The Payment Card Industry Data Security Standard


Stolen credit card data is misused because the same data that makes online card payments convenient can be replayed by anyone who gets hold of it. Customers lose confidence, merchants suffer recurring losses, and a company that accepts cards can see its reputation badly damaged by a single breach. For these reasons the largest card organisations (VISA, MasterCard, American Express, JCB and Discover Financial Services) jointly drew up the Payment Card Industry Data Security Standard, or PCI DSS, to protect cardholder data throughout the card payment process.

The card companies require strict PCI DSS compliance from every affiliated company that stores, processes or transmits cardholder data, so that card data is handled only in a continuously protected environment. The standard obliges the whole card payment industry to put administrative and technical security measures in place and makes certification compulsory. These measures are sometimes complex and expensive; they are reviewed regularly and, depending on the certification level, the review may take the form of an on-site audit. Any merchant that stores, processes or even merely transmits card data must comply with these requirements. A company that is not certified is fully liable for any losses resulting from data theft for which it is responsible. There are four certification levels, determined by annual transaction volume. Payment service providers (PSPs) such as SWISSgate are subject to the strictest requirements (Level 1).

PCI DSS compliance

SWISSgate Technologies AG meets all the requirements of the PCI DSS drawn up by the PCI Council, and is thus permitted to undertake all types of credit card payment settlements.

PCI DSS Certificate SWISSgate Technologies AG

Data storage

The PCI standard stipulates which cardholder data may be stored and how it must be protected. The truncated card number (PAN), the cardholder's name and the expiry date may be stored only under certain conditions. Storing the complete card number is subject to very stringent requirements: it must be rendered unreadable wherever it is kept, for example by truncation, one-way hashing or strong encryption. In every case, only audited and authorised personnel of the company may access such data. Sensitive authentication data, including but not limited to the card verification code (CVV/CVC), may never be stored after authorisation. In addition, all paper records containing credit card data must be irretrievably destroyed. Contracting companies that fail to comply, deliberately or through negligence, face significant monetary penalties if data misuse occurs, and their contractual relationship with the credit card companies or their agents is usually terminated irrevocably.
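As an added illustration of the storage rules above (example code written for this page, not SWISSgate's own code), the following Python builds the only record a merchant may persist from a card authorisation request: the PAN is validated, truncated to the first six and last four digits, and replaced by a keyed one-way hash (HMAC-SHA256) so that later refunds or duplicate checks can match the card without the PAN ever being stored, while the card verification code and any other sensitive authentication data are discarded. The sample request, the field names and the demo key are constructed for the example; in a real deployment the hash key would live in an HSM or key-management service and this component would run inside the audited cardholder data environment.

```python
"""Added example: keep only what PCI DSS permits from a card authorisation record."""
import hashlib
import hmac
import re
from dataclasses import asdict, dataclass

PAN_RE = re.compile(r"^\d{13,19}$")
# Sensitive authentication data: must never be written to storage after authorisation.
# Field names are assumptions for this example.
SENSITIVE_FIELDS = {"cvv", "cvc", "cvv2", "cid", "pin", "pin_block", "track1", "track2"}


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: rejects mistyped PANs (it does not detect fraud)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to the first six and last four digits, the most PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_fingerprint(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the whole PAN; the key is kept outside the database."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class StoredCard:
    """The record a merchant may persist: truncated PAN, name, expiry, keyed hash."""
    masked_pan: str
    cardholder_name: str
    expiry: str
    fingerprint: str


def prepare_for_storage(auth_request: dict, key: bytes) -> StoredCard:
    """Build the storable record; every other field of auth_request is discarded."""
    pan = re.sub(r"[ -]", "", str(auth_request["pan"]))
    if not PAN_RE.match(pan) or not luhn_valid(pan):
        raise ValueError("malformed PAN")
    return StoredCard(
        masked_pan=mask_pan(pan),
        cardholder_name=auth_request["cardholder_name"],
        expiry=auth_request["expiry"],
        fingerprint=pan_fingerprint(pan, key),
    )


def contains_sensitive_data(record: dict) -> bool:
    """Audit check: True if a record about to be persisted still carries forbidden fields."""
    return bool(SENSITIVE_FIELDS & {k.lower() for k in record})


# Constructed sample: the well-known test PAN 4111 1111 1111 1111, not a real card.
SAMPLE_AUTH_REQUEST = {
    "pan": "4111 1111 1111 1111",
    "cardholder_name": "A. Muster",
    "expiry": "12/29",
    "cvv": "123",
}
SAMPLE_KEY = b"demo-key-keep-this-in-an-hsm-or-kms"  # assumption: real key comes from a KMS

if __name__ == "__main__":
    assert contains_sensitive_data(SAMPLE_AUTH_REQUEST)  # the request carries a CVV ...
    stored = prepare_for_storage(SAMPLE_AUTH_REQUEST, SAMPLE_KEY)
    assert not contains_sensitive_data(asdict(stored))  # ... the stored record does not
    print(asdict(stored))
```

The fingerprint is deliberately keyed: an unkeyed SHA-256 of a 16-digit PAN can be reversed by brute force over the card number space, so the hash alone would be cardholder data. Keep the key in a separate system with its own access control, and the table holding `StoredCard` rows remains outside the scope of full-PAN storage.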

Level classification

Merchants and payment service providers are classified into four categories according to their annual card transaction volume. The level determines how extensive the regular internal and external auditing is that a contractor must undergo to obtain or retain PCI DSS certification.

The level definitions and the compliance requirements for each level are set out below:

LEVEL 1
  Relevant business volume: more than 6,000,000 transactions per year across all channels, including e-commerce
  Compliance requirements: annual on-site PCI security audit and quarterly network scans

LEVEL 2
  Relevant business volume: 1,000,000 - 5,999,999 transactions per year
  Compliance requirements: annual internal security reporting (self-assessment questionnaire) and quarterly network scans

LEVEL 3
  Relevant business volume: 20,000 - 1,000,000 e-commerce transactions per year
  Compliance requirements: annual internal security reporting (self-assessment questionnaire) and quarterly network scans

LEVEL 4
  Relevant business volume: fewer than 20,000 e-commerce transactions per year, and all merchants with up to 1,000,000 transactions across all channels
  Compliance requirements: annual internal security reporting (self-assessment questionnaire) and quarterly network scans

The benefits of PCI DSS certification

  • The best possible security to protect your customers' card data
  • Enhanced customer confidence and a better image for your business
  • Continued growth in credit card transactions
  • Better protection against financial losses from data theft
  • Reduction or removal of the risk of being fined by the credit card companies


Are you interested in our products and services or would you like more information? Then get in touch with us and we will be happy to help you. Together we can identify and implement the ideal solution for your requirements.

SWISSgate Technologies AG
Lintheschergasse 10
CH-8001 Zurich | Switzerland

+41 43 500 05 80

+41 43 500 17 26