PCI DSS Compliance

Description

PCI DSS stands for Payment Card Industry Data Security Standard.

The PCI Security Standards Council (PCI SSC) was formally founded on 7 September 2006 by American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc. The standard covers everything about keeping cardholder data safe.

Definition of Cardholder Data

The term Cardholder Data (short CHD) regarding e-commerce payments includes:

  • The complete card number (primary account number, PAN)

  • CVV/CVC code (the 3-digit security code on the back of the card, or the 4-digit code on the front of American Express cards)

Note that PCI DSS classes the CVV/CVC code as Sensitive Authentication Data (SAD): it must never be stored after authorization, not even encrypted. Any integration in which your own systems see this value directly does not qualify for the SAQ A scope described below.

Being PCI DSS compliant

When you accept card payments, you have a contract with one or more acquiring banks. These acquirers are in turn obliged by the card schemes (e.g. Mastercard, Visa) to ensure that their merchants are PCI DSS compliant. Whether, and how, you are asked to validate your compliance depends on your transaction volume (see the levels below) and on your acquirer.

It is your responsibility to ensure that you are PCI DSS compliant. Payrexx is happy to help you with this.

Advantages of using Payrexx

  • Payrexx is validated as a PCI DSS Level 1 Service Provider and therefore covers most of the more than 250 requirements of PCI DSS, making it easier for you to reach compliance. The current Attestation of Compliance (AoC) of Payrexx is dated 12.06.2023.

  • If you receive credit card payments through channels other than Payrexx (PoS, phone, email), additional PCI DSS requirements apply to you. Please get in touch with us by creating a ticket.

  • If Payrexx is the only system through which you accept cards, you must comply with PCI DSS within the SAQ A scope.

Levels of PCI DSS Compliance

The level of compliance is determined by the number of card transactions you process per year. The thresholds below follow the card schemes' merchant level definitions; your acquirer makes the final assignment:

  • Level 1: more than 6 million transactions per year

  • Level 2: between 1 and 6 million transactions per year

  • Level 3: between 20,000 and 1 million e-commerce transactions per year

  • Level 4: fewer than 20,000 e-commerce transactions per year

Depending on the applicable level, the way PCI DSS compliance is validated differs:

  • Level 1: You must have an annual on-site assessment performed by a PCI DSS Qualified Security Assessor (QSA), resulting in a Report on Compliance (RoC). If this applies to you, please contact our support team by creating a ticket, so we can assist you in this process.

  • Level 2 - 4: You can validate PCI DSS compliance with a Self-Assessment Questionnaire (SAQ). Confirm with your acquirer whether they require anything beyond the signed SAQ.

Self-Assessment questionnaire

Which self-assessment questionnaire you must complete depends on the type of integration. Payrexx delivers the payment page either via a redirect or via an iframe / modal hosted on Payrexx, so no cardholder data touches your systems and the SAQ A questionnaire is sufficient. SAQ A applies only when all cardholder data functions are fully outsourced to a PCI DSS validated third party and the entire payment page originates from that provider; if your own website collects or forwards card data (for example a self-hosted payment form posting to an API), a different SAQ applies (such as SAQ A-EP).

A prepared document can be found at: PCI-DSS-v3_2_1-SAQ-A.pdf. Note that PCI DSS v3.2.1 was retired by the PCI SSC on 31 March 2024; check with your acquirer whether they still accept a v3.2.1 SAQ or require the current v4.x version.

Page 7 of the questionnaire

On page 7 you need to fill in information about your company.

Page 8 of the questionnaire

Enter a description of your business in relation to payment cards under "Description of Payment Card Business". You also need to list your company headquarters and, if you have integrated Payrexx into your own system, the data centres (hosting locations) used for your web application.

Read the "Eligibility to Complete SAQ A" section carefully. If you cannot agree with every item, SAQ A does not apply to you and you will likely need to complete a different questionnaire. In this case, please contact our support.

Section 2 of the questionnaire

Section 2 is about the requirements you need to fulfill.

If you only use Payrexx tools without another e-commerce store or application connected to Payrexx, you can mark requirements 2, 8 and 9 as N/A and continue with requirement 12.

If you connect your own software or shop to Payrexx, you need to go through all requirements.

Requirement 2

This applies to the web hosting / server on which you run the web application that is connected to Payrexx (either via redirect or via the modal / iframe solution).

The requirements concern vendor defaults for system passwords and other security parameters.

2.1.a - Are vendor-supplied defaults always changed before installing a system on the network?

Make sure that none of the accounts on your web server (e.g. FTP account, web hosting control panel, operating system users, database accounts) still use vendor default passwords. If you use a web host, get this confirmed in writing.

It is important that you have a written configuration standard that specifies this. You can find a template at: Policy / Procedures Template Download

2.1.b - Are unnecessary default accounts removed or disabled before installing a system on the network?

Make sure that unnecessary default accounts (e.g. sample, guest or vendor service accounts) are removed or disabled. If you use a web host, get this confirmed in writing.

Requirement 8

This applies to the web hosting / server on which you run the web application that is connected to Payrexx (either via redirect or via the modal / iframe solution).

The requirements concern authentication and access to those servers.

8.1.1 - Are all users assigned a unique ID before allowing them to access system components or cardholder data?

Make sure that every person has their own account with a unique ID on every system (database users, operating system users, SSH users, FTP users). If you use a web host, get this confirmed in writing.

8.1.3 - Is access for any terminated users immediately deactivated or removed?

Ensure that accounts of terminated employees or contractors are deactivated immediately, including their SSH keys, API keys and hosting control panel logins.

8.2 - In addition to assigning a unique ID, is one or more of the following methods employed to authenticate all users?

  • Something you know, such as a password or passphrase

  • Something you have, such as a token device or smart card

  • Something you are, such as a biometric

Make sure that no account exists that can log in without a password (or an SSH key). If you use a web host, get this confirmed in writing.

8.2.3.a - Are user password parameters configured to require passwords/passphrases meet the following?

  • A minimum password length of at least seven characters

  • Contain both numeric and alphabetic characters

Alternatively, the passwords/passphrases must have complexity and strength at least equivalent to the parameters specified above.

Make sure that the passwords meet this requirement, for example by enforcing it in the operating system's password policy (PAM on Linux) and in the hosting control panel, rather than relying on users to choose well.

8.5 - Are group, shared, or generic accounts, passwords, or other authentication methods prohibited as follows:

  • Generic user IDs and accounts are disabled or removed;

  • Shared user IDs for system administration activities and other critical functions do not exist; and

  • Shared and generic user IDs are not used to administer any system components?

Make sure that there are no user accounts that are used by more than one person. Generic user accounts and default user accounts must be disabled.
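Most of the checks for requirements 2.1 and 8 above can be read directly from a Linux host's /etc/passwd and /etc/shadow. The following script is an added example (not Payrexx code and not part of the questionnaire) that audits constructed sample records for accounts with an empty password (8.2), duplicate UIDs (8.1.1) and default accounts that are still enabled (2.1.b, 8.5), and checks candidate passwords against the 8.2.3 minimum. The list of default account names is an assumption for the example; extend it for your stack.

```python
"""Audit helpers for SAQ A requirements 2.1 and 8 on a Linux host.

Added example, not part of the Payrexx documentation. Pass the contents of
/etc/passwd and /etc/shadow (reading shadow needs root) to audit a real host;
the sample records at the bottom are constructed for this example.
"""
import re
from collections import defaultdict

# Default/generic logins that 2.1.b and 8.5 expect to be disabled or removed.
# Assumed list for the example; adapt it to your operating system and panel.
DEFAULT_ACCOUNTS = {"admin", "administrator", "guest", "test", "ftp", "demo", "user"}

# Shadow password fields starting with these cannot be used to log in.
LOCKED_MARKERS = ("!", "*")


def parse_passwd(text):
    """Return (user, uid, shell) tuples from /etc/passwd content."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line: skip rather than crash the audit
        rows.append((fields[0], int(fields[2]), fields[6]))
    return rows


def parse_shadow(text):
    """Return a dict user -> password hash field from /etc/shadow content."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            result[fields[0]] = fields[1]
    return result


def is_locked(hash_field):
    """True if the password field is locked ('!' or '*' prefix)."""
    return hash_field.startswith(LOCKED_MARKERS)


def empty_password_accounts(shadow):
    """8.2: an empty shadow field means login without any password."""
    return sorted(user for user, h in shadow.items() if h == "")


def duplicate_uids(passwd_rows):
    """8.1.1: two usernames sharing a UID are one identity to the kernel."""
    by_uid = defaultdict(list)
    for user, uid, _shell in passwd_rows:
        by_uid[uid].append(user)
    return {uid: users for uid, users in by_uid.items() if len(users) > 1}


def enabled_default_accounts(passwd_rows, shadow):
    """2.1.b / 8.5: default or generic accounts whose password is still usable."""
    found = [user for user, _uid, _shell in passwd_rows
             if user in DEFAULT_ACCOUNTS and not is_locked(shadow.get(user, ""))]
    return sorted(found)


def password_meets_8_2_3(password):
    """8.2.3: at least 7 characters, containing both letters and digits."""
    return (len(password) >= 7
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


def audit(passwd_text, shadow_text):
    """Run all file-based checks and return the findings per check."""
    rows = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    return {
        "empty_password": empty_password_accounts(shadow),
        "duplicate_uids": duplicate_uids(rows),
        "enabled_defaults": enabled_default_accounts(rows, shadow),
    }


# Constructed sample records: a second UID-0 account, an unlocked "admin",
# a locked "ftp" system account and a "guest" account without a password.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
deploy:x:1000:1000::/home/deploy:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
admin:x:1001:1001::/home/admin:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
guest:x:1002:1002::/home/guest:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:19500:0:99999:7:::
deploy:$6$saltsalt$zyxwvutsrqponmlkjihgfedcba9876543210:19500:0:99999:7:::
toor:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:19500:0:99999:7:::
admin:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyz:19500:0:99999:7:::
ftp:*:19500:0:99999:7:::
guest::19500:0:99999:7:::
"""

if __name__ == "__main__":
    for check, hits in audit(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{check}: {hits or 'OK'}")
```

On the sample data the audit reports "guest" as loginable without a password, "root" and "toor" sharing UID 0, and "admin" and "guest" as enabled default accounts; "ftp" passes because its hash field is locked with "*". Anything the script flags should be fixed on the host before you answer 2.1 and 8 with "Yes", and the run itself is useful evidence to keep with the questionnaire.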

It is important that you have a written policy for requirement 8. You can find a template at: Policy / Procedures Template Download

Requirement 9

This applies to the web hosting / server on which you run the web application that is connected to Payrexx (either via redirect or via the modal / iframe solution).

The requirements concern the physical security of the servers.

If you use a third-party provider for your hosting, check the requirements with their support.

Since most websites are not hosted on an on-site server, we do not elaborate on this requirement.

If your hosting provider is PCI DSS compliant (e.g. Amazon Web Services, Google Cloud), mark requirement 9 as N/A and note that physical security is covered by the provider's own attestation.

If the hosting provider is not PCI DSS compliant, ask the provider to confirm that the physical access controls of requirement 9 are in place, and mark it as Yes once they have confirmed this.

Requirement 12

This applies to the web hosting / server on which you run the web application that is connected to Payrexx (either via redirect or via the modal / iframe solution).

The requirements concern the service providers that handle CHD on your behalf.

12.8.1 - Is a list of service providers maintained, including a description of the service(s) provided? Maintain a list of service providers who could impact the security of the cardholder data.

You must have Payrexx on this service provider list.

If you use other payment service providers, you would have to list them as well.

12.8.2 - Is a written agreement maintained that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process, or transmit on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment?

You must have such an agreement with Payrexx. For this, we provide you with a template: PCI-Agreement-with-Merchants.pdf. Please send the signed agreement to compliance@payrexx.com so that Payrexx can countersign it.

12.8.3 - Is there an established process for engaging service providers, including proper due diligence prior to engagement?

Make sure you have a formal process for engaging service providers like Payrexx.

12.8.4 - Is a program maintained to monitor service providers' PCI DSS compliance status at least annually?

Make sure you have a process in place to check Payrexx's PCI DSS compliance annually, for example by requesting the current AoC each year and filing it with your questionnaire.

12.8.5 - Is information maintained about which PCI DSS requirements are managed by each service provider, and which are managed by the entity?

Payrexx bears full responsibility for all services provided under *.payrexx.com. You are responsible for the servers and applications on your side that connect to Payrexx.

12.10.1.a - Has an incident response plan been created to be implemented in the event of a system breach?

Ensure that an Incident Response Plan is maintained to cover a potential security incident. A template for this Incident Response Plan can be found here: Incident Response Plan Template Download.

It is important that you have a written policy for requirement 12. You can find a template here: Policy & Procedure Templates.

Signature

With your signature on the self-assessment questionnaire, you confirm that you have truthfully answered all questions. You can now send the signed SAQ to Payrexx at compliance@payrexx.com.
