PCI DSS - information for merchants
PCI DSS (Payment Card Industry Data Security Standard) is a security standard applicable to all entities that process, store or transmit payment card data.
What is PCI DSS
PCI DSS is a set of security requirements developed by the PCI Security Standards Council (PCI SSC) - an organization founded by Visa, Mastercard, American Express, Discover and JCB. The standard defines minimum technical and operational requirements for protecting cardholder data.
The current version of the standard is PCI DSS v4.0.
PCI DSS compliance levels
The compliance level depends on the annual number of card transactions processed by the merchant:
| Level | Annual transaction volume | Requirements |
|---|---|---|
| Level 1 | Over 6 million | Annual audit by a QSA (Qualified Security Assessor), quarterly ASV scan |
| Level 2 | 1-6 million | Annual SAQ, quarterly ASV scan |
| Level 3 | 20,000 to 1 million (e-commerce) | Annual SAQ, quarterly ASV scan |
| Level 4 | Below 20,000 (e-commerce) or below 1 million (other channels) | Annual SAQ, quarterly ASV scan (recommended) |
Requirements for merchants
PCI DSS compliance is required when your infrastructure in any way processes, stores or transmits payment card data. This includes:
- Card number (PAN)
- CVV/CVC code
- Expiration date
- Cardholder name
If you use only the standard dpay integration (redirect to the payment page), card data does not reach your infrastructure and you do not need PCI DSS certification.
SAQ - Self-Assessment Questionnaire
SAQ is a self-assessment questionnaire that the merchant fills out to confirm PCI DSS compliance. The questionnaire type depends on the integration model:
| SAQ type | Applies to | Description |
|---|---|---|
| SAQ A | Merchant redirecting to the payment page | Simplest questionnaire - card data does not reach the merchant's infrastructure |
| SAQ A-EP | Merchant with a form on their site, but data sent directly to the PSP | The merchant's site affects transaction security, although data does not pass through their server |
| SAQ D | Merchant processing card data on their server | Most comprehensive questionnaire - full PCI DSS compliance |
When PCI DSS applies to you
Standard integration (redirect)
With the standard dpay integration, the customer is redirected to the dpay payment page, where they enter their card details. Your infrastructure does not process card data - SAQ A is sufficient.
Server-to-Server integration (S2S)
With S2S integration, card data is encrypted on your site and transmitted through your infrastructure. This model requires:
- PCI DSS certification (minimum SAQ D)
- dpay approval to enable S2S mode
- Regular audits and security scans
To obtain approval for S2S integration, contact the dpay team. We will help determine the required PCI DSS compliance level.
Official resources
- PCI Security Standards Council - official PCI SSC website
- PCI DSS v4.0 documentation - full text of the standard
- SAQ list - self-assessment questionnaires for download