PCI Compliance: All Requirements | Shopify (2023) Germany

The PCI standards were developed by the PCI Security Standards Council (PCI SSC) to curb fraud involving payment card data. They set minimum requirements for protecting cardholder data, with the aim of strengthening trust in card payments, both online and at the point of sale. Any business that stores, processes or transmits cardholder data must meet the PCI DSS requirements.

Non-compliance with this standard often results in heavy fines. In this article, we show you which requirements you need to meet to avoid them.


Why is PCI Compliance Important?

Meeting the PCI requirements means taking appropriate steps to protect cardholder data from theft and fraud. Failing to meet them affects both your company and your customers: the consequences can be a data breach, fines, and the loss of sales, customers and trust.





What is PCI Compliance?

The Payment Card Industry (PCI) Security Standards Council, an association founded in 2006 by the major card brands, publishes and maintains PCI DSS, the Payment Card Industry Data Security Standard. The standard consolidated the brands' individual security programs in response to the growing number of card transactions. Since then, companies that process card payments have been obliged to validate their PCI DSS compliance, normally once a year.

From the early 2000s, the number of businesses accepting card payments over the Internet increased dramatically, and with it consumer acceptance of paying by card online.


However, the five largest card brands (Visa, MasterCard, American Express, Discover and JCB) quickly realized that data theft was also becoming more common, and PCI DSS was developed to address this. It defines the standard for secure payment processing, so that merchants take appropriate security precautions when collecting, storing, processing and transmitting cardholder data. The aim is to prevent, or at least curb, the misuse of consumer and banking data. This common standard and the establishment of the PCI Security Standards Council mark a decisive step toward regulating card payments and protecting consumers and businesses from cyber-attacks.


PCI compliance requirements


Each year, organizations must validate their PCI DSS compliance by completing the appropriate PCI SSC validation document: a Self-Assessment Questionnaire or, for the highest merchant level, a Report on Compliance prepared by an assessor. Penalties and fees must be expected if the requirements are not met.

PCI compliance reduces the risk of a data breach, but it does not eliminate it. However, the card brands can significantly reduce the penalties after a breach if the merchant can show that it took all necessary steps to comply.

PCI DSS groups its requirements into six goals, which cover the following technical and operational standards:

Maintain and build a secure network

All companies need to install and maintain network security controls (firewalls) that protect cardholder data, and they must not leave vendor-supplied defaults such as default passwords in place on any system component.

Protect Cardholder Data

Businesses that retain cardholder data after a transaction, for example to reuse it for future payments, are affected by this requirement: stored primary account numbers (PANs) must be rendered unreadable, by truncation, tokenization, strong encryption or one-way hashing, and sensitive authentication data such as the CVV/CVC and full magnetic-stripe or chip data must never be stored after authorization, not even encrypted.

When cardholder data is transmitted over open, public networks, it must be protected with strong cryptography (for example a current TLS version); sending unprotected PANs by e-mail, chat or SMS is not permitted.
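As an added example that is not part of the Shopify article: the following Python script scans application logs for stored PANs, which is one of the most common ways cardholder data ends up "stored" without anyone intending it. It treats any run of 13 to 19 digits that passes the Luhn check as a PAN, reports it, and rewrites it so that only the first six and last four digits remain (the most PCI DSS allows to be displayed); it also flags CVV values, which must never be stored after authorization. The log lines and the field names `card=` and `cvv=` are constructed for this example.

```python
"""Added example (not from the Shopify article): find PANs and CVV values in
log text and mask them. The sample log and its field names are constructed."""
import re

# Constructed sample log. The first card number is the well-known Visa test
# PAN (Luhn-valid); the second differs in the last digit and is not a PAN;
# the tracking number is a 16-digit run that fails the Luhn check.
SAMPLE_LOG = """\
2023-05-01T10:00:00Z order=1001 card=4111111111111111 exp=12/25 cvv=123 status=approved
2023-05-01T10:00:05Z order=1002 card=4111 1111 1111 1112 status=declined
2023-05-01T10:00:07Z order=1003 tracking=1234567890123456 status=shipped
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Sensitive authentication data: a CVV/CVC field (constructed field names).
SAD_FIELD = re.compile(r"\b(cvv2?|cvc)=\d{3,4}\b", re.IGNORECASE)
SEPARATORS = re.compile(r"[ -]")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_pan(candidate: str) -> bool:
    """A regex candidate counts as a PAN when its digits pass Luhn."""
    digits = SEPARATORS.sub("", candidate)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS display rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line: str) -> str:
    """Mask every Luhn-valid PAN and blank any CVV/CVC value in one log line."""
    def mask(m: re.Match) -> str:
        return mask_pan(SEPARATORS.sub("", m.group())) if is_pan(m.group()) else m.group()
    line = PAN_CANDIDATE.sub(mask, line)
    return SAD_FIELD.sub(lambda m: m.group(1) + "=[REDACTED]", line)


def scan_log(text: str):
    """Return (line_number, finding) pairs for PANs and SAD found in the text."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            if is_pan(m.group()):
                findings.append((n, "PAN " + mask_pan(SEPARATORS.sub("", m.group()))))
        for m in SAD_FIELD.finditer(line):
            findings.append((n, "sensitive authentication data in field " + m.group(1)))
    return findings


if __name__ == "__main__":
    for n, what in scan_log(SAMPLE_LOG):
        print(f"line {n}: {what}")
    print(redact_line(SAMPLE_LOG.splitlines()[0]))
```

Two caveats when running something like this against real logs: the Luhn check filters out most random digit runs, but other checksummed identifiers (some parcel tracking numbers, IMEIs) also pass it, so treat hits as leads to confirm, not proof; and a PAN written directly next to other digits is deliberately not matched, so a clean scan is not evidence of a clean log. Also keep in mind that once a PAN is found in a log, that log and every system that holds a copy are themselves in PCI DSS scope until the data is purged.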


Use and regularly update anti-malware software

Anti-malware software must be deployed and kept up to date on all systems commonly affected by malware, and system components must be patched against known vulnerabilities. If the data is hosted on outsourced servers, the provider handles this for its own infrastructure, but the merchant remains responsible for confirming the provider's PCI DSS compliance and for agreeing in writing which requirements each party covers.

Strict access control measures

Another critical step in reducing the risk of a breach is restricting access to cardholder data to the smallest possible group of employees who need it for their job. Every person granted access receives a unique ID, so that each action can be traced to an individual, and physical access to systems that hold cardholder data is controlled.

Regularly monitor and test networks

Access to network resources and cardholder data must be logged and the logs reviewed, and security systems and processes must be tested regularly, for example through vulnerability scans and penetration tests.

Introduce policies to ensure data security

As the final standard, a security policy must be maintained that covers acceptable use of technology, an annual risk assessment, operational security procedures, incident response, and other general management tasks.




Penalties for violations

In this section, we show what companies face if they breach PCI compliance.

The requirements listed in the previous section apply to every system component that stores, processes or transmits cardholder data, including:

  • Point-of-sale systems
  • Card readers
  • Network and wireless routers in the store
  • Apps and shopping carts for processing online payments
  • Storage and transmission of payment card data
  • Payment card data held in paper form

Enforcing and maintaining PCI compliance is not an easy task for many merchants. Security checks have to be carried out regularly, outside consultants are often brought in to install expensive software and hardware, and the merchant signs a binding agreement with its bank to undergo an annual PCI compliance review. An annual self-assessment is also usually required.


But what are the penalties for non-compliance? According to the PCI Compliance Blog, fines are not reported or published. The card brands levy them on the acquiring bank, which usually passes them on to the merchant in the form of increased transaction fees or, in serious cases, by terminating the business relationship.

Fines can range from $5,000 to $100,000 per month until the merchant achieves PCI compliance. Large banks can absorb such amounts, but they can drive a small business into bankruptcy very quickly.

Shopify’s compliance covers all six PCI standard categories and applies to every store that uses our platform. Shopify is certified as Level 1 PCI DSS compliant. By default, this compliance applies to all Shopify-powered stores.

You can find information about Shopify’s PCI compliance reporting in the Help Center.

How to verify PCI compliance?

Each card brand defines its own merchant levels and the validation required at each level. Depending on your level, you either complete a PCI DSS Self-Assessment Questionnaire (SAQ) yourself or engage a Qualified Security Assessor (QSA) certified by the PCI SSC.


PCI QSAs are trained and certified by the PCI SSC to carry out PCI DSS assessments and produce a Report on Compliance. Alternatively, you complete the SAQ that matches the way you accept cards; it consists of a series of yes/no questions that determine whether you meet PCI DSS. The SAQ and its Attestation of Compliance are submitted annually to your acquiring bank, and several SAQ types (for example A-EP, C and D) additionally require quarterly external vulnerability scans by a PCI-approved scanning vendor (ASV).




Conclusion


Technology that lets customers pay quickly and easily also gives attackers a route to sensitive data. That is why small businesses that process only a few card payments must meet the same card data protection requirements as large retailers that process countless transactions.

When the PCI DSS requirements are followed, they give companies of any size a solid baseline of protection against cybercrime and increase customer confidence.

Disclaimer: This article is for informational purposes only and does not constitute professional tax or legal advice. Please seek independent legal or tax advice for information specific to your country and circumstances. Shopify is not responsible for your use or reliance on this information.




Frequently Asked Questions About PCI Compliance

What is PCI Certification?

PCI compliance demonstrates that a company protects the card data it handles in the way PCI DSS requires. According to the card brands, every company that stores, processes or transmits card data must comply with the PCI standards, regardless of its size.

How often must I provide proof of PCI compliance?

Compliance must be validated at least annually. Regardless of how card data is accepted, businesses complete a PCI validation form (an SAQ or a Report on Compliance, together with an Attestation of Compliance) every year.

Who is PCI DSS for?

PCI DSS standards apply to all companies that accept and process credit card payments. The same requirements apply to small companies and large retailers.

How much does it cost to become PCI compliant?

This question cannot be answered in general terms. However, the cost of PCI compliance is small compared to a data breach. You should view PCI compliance costs more as an investment in the security of your business and your customers.


About the author: Alice Viete is a content marketing expert. As an agency owner, she supports B2B and eCommerce companies in implementing their personalized content strategies. On the Shopify Blog, she writes about current topics of successful retailers and online transactions.