PCI Compliance

Meeting the Payment Card Industry Data Security Standards (PCI DSS)

PCI DSS are a set of standards to help protect businesses and shoppers from data theft and fraud. It is mandatory for all businesses who accept card payments to comply by getting PCI DSS accreditation.

This applies to all types of card payments: online, by mail, over the phone or using credit card terminals.

Opayo has the highest level (Level 1) of PCI DSS accreditation.

Becoming PCI DSS compliant

You should speak to your merchant acquiring bank so they can refer you to their preferred Quality Security Assessor (QSA).

No matter what type of payments you're accepting (online, over the phone or using card machines), you'll only need to get PCI DSS accreditation once annually.

Further PCI DSS information and documentation can be found on the PCI Security Standards Council website https://www.pcisecuritystandards.org/document_library/

PCI certificates for businesses accepting online payments

If you're processing payments online through your website, the requirements for Direct integrations vary according to the number of transactions that you will be processing:

Direct integration
Level 4 compliance	Level 4 compliance Less than 20,000 transactions/annum Simplified PCI compliance using an online self-assessment questionnaire with monthly or quarterly vulnerability scans. Complete PCI form SAQ D
Level 3 compliance	20,000 - 1M transactions/annum Remote assessment, compliance validation, monthly vulnerability scans (via 10 IPs) and SSL certificate validation. Complete PCI form SAQ D
Level 2 compliance	1-6M transactions/annum Remote assessment, compliance validation, monthly vulnerability scans (via 50 IPs) and SSL certificate validation. Complete PCI form SAQ D
Level 1 compliance	6M+ transactions/annum Onsite assessment, penetration test and monthly vulnerability scans.