I have questions about PCI DSS

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) sets out the requirements merchants must meet to handle card payments safely and securely. This is critical for protecting privacy and preventing fraud and data breaches. It aims to protect sensitive cardholder information throughout the lifecycle of a card transaction, from card acceptance to payment processing.

PCI compliance is a result of the formation of the PCI Security Standards Council and the Payment Card Industry Data Security Standard, which was implemented by the five major card schemes: Visa, Mastercard, Discover, American Express and JCB. These standards ensure that cardholder data is protected by consistent global requirements.

For information about the PCI DSS standard, visit: pcisecuritystandards.org


PCI DSS levels of compliance obligations

To understand which PCI DSS compliance obligations apply to you, first determine which 'Level' of compliance you fall under using the table below. Note that the levels are based on your transaction volume over the most recent 52-week period.

| PCI DSS Level | Description |
|---|---|
| Level 1 | Merchants processing over 6 million Visa or Mastercard transactions annually, OR global merchants identified as Level 1 in any Visa or Mastercard region. |
| Level 2 | Merchants processing between 1 million and 6 million Visa or Mastercard transactions annually across all channels. |
| Level 3 | Merchants processing between 20,000 and 1 million Visa or Mastercard e-commerce transactions annually. |
| Level 4 | Merchants processing fewer than 20,000 Visa or Mastercard e-commerce transactions annually, and all other merchants processing up to 1 million Visa or Mastercard transactions annually. |

Source: Visa PCI DSS Compliance


Who needs to be PCI DSS compliant?

Any merchant who accepts payment cards (credit or debit) and/or transmits cardholder information must be PCI compliant and follow the necessary requirements. The requirements to be complied with will depend on a variety of factors including the nature of the organisation and the number and size of transactions.

Airwallex customers who have the Online Payments product will need to ensure that they are compliant with the relevant PCI DSS requirements. You can use the table below as a guide.

| Online Payments integration | PCI DSS requirement (Level 2, Level 3 and Level 4 merchants) |
|---|---|
| Get paid / Pay By Link | No PCI DSS requirements. |
| API only integration | Submit a PCI DSS AOC and renew annually. |
| Drop-in field integration | Submit a PCI DSS SAQ A-EP questionnaire and renew according to the specific policy. |
| Embedded fields integration (or any of our Shopping Platform plugins), or Hosted Payments Page integration | Submit a PCI DSS SAQ A questionnaire and renew according to the specific policy. |
| WooCommerce and Magento | Submit a PCI DSS SAQ A-EP questionnaire and renew according to the specific policy. |

Note that if you are a Level 1 merchant and are using Online Payments other than Get Paid/Pay by Link, then you will need to do the following:

  1. File a Report on Compliance (ROC) completed by a Qualified Security Assessor (QSA), or by an internal auditor if it is signed by an officer of the company.
  2. Submit an Attestation of Compliance (AOC) form.
  3. Conduct a quarterly scan by an Approved Scanning Vendor (ASV).

I need to become PCI DSS compliant. How do I become PCI DSS compliant?

If you have determined that you need to comply with PCI DSS, Airwallex can guide you through the process.

If you have completed the relevant PCI DSS form within the last 12 months, you can provide this to Airwallex.

Use the previous table to understand what forms you need to fill in. You can download the files below.

- SAQ A - Word Doc

- SAQ A-EP - Word Doc

- Attestation of Compliance

  1. Word Doc - AOC for SAQ A
  2. Word Doc - AOC for SAQ A-EP

As the merchant, you are required to complete the forms and send the completed forms to your Airwallex account manager, or contact our customer support team.

If you do not provide the relevant information or do not satisfy the relevant PCI DSS compliance requirements, Airwallex may choose not to provide payment services, or may suspend them.

What happens if I am not PCI DSS compliant?

Card schemes determine 'non-compliance' and can impose significant fines. Fines can double each quarter that you do not remediate your PCI DSS non-compliance. For customers in the EU, a PCI DSS breach is also a GDPR breach, as cardholder information is personal data.

Need help filling in SAQ forms?

- Appendix A: SAQ A Form

- Appendix B: SAQ A-EP Form