If you take payment online, are you at risk of fraud and liability? PCI DSS explained.


PCI DSS is a set of rules created by the PCI Security Standards Council with the intention of protecting credit and debit card data and enhancing awareness of these standards. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.

Many people are confused about this, so we have spent some time going through the documents to unravel it for you. In short, if you are using a credit card terminal or are handling customer credit card details, then you will need to research this further and will probably need either to change the way you accept payments or to become PCI DSS compliant.

Yes or No! – Do I need to be PCI DSS Compliant?

My web site stores card details for me to put into my credit card terminal. Do I need to be compliant?

Yes, you do. If you store, see or handle credit card details, you need to be compliant.

I use a payment service provider to handle my credit card payments. Do I need my shop to be compliant?

No, you don't. If you are using a payment service provider and never see a shopper's credit card details, you do not need to be compliant.

To summarise
If you ever come into contact with a shopper's credit card details, be it through a terminal or a web site that stores the data, you DO need to be PCI compliant.

If you never come into contact with a shopper's card details and use a third party such as PayPal to handle your web site payments, you DO NOT need to be PCI DSS compliant.

We suggest, and always have suggested, that clients use a third-party payment service provider such as SagePay, as it takes away the headache of PCI DSS compliance.

For more information, visit the PCI Security Standards Council.


Call us on 01727 739812


  • It's also worth mentioning that PCI standards apply to recorded telephone conversations, so companies that take credit card payments over the phone and record their calls need to make sure that the call recordings do not store any sensitive credit card data.

    Our company, Veritape, is in the process of launching Veritape CallGuard, a product that will make recorded calls fully PCI compliant. It works either with our own call recording software or with any other call recording system. Especially appealing if a company has invested heavily in an expensive call recording system, only to find that it isn't PCI compliant!

    See http://www.veritape.com for more information.

  • I love your article.
