What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) sets out the requirements merchants must meet to handle card payments securely and properly. It is critical for protecting privacy and preventing fraud and data breaches, and it is designed to protect sensitive information throughout the card payment lifecycle, from card acceptance to payment processing.
PCI compliance is managed by the PCI Security Standards Council and the five major card associations (Visa, Mastercard, Discover, American Express and JCB) to help ensure consistent cardholder protections across the globe.
For information on the PCI DSS standard, you can visit: pcisecuritystandards.org
PCI DSS Compliance Obligation Tier
Before you can begin working towards PCI DSS compliance, you need to determine your compliance "tier" (level) from the table below. Please note that the level is based on your transaction data from the last 52 weeks.
| PCI DSS level | Description |
| --- | --- |
| Level 1 | Merchants who process more than 6 million Visa or Mastercard transactions per year, or any merchant that has been designated as Level 1 by any card network (Visa, Mastercard, etc.). |
| Level 2 | Merchants who process between 1 million and 6 million Visa or Mastercard transactions per year. |
| Level 3 | Merchants who process between 20,000 and 1 million Visa or Mastercard e-commerce transactions per year. |
| Level 4 | Merchants that process fewer than 20,000 Visa or Mastercard e-commerce transactions per year, and other merchants that process up to 1 million Visa or Mastercard transactions per year. |
Source: Visa PCI DSS Compliance
Who needs to comply with PCI DSS?
Any merchant that accepts card payments (credit or debit) and/or transmits cardholder information must comply with the PCI standards and meet the applicable requirements. Which requirements apply depends on a variety of factors, including the nature of the organization and the number and size of its transactions.
GlobuyDirect customers using online payment products need to ensure that they meet the relevant PCI DSS compliance requirements; the following guidelines show what is required for each integration method.
| Integration method | Requirement for Level 2, Level 3 and Level 4 merchants |
| --- | --- |
| Get Paid/Pay By Link | No PCI DSS requirements |
| API integration only | Submit a PCI DSS AOC and renew it annually |
| Plug-in field integration | Submit the PCI DSS SAQ A-EP questionnaire and update it according to the specific policy |
| Embedded field integration (or any of our shopping platform plugins); hosted payment page integrations | Submit a PCI DSS SAQ A questionnaire and update it according to the specific policy |
| WooCommerce and Magento | Submit the PCI DSS SAQ A-EP questionnaire and update it according to the specific policy |
Note: If you are a Level 1 merchant and use any online payment method other than Get Paid/Pay by Link, you will need the following:
- A Report on Compliance prepared by a Qualified Security Assessor or by an internal auditor (if signed by a company executive)
- A submitted Attestation of Compliance (AOC) form
- Quarterly scans conducted by an Approved Scanning Vendor (ASV)
I need to be PCI DSS compliant, how do I do that?
If you determine that you need to be PCI DSS compliant, GlobuyDirect can guide you through the process. If you have already completed a PCI DSS form within the last 12 months, it can be provided to GlobuyDirect.
The table above will give you an idea of which forms you need to fill out, and you can download the documents below. You will need to send the completed form to your GlobuyDirect account manager.
If you do not provide the relevant information or do not meet the relevant PCI DSS compliance requirements, GlobuyDirect may choose not to provide, or to suspend, your payment services.
What happens if I am PCI DSS non-compliant?
The card networks can determine that you are "non-compliant", and you may be subject to significant fines. If you fail to correct your PCI DSS non-compliance status within each quarter, the fines may be doubled. For customers in EU countries, a PCI DSS violation is also a GDPR violation, because cardholder information is personal data.