Payment Card Industry Data Security (PCI DSS)

The Payment Card Industry Data Security Standard, or PCI DSS for short, was developed by the PCI Security Standards Council and is a globally accepted security standard for credit card transactions that aims to protect consumers and businesses from data misuse and fraud. Essentially, the set of rules contains twelve different requirements for companies that offer credit card payments. Since all major credit card companies, such as VISA, Mastercard and American Express, have agreed on this standard, it is legally binding for all participating companies, such as subscription-based services providers or online shop operators. In this article, you will learn everything you need to know about PCI DSS compliance for your company and for the selection of tool and platform providers, what requirements are placed on companies and what advantages are associated with compliance with the PCI Data Security Standards.

What is PCI DSS?

PCI DSS certified company | Company billwerk GmbH | Payment Card Industry Data Security Standard


The PCI DSS is a binding standard of all credit card organisations and serves to protect card accepting companies and buyers from data theft. A prerequisite for effective PCI compliance is that PCI DSS compliance is mandatory regulated in the company’s GTC. In addition, proof must be provided regularly that the company continues to be PCI compliant.

The PCI security standards are based on the respective security rules of the credit card organisations VISA, Mastercard, American Express, Discover and JCB. All businesses that accept credit cards as payment methods are affected by these regulations. A distinction is made between:

  • Large merchants and service providers with more than 6 million credit card transactions per year
  • Merchants between 20,000 and 6 million transactions 
  • E-commerce merchants with less than 1 million transactions

An e-commerce merchant must commission a PCI DSS-certified service provider for transaction processing in order to be able to offer PCI-compliant payment transactions. To this end, banks and savings banks also provide advice and support and often offer their own or partner merchant services to carry out vulnerability analyses or security checks on site.

However, it is only possible to mention PCI DSS compliance in the GTC when all twelve requirements for a company’s computer network have been met.

What are the requirements for PCI DSS compliance?

The PCI Rulebook, which every merchant or service provider must comply with, consists of twelve mandatory requirements:

  • Installing and regularly updating the firewall to protect data
  • Regularly change system passwords or other security settings, and do not use default passwords, such as those provided by suppliers or manufacturers.
  • Protecting the stored data of credit card holders is a top priority. This includes not storing them unnecessarily (e.g. only part of the credit card number and no PINs or verification codes)
  • Encrypted transmission of cardholder data and sensitive information in open networks
  • Use and regularly update recognised anti-virus software
  • Development and use of secure systems and applications
  • Ensuring that data access is limited to business purposes only
  • Each person with computer access needs their own user ID
  • Restricting physical access to credit cardholder data
  • Recording and monitoring of all access to network resources and credit card holder data
  • Regular review of all safety systems and process flows
  • Establishing and adhering to a company policy that regulates the topic of information security

The PCI Security Standards Council offers more detailed Resources on the topic.

What does this mean in the subscription economy?

In addition to digital payment methods such as SEPA direct debit, Paypal or In-App-Purchase, credit-card payment is often used by subscription customers in Germany with a share of approx. 8%, even if its share of the payment methods used is dwindling in relative terms. The PCI Data Security Standard must therefore be the basis for every subscription business model in order to maintain a trusting relationship with customers. The special feature of subscription-based business models is the recurring and automated process for which the customer has concluded a contract with the company.

So, on the one hand, a subscription provider must ensure convenient payment processing that does justice to a subscription; on the other hand, the security of the customer’s data and thus the limited storage of his data has the highest priority.

What are the benefits of PCI DSS?

A company that offers PCI DSS compliant credit card payment not only takes an enormous leap of faith with potential customers, but at the same time opens up the market of customers who prefer the credit card payment method. E.g. start-ups and companies in formation must be aware that credit card payment can only be offered as an option if they comply with the PCI regulations. What sounds like a lot of bureaucracy also has its good side operationally. Many service providers offer an all-round carefree package where the credit card payment method can be implemented with little technical know-how.

Conclusion: Future-proof safety standard

The PCI Data Security Standard is a globally accepted protection for buyers and sellers. Due to its integrity and prevalence, there is currently no reason to believe that this will change in the foreseeable future. What will change, however, are the security standards themselves. Ongoing updates to take account of the constant threats from outside are therefore imperative. The rules and checks described must therefore not only be introduced and constantly adhered to, but also always updated in a timely manner. Only in this way can customers, but also one’s own company, be protected from unwanted access and criminal acts.

Therefore, when selecting a subscription management platform and in the case of any in-house development, pay attention to PCI DSS compliance of the provider/developer. Ideally, this should be PCI DSS certified.