans are successful and requirements are fulfilled, then the business receives the PCI certificate. If any weaknesses are identified, the retailer must fix them and then undergo the security process once more.

Requirements of the PCI DSS

There are 12 PCI DSS requirements:

  1. Installation and upkeep of a firewall configuration to protect credit card owners.
  2. Default settings from providers should not be used for system passwords and security parameters.
  3. Protection for saved credit card data.
  4. Data encryption when cardholder information is transferred on open or public networks.
  5. Use and regular updates of antivirus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access of credit card holder data dependent on business requirements.
  8. A unique identity is assigned to everyone who accesses the site.
  9. Restrict physical access to cardholder data.
  10. Tracking and surveillance of all access to network and cardholder data.
  11. Regular testing of the security system and processes.
  12. Adherence to all information security requirements.

Current version of PCI DSS 3.2.

The PCI Security Standards Council (PCI SSC) regularly updates standards for data security in online payment traffic to new versions. The current version is the Payment Application Data Security Standard Version 3.2 (PA-DSS Version 3.2). The older version 3.1 expired on the 31st of October, 2016. Find out more information here.

