Ingenico ePayments is a Payment Card Industry Data Security Standard (PCI-DSS) certified organization.

PCI-DSS is an information security standard that has been created by the major credit card companies (American Express, Discover, JCB, MasterCard and Visa) to improve controls around credit card data handling and to reduce fraud.

For more information about our PCI-DSS certificate, please click here.


  • I am a small merchant. Does PCI DSS apply to me?

    PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers and service providers, as well as all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

  • Does PCI DSS apply to an entity using a third-party service provider (TPSP)?

    Yes. The use of a third-party service provider (TPSP) does not relieve the entity of ultimate responsibility for its own PCI DSS compliance, nor does it exempt the entity from accountability and obligation for ensuring that its cardholder data (CHD) and cardholder data environment (CDE) are secure. However, the use of a third-party service provider may decrease the risk exposure and reduce the effort for validating and maintaining PCI DSS compliance.

  • What is the PCI effort for a merchant?

    The effort for a merchant is strongly dependent on a number of factors such as the merchant level, type of integration, supporting infrastructure, the usage of PCI DSS certified service providers, etc.

  • What are Self Assessment Questionnaires (SAQs)?

    The PCI DSS SAQ is a validation tool for merchants and service providers that are not required to undergo an on-site data security assessment per the PCI DSS Security Assessment Procedures. The purpose of the SAQ is to assist organizations in self-evaluating compliance with the PCI DSS, and you as a merchant may be required to share it with your acquiring bank. Please consult your acquirer for details regarding your particular PCI DSS validation requirements.

  • Who has the authority to select the merchant level and SAQ type?

    It is the merchant's acquirer that has the authority to define the merchant level, based on the number of annual transactions. Depending on the merchant level (level 2, 3 or 4) the merchant might be eligible to use a Self Assessment Questionnaire (SAQ). The type of SAQ is strongly linked to the payment flow and to whether the merchant captures, processes, stores or transmits cardholder data such as the card number.

  • What type of SAQ could be applicable to me as a merchant?

    If a merchant is eligible to use SAQs, then the type is strongly dependent on the type of integration and on whether the merchant ever touches card numbers (PAN) and sensitive authentication data (e.g. CVC, Track2, …).

    In order to identify the type of SAQ, the merchant should consult the acquiring bank. The acquiring bank will provide the details regarding your particular PCI DSS validation requirements. When you are eligible for an SAQ and have access to card data such as the PAN, CVC, …, the acquiring bank will typically require you to fill in the SAQ-D questionnaire.

    However, when you as a merchant do not have access to any cardholder data and the processing of the payment flows is outsourced to a PCI compliant payment service provider (PSP), the acquiring bank could opt for either SAQ A or SAQ A-EP.

    For more information, see Understanding SAQs for PCI DSS v3.

  • Comparison of the SAQ A vs SAQ A-EP

    The comparison of the applicability for SAQ A and SAQ A-EP is depicted in the table below.

    SAQ A: All Cardholder Data Functions Completely Outsourced
    SAQ A-EP: Partially Outsourced E-Commerce Payment Channel

    Applies to:
      SAQ A: Card-not-present merchants (e-commerce or mail/telephone-order)*
      SAQ A-EP: E-commerce merchants

    Functions Outsourced:
      SAQ A: All payment acceptance and processing are entirely outsourced to PCI DSS validated third-party service providers
      SAQ A-EP: All processing of cardholder data is outsourced to a PCI DSS validated third-party payment processor

    Control of Cardholder Data:
      SAQ A: Merchant's e-commerce website does not receive cardholder data and has no direct control of the manner in which cardholder data is captured, processed, transmitted, or stored
      SAQ A-EP: Merchant's e-commerce website does not receive cardholder data but controls how consumers, or their cardholder data, are redirected to a PCI DSS validated third-party payment processor

    Payment Pages:
      SAQ A: The entirety of all payment pages delivered to the consumer's browser originates directly from a PCI DSS validated third-party service provider(s)
      SAQ A-EP: All elements of payment pages that are delivered to the consumer's browser originate from either the merchant's website or a PCI DSS compliant service provider(s)

    Third-Party Compliance:
      SAQ A: Merchant confirmed that all third party(s) handling acceptance, storage, processing, and/or transmission of cardholder data are PCI DSS compliant
      SAQ A-EP: Merchant confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant

    Merchant Systems (both SAQ A and SAQ A-EP):
      Merchant does not electronically store, process, or transmit any cardholder data on their systems or premises, but relies entirely on a third party(s) to handle all these functions

    Data Retention (both SAQ A and SAQ A-EP):
      Merchant retains only paper reports or receipts with cardholder data, and these documents are not received electronically

  • Where can I find more information on PCI DSS?

    For more information the merchant can always contact its acquiring bank.

    All PCI related information can be found on the PCI Security Standards Council website.
