I have questions about PCI-DSS

What is PCI-DSS?

The Payment Card Industry Data Security Standard (PCI-DSS) sets out the requirements for in-scope merchants and service providers to securely handle card payments. These requirements are necessary to protect the security of card account data and prevent fraud and data breach events. The requirements span the protection of card account data throughout the lifecycle of a card transaction event (from card acceptance to payment processing). 

Compliance against PCI-DSS is administered by the PCI Security Standards Council (PCI-SSC) made up of the five major card schemes - Visa, Mastercard, American Express, Discover, and JCB.

For information about the PCI-DSS standard, visit pcisecuritystandards.org.

PCI-DSS levels of compliance obligations

To work out which PCI-DSS compliance obligations apply to you, first determine which ‘Level’ of compliance you fall under using the table below. The thresholds in the table are based on the most recent 52-week period. Note also that once one card scheme classifies you at a certain merchant level, you are treated as that level by all other card schemes.

PCI-DSS Merchant Level / Description

Level 1
- Merchants processing over 6 million Visa, Mastercard, or Discover transactions annually, OR
- Merchants processing over 2.5 million American Express transactions annually, OR
- Merchants processing over 1 million JCB transactions annually, OR
- Merchants otherwise identified as Level 1 by any of the card schemes.

Level 2
- Merchants processing between 1 million and 6 million Visa, Mastercard, or Discover transactions annually, OR
- Merchants processing between 50,000 and 2.5 million American Express transactions annually, OR
- Merchants processing less than 1 million JCB transactions annually (in scope as long as JCB card processing is included in your merchant agreement with your processor).

Level 3
- Merchants processing less than 1 million Visa transactions annually, OR
- Merchants processing between 20,000 and 1 million Mastercard e-commerce transactions annually, OR
- Merchants processing between 10,000 and 50,000 American Express transactions annually, OR
- Merchants processing less than 1 million Discover transactions annually (in scope as long as Discover card processing is included in your merchant agreement with your processor).

Level 4
- Merchants processing less than 20,000 Mastercard e-commerce transactions annually, OR
- Merchants processing up to 1 million Mastercard transactions annually, OR
- Merchants processing less than 10,000 American Express transactions annually.

Source: Visa Merchant Levels, Mastercard Merchant Levels, American Express Merchant Levels, Discover Merchant Levels, JCB Merchant Levels

Who needs to be PCI-DSS compliant? 

Any merchant who accepts payment cards (credit or debit) and/or transmits cardholder information must be PCI-DSS compliant and follow the necessary requirements. Which requirements apply will depend on a variety of factors, including the nature of the organisation, the nature of certain integrations, and the number and size of transactions.

Airwallex customers who have the Online Payments product will need to ensure that they are compliant with the relevant PCI-DSS requirements. Use the table below as a guide.

Integration type | PCI-DSS requirement (Levels 2, 3 and 4)
Get Paid / Pay By Link | No PCI-DSS requirements.
API-only integration | Submit a PCI-DSS Report on Compliance (ROC) and Attestation of Compliance (AOC) and renew annually.
Drop-in field integration | Submit a PCI-DSS SAQ A questionnaire and renew annually.
Embedded fields integration (or any of our Shopping Platform plugins) | Submit a PCI-DSS SAQ A questionnaire and renew annually.
Plugins | Submit a PCI-DSS SAQ A questionnaire and renew annually.
Hosted Payments Page integration | Submit a PCI-DSS SAQ A questionnaire and renew annually.
MOTO | Submit a PCI-DSS SAQ C-VT questionnaire and renew annually.
POS | Submit a PCI-DSS SAQ B-IP questionnaire and renew annually.
Mobile SDK | Submit a PCI-DSS SAQ A questionnaire if the Cards module is used.

Note that if you are a Level 1 Merchant and are using Online Payments other than Get Paid/Pay By Link, then you will need to:

  1. Complete a Report on Compliance (ROC) signed off by a Qualified Security Assessor (QSA).
  2. Submit an Attestation of Compliance (AOC) to Airwallex.
  3. Conduct a quarterly scan by an Approved Scanning Vendor (ASV).

I need to become PCI-DSS compliant. How do I do that?

If you have determined that you need to comply with PCI-DSS, Airwallex can guide you through the process.

If you've completed the relevant PCI-DSS form within the last 12 months, you can provide this to Airwallex.

Use the previous tables to understand what forms you need to fill in. You can download the files from the official PCI document library in your preferred language.

As the merchant, you are required to complete the forms and send them to your Airwallex account manager or contact our customer support team.

If you do not provide the relevant information or do not satisfy the relevant PCI-DSS compliance requirements, Airwallex may decline to provide, or may suspend, payment services.

What happens if I am not PCI-DSS compliant?

Card schemes determine non-compliance and can impose significant fines. Fines can double each quarter if you do not remediate your PCI-DSS non-compliance. For customers in the EU, a PCI-DSS breach is also a GDPR breach, as cardholder information is personal data.

Need help filling in SAQ forms?

- Appendix A: SAQ A Form
