PCI-DSS Compliance

This article addresses PCI-DSS compliance and explains why ensuring it is crucial in the field of card payments.

Last updated 11 months ago

You will learn about the different levels of PCI-DSS compliance and how you can achieve PCI-DSS compliance through self-assessment.

What is PCI-DSS Compliance?

PCI-DSS stands for Payment Card Industry Data Security Standard.

The standard is maintained by the PCI Security Standards Council, which was founded in 2006 by American Express, Discover Financial Services, JCB International, Mastercard, and Visa with the goal of enhancing the security of cardholder data (the first version of the standard itself dates from December 2004).

What is Cardholder Data?

The term cardholder data (CHD) in e-commerce transactions includes:

  • The full card number (Primary Account Number, PAN)

  • The CVV/CVC code (the 3-digit security code on the back of the card, or the 4-digit code on the front of American Express cards)

Strictly speaking, the PCI-DSS classifies the security code as sensitive authentication data (SAD) rather than CHD; unlike the PAN, it must never be stored after authorization, not even in encrypted form. Cardholder name and expiry date also count as CHD when they are stored together with the PAN.

Why Do I Need PCI-DSS Compliance?

To accept card payments as a merchant, you need a contract with one or more acquiring banks. The card networks (e.g., Mastercard or Visa) require these acquirers to ensure that their merchants maintain PCI-DSS compliance.

Depending on your transaction volume, you may be asked to provide evidence of PCI-DSS compliance.

Ensuring PCI-DSS compliance is your responsibility as a merchant. Payrexx is here to support you.

How Does Payrexx Help?

  • Payrexx captures, transmits and stores cardholder data on its own PCI-DSS certified systems. If you use only Payrexx (redirect or iFrame) and card data never reaches your own servers or web forms, fulfilling PCI-DSS within the SAQ A scope is sufficient, which is by far the smallest questionnaire.

Which Level of PCI-DSS Compliance Do I Need?

The required level of compliance depends on the number of card transactions processed annually (the card networks count this per card brand):

  • Level 1: over 6 million transactions per year

  • Level 2: between 1 and 6 million transactions per year

  • Level 3: between 20 000 and 1 million e-commerce transactions per year

  • Level 4: fewer than 20 000 e-commerce transactions per year

The method for validating PCI-DSS compliance depends on the respective level:

  • Level 1: An annual on-site assessment by a PCI-DSS Qualified Security Assessor (QSA), documented in a Report on Compliance (ROC), is mandatory. If this applies to you, please contact our support team so we can assist you with this process.

  • Levels 2 – 4: A self-assessment questionnaire (SAQ) is sufficient for achieving PCI-DSS compliance.

How Does the Self-Assessment Work?

The type of Self-Assessment Questionnaire (SAQ) required depends on how card data is captured. With Payrexx's redirect and iFrame solutions the card form is rendered and submitted entirely on Payrexx's systems, so cardholder data never touches your servers or your page's own form fields; this is what makes the SAQ A self-assessment sufficient. If instead your page contains its own card fields (even ones that post directly to a payment provider), SAQ A no longer applies and a more extensive questionnaire (SAQ A-EP or SAQ D) is required. Note also that the prepared SAQ A document referenced in this article is based on PCI DSS v3.2.1, which the PCI Security Standards Council retired on 31 March 2024; the v4.x SAQ A adds requirements on managing payment-page scripts and detecting unauthorised changes to the payment page, so confirm with your acquirer which version they accept.

The following guide will help you complete the document correctly.
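As an added example (not Payrexx code), the following Python script performs a static check of a checkout page's HTML to see which integration pattern it follows: card fields on your own page (SAQ D if they post to your server, SAQ A-EP if they post directly to the provider) versus a redirect link or iframe to a hosted payment page (SAQ A). The provider host payrexx.com, the URL paths and the three sample pages are assumptions made for this example.

```python
"""Classify a checkout page by where cardholder data (CHD) would be entered.

Added example for the SAQ selection above; it is not Payrexx code.
Assumptions: the hosted payment page is served from a host under
payrexx.com (the paths used are placeholders), and merchant inputs that
would capture CHD are recognisable by name or autocomplete attribute.
The sample pages are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

PAYMENT_HOSTS = ("payrexx.com",)   # provider hosts allowed to render the card form (assumption)
CHD_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year"}
CHD_NAME_HINTS = ("card", "cvv", "cvc", "csc")   # substring match on the input name
CHD_NAME_EXACT = {"pan"}


def is_payment_host(url):
    """True only for the provider host itself or a subdomain of it (no substring tricks)."""
    host = (urlparse(url or "").hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in PAYMENT_HOSTS)


def captures_chd(name, autocomplete):
    return (autocomplete in CHD_AUTOCOMPLETE or name in CHD_NAME_EXACT
            or any(h in name for h in CHD_NAME_HINTS))


class CheckoutScanner(HTMLParser):
    """Collect CHD-capturing inputs and provider iframes/links from one page."""

    def __init__(self):
        super().__init__()
        self.form_action = None    # action of the <form> currently open
        self.chd_inputs = []       # (field, form action) for inputs that capture CHD
        self.provider_frames = []  # <iframe src> pointing at a payment host
        self.provider_links = []   # <a href> / <form action> pointing at a payment host

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "form":
            self.form_action = a.get("action", "")
            if is_payment_host(self.form_action):
                self.provider_links.append(self.form_action)
        elif tag == "input":
            name, ac = a.get("name", "").lower(), a.get("autocomplete", "").lower()
            if captures_chd(name, ac):
                self.chd_inputs.append((name or ac, self.form_action or ""))
        elif tag == "iframe" and is_payment_host(a.get("src")):
            self.provider_frames.append(a["src"])
        elif tag == "a" and is_payment_host(a.get("href")):
            self.provider_links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None


def classify_checkout(html):
    """Return the SAQ type the page's integration pattern points to."""
    s = CheckoutScanner()
    s.feed(html)
    if s.chd_inputs:
        # CHD is typed into the merchant's own page, so SAQ A is ruled out: a post
        # to the merchant server puts CHD in scope (SAQ D); a direct post from the
        # browser to the provider still leaves the page in control of the form (SAQ A-EP).
        to_merchant = [f for f, action in s.chd_inputs if not is_payment_host(action)]
        scope = "SAQ D" if to_merchant else "SAQ A-EP"
    elif s.provider_frames or s.provider_links:
        scope = "SAQ A"           # redirect or iframe: CHD never reaches the merchant
    else:
        scope = "unknown"         # no payment integration found on this page
    return {"scope": scope, "chd_inputs": s.chd_inputs,
            "provider_frames": s.provider_frames, "provider_links": s.provider_links}


# Constructed sample pages (hosts/paths are placeholders, not real Payrexx URLs).
HOSTED_IFRAME_PAGE = """<form action="/order" method="post"><input name="email"></form>
<iframe src="https://yourshop.payrexx.com/pay/example-order"></iframe>"""
REDIRECT_PAGE = """<form action="/order" method="post"><input name="email"></form>
<a href="https://yourshop.payrexx.com/pay/example-order">Pay now</a>"""
OWN_FORM_PAGE = """<form action="/checkout/pay" method="post">
  <input name="card_number" autocomplete="cc-number"><input name="cvv" autocomplete="cc-csc">
</form>"""
DIRECT_POST_PAGE = """<form action="https://yourshop.payrexx.com/direct-post" method="post">
  <input name="card_number"><input name="cvc">
</form>"""

if __name__ == "__main__":
    for label, page in [("iframe", HOSTED_IFRAME_PAGE), ("redirect", REDIRECT_PAGE),
                        ("own form", OWN_FORM_PAGE), ("direct post", DIRECT_POST_PAGE)]:
        print(f"{label:12} -> {classify_checkout(page)['scope']}")
```

The check is a sanity test of your integration, not a substitute for the eligibility criteria in the SAQ itself: scripts that inject card fields or iframes at runtime are invisible to a static scan, and the final decision on the questionnaire type rests with your acquirer.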

Section 1: Assessment Information

Page 7

Please fill in your company information (screenshot in the original article: company data in section 1 of the self-assessment).

Page 8

Describe your business under "Description of Payment Card Business" in relation to payment cards. Also, list your company's locations and, if you have integrated Payrexx into your own system, the data centres used by your web application (screenshot in the original article: information on the payment card business in section 1 of the self-assessment).

Page 9

This page carries the "Eligibility to Complete SAQ A" declarations (screenshot in the original article: verification of eligibility in section 1 of the self-assessment).

Section 2: Self-Assessment Questionnaire A

Section 2 deals with the various requirements you must meet.

Page 10

If you are only using the hosted Payrexx tools (for example Paylink, Pages, QR Pay, Invoice or Donation) and no e-commerce shop or other application of your own is connected to Payrexx, you can mark requirements 2, 8, and 9 as N/A and continue with requirement 12.

If you are using your own software connected to Payrexx, you must complete all requirements, including numbers 2, 8, and 9.

Requirement 2

Applies to the web hosting or server where your web application connected to Payrexx is installed (either with a redirect, a modal, or an iFrame solution). The requirements concern system passwords and other security parameters.

2.1 (a)

Are vendor-supplied defaults always changed before installing a system on the network?

Ensure that no account on your web server (FTP accounts, the web hosting control panel, operating system users and database accounts) still uses a vendor-supplied default password. If your passwords are managed by a web hosting partner, obtain written confirmation that default passwords are not used.

2.1 (b)

Are unnecessary default accounts removed or disabled before installing a system on the network?

Please ensure that default accounts are deactivated. If you are working with a web hosting partner, obtain written confirmation of this.

Requirement 8

Applies to the web hosting or server where your web application connected to Payrexx is installed (either with a redirect, a modal, or an iFrame solution). The requirements concern authentication and access to the server.

8.1.1

Are all users assigned a unique ID before allowing them to access system components or cardholder data?

Ensure that all users (database, operating system, SSH, and FTP users) are assigned a unique ID. If you are working with a web hosting partner, obtain written confirmation of this.

8.1.3

Is access for any terminated users immediately deactivated or removed?

Ensure that no accounts of terminated employees are active.

8.2

In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users?

  • Something you know, such as a password or passphrase

  • Something you have, such as a token device or smart card

  • Something you are, such as a biometric

Ensure that no account exists or can log in without a password (or another authentication factor). If you are working with a web hosting partner, obtain written confirmation of this.

8.2.3 (a)

Are user password parameters configured to require passwords/passphrases meet the following?

  • A minimum password length of at least seven characters

  • Contain both numeric and alphabetic characters

Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the parameters specified above.

Ensure that all passwords comply with the requirement.

8.5

Are group, shared, or generic accounts, passwords, or other authentication methods prohibited as follows:

  • Generic user IDs and accounts are disabled or removed;

  • Shared user IDs for system administration activities and other critical functions do not exist; and

  • Shared and generic user IDs are not used to administer any system components?

Ensure that no user accounts are shared among multiple individuals. Generic user accounts or default user accounts must be disabled.
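The following Python script is an added example (not Payrexx code) that turns the checks for Requirements 2 and 8 above into something you can run against a Linux host before answering 2.1(b), 8.1.1, 8.1.3, 8.2, 8.2.3(a) and 8.5: it reads passwd, shadow and sshd_config data, then flags shared UIDs, passwordless logins, enabled generic or vendor-default accounts, still-active terminated users, and SSH settings that allow direct root or empty-password logins. The sample file contents, the list of generic account names and the set of terminated users are constructed assumptions.

```python
"""Audit Linux account data against SAQ A Requirements 2 and 8.

Added example for Requirements 2 and 8 above; it is not Payrexx code and
does not replace the written policy the questionnaire asks for.  The
/etc/passwd, /etc/shadow and sshd_config contents are constructed samples;
on a real host read the files instead (/etc/shadow needs root).  The list
of generic and vendor-default account names is an assumption to adapt."""
import re

# Generic / vendor-default logins that 2.1(b) and 8.5 want disabled (assumption).
GENERIC_ACCOUNTS = {"admin", "guest", "test", "demo", "user", "ftp", "webmaster"}


def password_meets_policy(pw):
    """8.2.3(a): at least seven characters, containing both letters and digits."""
    return (len(pw) >= 7
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None)


def audit_accounts(passwd_text, shadow_text, sshd_config_text="", terminated=()):
    """Return (requirement, account, finding) tuples for policy violations."""
    findings = []
    shells, by_uid = {}, {}
    for line in passwd_text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
            shells[user] = shell
            by_uid.setdefault(uid, []).append(user)
    # 8.1.1: two logins on one UID are the same identity to the kernel and to
    # the audit log, so actions cannot be attributed to one person.
    for uid, users in by_uid.items():
        if len(users) > 1:
            findings.append(("8.1.1", ",".join(users), f"accounts share UID {uid}"))
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, pw_hash, *_ = line.split(":")
        locked = pw_hash.startswith(("!", "*"))          # "!"/"*" prefix = login disabled
        can_login = not shells.get(user, "").endswith(("nologin", "/false"))
        if pw_hash == "" and can_login:                  # empty hash field = no password
            findings.append(("8.2", user, "account has no password"))
        if user in GENERIC_ACCOUNTS and not locked and can_login:
            findings.append(("8.5", user, "generic account is enabled"))
        if user in terminated and not locked:            # 8.1.3 needs the HR leaver list
            findings.append(("8.1.3", user, "terminated user still active"))
    # sshd settings that undermine 8.2 / 8.5 regardless of the account files.
    for line in sshd_config_text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key == "PermitEmptyPasswords" and value.lower() == "yes":
            findings.append(("8.2", "sshd", "PermitEmptyPasswords yes"))
        if key == "PermitRootLogin" and value.lower() == "yes":
            findings.append(("8.5", "sshd", "root may log in directly (shared admin identity)"))
    return findings


# Constructed sample data: one shared UID 0, one passwordless login, one
# enabled vendor-default account, one locked guest, one service account.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ops:x:0:0:second root login:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
admin:x:1001:1001:vendor default:/home/admin:/bin/bash
guest:x:1002:1002:guest:/home/guest:/bin/bash
"""
SHADOW = """\
root:$6$saltsalt$examplehash:19800:0:99999:7:::
ops:$6$saltsalt$examplehash:19800:0:99999:7:::
www-data:*:19800:0:99999:7:::
alice::19800:0:99999:7:::
admin:$6$saltsalt$examplehash:19800:0:99999:7:::
guest:!:19800:0:99999:7:::
"""
SSHD_CONFIG = """\
PermitRootLogin yes
PermitEmptyPasswords no
PasswordAuthentication yes
"""

if __name__ == "__main__":
    for req, account, finding in audit_accounts(PASSWD, SHADOW, SSHD_CONFIG):
        print(f"{req:7} {account:12} {finding}")
```

Run it as root against the real files and keep the output with the written policy. A clean run does not answer 2.1(a): whether vendor default passwords were changed still has to be confirmed against the vendor's defaults or the hosting partner's written statement.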

Requirement 9

Applies to the web hosting or server where your web application, connected to Payrexx, is installed (either with a redirect, a modal, or an iFrame solution). The requirements concern the physical security of the servers.

If you use a third-party provider for your hosting, verify the requirements with the support of the hosting partner.

Since most websites are not hosted on-premises, we will not go into detail on this requirement.

If your hosting provider is itself PCI-DSS compliant, mark requirement 9 as N/A. This applies, for example, to Amazon Web Services or Google Cloud. Note that the provider's attestation covers the physical security of its data centres only; the configuration of your servers and application (requirements 2 and 8) remains your responsibility.

If the hosting provider is not PCI-DSS compliant, ask whether they can confirm in writing that the physical access controls of requirement 9 are in place. If they can, answer the question with "Yes".

Requirement 12

Applies to the web hosting or server where your web application, connected to Payrexx, is installed (either with a redirect, a modal, or an iFrame solution). The requirements concern the providers handling CHD on your behalf.

12.8.1

Is a list of service providers maintained, including a description of the service(s) provided?

Maintain a list of service providers who could impact the security of the cardholder data.

In principle, you must have Payrexx on this list of service providers. If you use additional payment service providers, you must also list them.

12.8.2

Is a written agreement maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process, or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment?

12.8.3

Is there an established process for engaging service providers, including proper due diligence prior to engagement?

Ensure that you have a formal process for engaging service providers like Payrexx.

12.8.4

Is a program maintained to monitor service providers’ PCI-DSS compliance status at least annually?

Ensure that you have a process in place to annually review the PCI-DSS compliance of Payrexx.

12.8.5

Is information maintained about which PCI-DSS requirements are managed by each service provider, and which are managed by the entity?

Payrexx assumes full responsibility for all services provided by *.payrexx.com. You are responsible for the servers and applications that connect to Payrexx.

12.10.1.a

Has an incident response plan been created to be implemented in the event of system breach?

Signature

By signing the self-assessment, you confirm that you have truthfully completed all questions. You can then send the completed Self-Assessment Questionnaire to Payrexx at compliance@payrexx.com.

Notes and templates

Payrexx is certified as a PCI-DSS Level 1 Service Provider, which covers many of the more than 250 PCI-DSS requirements on Payrexx's side and simplifies your own path to compliance. The current Attestation of Compliance (AoC) from Payrexx is dated June 10, 2024; keep it on file as evidence for the annual review under requirement 12.8.4.

If you receive cardholder data through other channels (e.g., at the Point of Sale, over the phone, or via email) in addition to Payrexx, you must meet additional requirements beyond those mentioned in this article, and SAQ A alone no longer covers you. Please contact our support team for further assistance.

The following documents are referenced in the sections above:

  • Questionnaire: a prepared SAQ A document in English can be found under PCI-DSS-v3_2_1-SAQ-A.pdf.

  • Eligibility (Section 1, page 9): read the "Eligibility to Complete SAQ A" section carefully first. If you cannot confirm one or more of its statements, you will likely need to complete a different self-assessment; please contact our support team in this case.

  • Requirement 2: document your configuration standard in writing. Template: Policy / Procedures Template Download.

  • Requirement 8: a written policy is required. Template: Policy / Procedures Template Download.

  • Requirement 12.8.2: you need a written agreement with Payrexx. Use the template PCI-Agreement-with-Merchants.pdf and send the signed agreement to compliance@payrexx.com for Payrexx to countersign.

  • Requirement 12.10.1.a: maintain an Incident Response Plan that addresses a potential security incident. Template: Incident Response Plan Template Download.

  • Requirement 12: a written policy is required. Template: Policy / Procedures Template Download.