What does PCI-DSS stand for?

PCI stands for Payment Card Industry, while DSS for Data Security Standard.

PCI is a council created by all the major credit card issuers. Its mission is to standardise the way credit card data is handled by merchants and intermediaries.

PCI-DSS is a standard that consists of a set of requirements to be met in order to securely manage the access to credit card data. For example, credit card data must be encrypted, protected, and an authentication system that is able to detect who is accessing this data need to be implemented. Moreover, the standard requires to periodically test the infrastructure.

Axerve Ecommerce Solutions is PCI-DSS 3.2 certified. You can read more about the PCI-DSS standard on the PCI website.

Compliance documentation required by the acquirer

In the activation phase of the Ecommerce acquiring service, the merchant must provide a statement in accordance with the PCI-DSS standard.

The type of certification varies based on the volume of transactions and the type of service offered, and may require the intervention of a certifying entity attested by the PCI-DSS Council. It is important to remember that there is a difference in the certification of a payment service provider (PSP) and of an Ecommerce.

There are 4 levels of certification that require checks and thorough verifications, that depend on the transaction volume per circuit, as shown in the table below.

Certification via QSA (Qualified Security Assessor)

This is the certification required for level 1 Ecommerce and for companies offering payment services (PSPs). It requires the most thorough verification and an annual audit by an external certifying body. At the end of the checks, the ROC (Report of Compliance) and AOC (Attestation of Compliance) are issued by the certifying organization. The ROC includes the precise list of all the checks that were carried out, and the AOC is a public document that summarizes them.

Ecommerce self-certification

These are PCI DSS Self-Assessment Questionnaires (SAQs) and are validation tools intended to assist merchants and service providers in self-assessment of their PCI DSS compliance that are required for merchants of level 2, 3 and 4 merchants. There are multiple versions of SAQs (A, A-EP, B, etc.) to suit various scenarios. Below is a graphic representation that allows you to identify the type of required certification, based on the services offered by the merchant and their field of competence:

Once the perimeter has been identified, based on the diagram above, it is also necessary to evaluate the SAQ (Self-Assessment Questionnaires) certification according to the services activated with Axerve.

SAQ A: Axerve Pay by Link, Lightbox, Standard Payment Page (Pagam).
Axerve, a PCI-DSS certified company, manages all card data.

SAQ A-EP: iFrame (customized payment page), gateway integration via REST API (submitting from the browser and not from the merchant's servers).
The merchant must integrate the gateway as stated in the technical documentation. Axerve manages all card data.

SAQ D: Gateway integration via SOAP / REST API (server-2-server).
The merchant saves the card data on their servers before sending them to Axerve and those must be PCI-compliant, according to the specifications summarized in the previous chapters. Based on the transaction volumes, only the SAQ or a certification via QSA (AOC + ROC) may be required.