PCI DSS Certification

Information for PAYONE GmbH customers on the change in PCI DSS requirements from version 3.2.1 to version 4.0 at a glance

On 31.03.2022, the PCI Security Standards Council (PCI SSC) published version 4.0 of the PCI DSS (Payment Card Industry Data Security Standard). For companies subject to PCI DSS verification requirements from 31.03.2024 pCI DSS version 4.0 will completely replace the previous version 3.2.1.

This means, for example, that a PCI certificate of conformity according to version 3.2.1 recognized on 30.03.2024 is valid for one year and then the renewal of the certificate must be available in version 4.0 by 30.03.2025.

The PCI DSS companies requiring proof are currently defined by PAYONE as follows:

All e-commerce merchants
All contracts with companies in PCI Level 1 and 2 (Level 1 and 2 merchants are defined as having more than 1 million transaction submissions p.a. with VISA or Mastercard).

What will change in general with version 4.0?

Additional guidelines and definitions, clarifications, changes to the structure and format of the PCI documents to be completed
Contains guidelines on the scope of application, implications of encrypted data, sampling, definition of the time frame, third-party service providers
Inclusion of new requirements
Removed or summarized requirements

FAQ
all about PCI DSS

What is PCI DSS?
PCI DSS is the abbreviation for "Payment Card Industry Data Security Standard" and is based on the security programs of the card organizations Visa, MasterCard SDP, Union Pay International and Diners/Discover.
These are security measures that are prescribed by the credit card companies to protect data security and must be checked at regular intervals. Merchants are divided into four PCI categories depending on the number of transactions transmitted per year. For PAYONE as an acquirer and payment service provider, the strictest requirements of level 1 apply.
What does this mean for you as a merchant?
In principle, every merchant who processes or stores credit card payments via their systems is subject to the certification obligation. If credit card transactions are processed without certification, i.e. without complying with the security requirements, there is a risk of high fines from the card organizations or even termination of the credit card acceptance contract. For you as a merchant, processing and storing your own credit card data not only represents a significant risk, but also a loss of customer reputation.
Am I obliged to comply with PCI DSS?
Yes, if you offer credit card payments, you undertake to comply with the PCI DSS security standard.
According to the regulations of the credit card organizations, the PCI DSS standard must be complied with by all companies that technically process or store credit card data. The integration of certified products from a payment service provider, such as PAYONE, means that a PCI DSS proof of compliance can be created quickly and easily. If necessary, PAYONE will ask its customers to submit proof of compliance on the PCI platform.
Is certification necessary?
Yes, certification is required You are always obliged to be able to provide proof of compliance with the current PCI DSS standard to the credit card organizations. Information on the certification process and compliance validation can be found here.
How do I get my access to PAYONE PCI DSS?
PAYONE sends a link and a password to those merchants who have to prove PCI compliance on the PCI platform. The merchant contact person for PCI can now log on to the PCI platform and is guided systematically through the next steps.
To make it as easy as possible for our merchants to select and process the right PCI questionnaire, we offer access to our PCI DSS platform. With the help of specific questions on the acceptance and processing of credit card data, the appropriate PCI questionnaire (-SAQ) type for your company is determined. It also determines whether quarterly external vulnerability scans are required to provide proof of compliance.
The self-assessment questionnaire is then provided with explanatory and help texts directly online for completion and temporary storage. You can also upload the results of external vulnerability scans to our PCI DSS platform or order them directly from our PCI cooperation partner, usd AG, at preferential conditions.
To the PCI DSS portals
What are the advantages of PCI DSS certification via PAYONE?
Simplified PCI DSS compliance when using the PAYONE platform via the Client API
Support by phone and e-mail from the experts at the PAYONE PCI DSS Competence Center
Support for categorizing and answering the questions on the PCI DSS platform
Maximum security standards for customer data at PAYONE
Risk-free option for accepting credit card payments
Secure processing of credit card payments
For online merchants: Our client API
Using the Client API is a smart solution for you as a merchant that makes it extremely easy for you to prove PCI DSS compliance. The Client API enables payments to be processed without the buyer being redirected away from your online offering. Using the "Hosted Multi iFrame Solution" from PAYONE, you can integrate PCI DSS-relevant input fields for card data as individual iFrames in your individual payment form. This gives you the greatest possible flexibility while maintaining PCI DSS compliance.
Why is your data safe with PAYONE?
To ensure reliable data security, PAYONE operates multiple server and database systems in real-time parallel operation as a maximum availability solution. Data transmission, storage and further processing of sensitive payment data is exclusively encrypted using TLS (Transport Layer Security) technology. This ensures that no third parties come into contact with the sensitive payment data at any stage of the process.
This maximum level of security at PAYONE is verified by external certification in accordance with Level 1 of the PCI DSS. In an on-site audit lasting several days, all security-relevant areas are checked in detail and compared with the strict requirements of the PCI standard. This primarily includes the up-to-dateness and permanent security of the IT infrastructure as well as the encryption and defense technologies used. All internal processes and guidelines are also carefully checked and logged against the background of the security of sensitive credit card data. The audit even goes beyond simply checking existing systems: every quarter, real attacks on the system are used to search for security vulnerabilities. In so-called penetration tests, external attacks are used to test whether it is possible to compromise the system. In this way, security vulnerabilities can be identified and rectified in good time, thus blocking the path to criminal actions in advance.

The PCI DSS
PAYONE PORTALS

Stationary (Terminals)

Here you can access the
PCI DSS Portal
of the former

B+S Card Service

To the login

Stationary (Terminals)

Here you can access the
PCI DSS portal
of the former

Ingenico Payment Services

To the login

Online

Here you can access the
PCI DSS portal
for PAYONE

E-commerce merchants

To the login

Recommendation to company/dealer/customer

PCI DSS Security for credit card data

FAQ
all about PCI DSS

The PCI DSS
PAYONE PORTALS

Stationary (Terminals)

Stationary (Terminals)

Online

Download PCI DSS
PCI DSS Certificate

PAYONE PCI-DSS DE Certificate 2024

PAYONE PCI-DSS EN Certificate 2024

PCI DSS Security for credit card data

FAQ all about PCI DSS

The PCI DSS PAYONE PORTALS

Stationary (Terminals)

Stationary (Terminals)

Online

Download PCI DSS PCI DSS Certificate

PAYONE PCI-DSS DE Certificate 2024

PAYONE PCI-DSS EN Certificate 2024

FAQ
all about PCI DSS

The PCI DSS
PAYONE PORTALS

Download PCI DSS
PCI DSS Certificate