PCI DSS Compliance
PCI DSS stands for Payment Card Industry Data Security Standard.
The PCI DSS Council was formally founded on the 7th of September 2006 by American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc.
This standard covers everything about keeping Cardholder Data safe.
The term Cardholder Data (CHD for short) for e-commerce payments includes:
When you receive card payments, you have a contract with one or more acquiring banks. These acquiring banks have an obligation to the card schemes (e.g. Mastercard, VISA) to ensure a certain level of PCI DSS compliance among their merchants. Whether and how you are asked to certify for PCI DSS depends on your transaction volume.
It is your responsibility to ensure that you are PCI DSS compliant. Payrexx is happy to help you with this.
- Payrexx is PCI DSS Level 1 Service Provider compliant and therefore covers most of the > 250 requirements of PCI DSS, which makes it easier for you to reach conformity. The current AoC of Payrexx can be found here: https://www.payrexx.com/Payrexx-AOC-PCI-DSS-v3-2-1-20220726_signed.pdf
- If you receive credit card payments through channels other than Payrexx (PoS, phone, email), you need to meet further PCI DSS requirements. Please get in touch with us by creating a ticket.
- If you do not use any system other than Payrexx, you must comply with PCI DSS within the SAQ-A scope.
The level of compliance is decided by the number of card transactions you receive in a year:
- Level 1: more than 6 million transactions in a year.
- Level 2: between 1 and 6 million transactions in a year.
- Level 3: between 20,000 and 1 million transactions in a year.
- Level 4: fewer than 20,000 transactions in a year.
Depending on the applicable level, the way PCI DSS compliance is tested differs:
- Level 1: You must have an on-site assessment performed by a PCI DSS QSA. If this applies to you, please contact our support team by creating a ticket, so we can assist you in this process.
- Level 2 - 4: You can achieve PCI DSS compliance with a Self-Assessment Questionnaire (SAQ).
The self-disclosure you need to complete depends on the type of Payrexx integration. Payrexx offers iFrame solutions and a redirect; for both of these, the SAQ-A self-disclosure is sufficient.
On page 7 you need to fill in information about your company.

Enter a description of your business in relation to payment cards under "Description of Payment Card Business".
You will also need to specify your company headquarters and the data centers used for your web application, if you have integrated Payrexx into your system.

Read the Eligibility to Complete SAQ A section carefully. If you disagree with any of the items, you will likely need to complete another self-disclosure. In this case, please contact our support.

Section 2 is about the requirements you need to fulfill.
If you only use Payrexx tools without another e-commerce store or application connected to Payrexx, you can mark the following requirements as N/A: 2, 8, 9.
Please then continue with requirement 12.
If you have your own software connected to Payrexx, you need to go through all requirements.
Requirement 2 is applicable to your web hosting / server on which you have installed your web application that is connected to Payrexx (either with a redirect or a modal / iframe solution). The requirements concern system passwords and other security parameters.
Make sure that your web server (e.g. FTP account, web hosting account, operating system users, database accounts) does not use default passwords. If you use a web host, get this confirmed in writing.
It is important that you have a written configuration standard that specifies this. You can find a template at: Policy / Procedures Template Download
Make sure that default accounts are disabled. If you use a web host, get this confirmed in writing.
Requirement 8 is applicable to your web hosting / server on which you have installed your web application that is connected to Payrexx (either with a redirect or a modal / iframe solution). The requirements concern authentication and access to those servers.
Make sure that all users (database users, operating system users, SSH users, FTP users) are assigned a unique ID. If you use a web host, get this confirmed in writing.
Ensure that no accounts of terminated employees are active.
Make sure that no users exist or are allowed without a password. If you use a web host, get this confirmed in writing.
8.2.3.a - Are user password parameters configured to require passwords/passphrases to meet the following?
- A minimum password length of at least seven characters
- Contain both numeric and alphabetic characters.
Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the parameters specified above.
Make sure that the passwords meet the requirement.
Make sure that there are no user accounts that are used by more than one person. General user accounts or default user accounts must be disabled.
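The checks above for requirement 2 (default accounts disabled) and requirement 8 (unique IDs, no passwordless accounts, password parameters per 8.2.3.a) can be spot-checked on a Linux host before you ask your web host for written confirmation. The following Python script is an added example and is not part of the Payrexx article; it assumes Linux-style `/etc/passwd` and `/etc/shadow` files, the sample lines are constructed, and the list of generic account names (`admin`, `test`, `guest`, `shared`) is an assumption you should replace with the default accounts of your own stack.

```python
"""Audit helpers for SAQ-A requirements 2 and 8 (added example, not Payrexx code).

Run on a copy of /etc/passwd and /etc/shadow (reading /etc/shadow needs root);
the constructed sample below lets the script run offline.
"""
from collections import Counter

# Password parameters as quoted from SAQ A requirement 8.2.3.a.
MIN_PASSWORD_LENGTH = 7

# Assumed list of generic/default account names; adapt to your stack.
DEFAULT_GENERIC_NAMES = ("admin", "test", "guest", "shared")

# Shells that prevent interactive login; such accounts are effectively disabled.
NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")

# Constructed sample data: 'deploy' and 'shopadmin' share UID 1000,
# 'test' is a generic account with an empty (passwordless) shadow field.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1000:1000:Deploy:/home/deploy:/bin/bash
shopadmin:x:1000:1000:Shop admin:/home/shopadmin:/bin/bash
test:x:1001:1001::/home/test:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$constructed$notarealhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
deploy:$6$constructed$notarealhash:19000:0:99999:7:::
shopadmin:$6$constructed$notarealhash:19000:0:99999:7:::
test::19000:0:99999:7:::
"""


def meets_pci_password_policy(password: str) -> bool:
    """True if the password satisfies 8.2.3.a: at least seven characters,
    containing both alphabetic and numeric characters."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    return has_alpha and has_digit


def parse_passwd(text: str):
    """Parse passwd(5)-style lines into (name, password_field, uid, shell)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed lines rather than guess
        name, pw, uid, _gid, _gecos, _home, shell = fields
        entries.append((name, pw, int(uid), shell))
    return entries


def parse_shadow(text: str):
    """Parse shadow(5)-style lines into {name: password_field}."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            out[fields[0]] = fields[1]
    return out


def is_locked(pw_field) -> bool:
    """A shadow field starting with '!' or '*' (or absent) cannot be used to log in."""
    return pw_field is None or pw_field.startswith(("!", "*"))


def audit_accounts(passwd_text: str, shadow_text: str,
                   generic_names=DEFAULT_GENERIC_NAMES) -> dict:
    """Return findings for: accounts without a password, shared UIDs,
    and enabled generic/default accounts."""
    findings = {"passwordless": [], "duplicate_uid": [], "generic_account": []}
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    for name, pw, uid, shell in users:
        if shell in NOLOGIN_SHELLS:
            continue  # cannot log in interactively; treat as disabled
        # 'x' in passwd means "look in shadow"; any other value is the hash itself.
        effective = shadow.get(name) if pw == "x" else pw
        if effective == "":
            findings["passwordless"].append(name)  # requirement 8: no empty passwords
        if name in generic_names and not is_locked(effective):
            findings["generic_account"].append(name)  # requirement 2: defaults disabled
    uid_counts = Counter(uid for _, _, uid, _ in users)
    findings["duplicate_uid"] = [u for u, n in uid_counts.items() if n > 1]  # unique IDs
    return findings


if __name__ == "__main__":
    for key, value in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{key}: {value}")
```

On the constructed sample the audit reports `test` as passwordless and as an enabled generic account, and UID 1000 as shared between two users; each finding maps to one of the written confirmations you need from your web host.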
It is important that you have a written policy for requirement 8. You can find a template at: Policy / Procedures Template Download
Requirement 9 is applicable to your web hosting / server on which you have installed your web application that is connected to Payrexx (either with a redirect or a modal / iframe solution). The requirements concern the physical security of the servers.
If you use a third-party provider for your hosting, check the requirements with their support.
Since most websites are not hosted on an on-site server, we do not elaborate on this requirement.
If your hosting provider is PCI DSS compliant (e.g. Amazon Web Services, Google Cloud), mark requirement 9 as N/A.
If the hosting provider is not PCI DSS compliant, confirm the requirement with the hosting provider, and you can then mark it as Yes.
Requirement 12 is applicable to your web hosting / server on which you have installed your web application that is connected to Payrexx (either with a redirect or a modal / iframe solution). The requirements concern the service providers that handle CHD on your behalf.
You must have Payrexx on this service provider list.
If you use other payment service providers, you would have to list them as well.
12.8.2 - Is a written agreement maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process, or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment?
You must have an agreement with Payrexx. For this, we provide you with a template: https://www.payrexx.com/pcidss/PCI-Agreement-with-Merchants.pdf.
Please send the signed agreement to [email protected], so that Payrexx can countersign it.
Make sure you have a formal process for engaging service providers like Payrexx.
Make sure you have a process in place to check Payrexx's PCI DSS compliance on an annual basis.
Payrexx bears full responsibility for all services provided by *.payrexx.com. You are responsible for the servers/applications that connect to Payrexx.
Ensure that an Incident Response Plan is maintained to cover a potential security incident. A template for this Incident Response Plan can be found here: Incident Response Plan Template Download
It is important that you have a written policy for requirement 12. You can find a template here: Policy & Procedure Templates
With your signature on the self-disclosure, you confirm that you have truthfully completed all questions. You can now send the SAQ to Payrexx at [email protected].