Security requirements

Major credit card companies, like Visa and MasterCard, have made it a common cause to prevent card fraud and misuse of cardholder data. The PCI has developed security standards to prevent theft of cardholder data and improve the security in payment card transactions.

Objective

This website provides an easy and effective guide for vendors to develop secure solutions that meet the needs of the merchants’ business and help fulfil the Visa and MasterCard security requirements. Products that meet the security requirements are listed under validated products. The requirements that these products have met are found under validation.

On this page you can find out more about the mandatory security requirements for:

  • merchants who are accepting payment cards in their stores, restaurants, hotels, etc.
  • vendors who deliver products for card payments to merchants.

Mandatory requirements

These requirements apply to all entities that store, process or transmit cardholder data.

Chip and PIN

The terminal must support chip and PIN.

PCI requirements

The easiest way to comply with the PCI requirements is to use validated products (card readers, terminals, electronic cash registers, etc.) that do not handle cardholder data, or cannot release it to the merchant, for example the card number, the name of the cardholder, the expiry date and the security codes (CVV/CVC). You can find all approved products on the validated products page.

Easy checklist for different payment solutions

For terminals and Electronic Cash Registers (ECR):

  • Use terminals that cannot release cardholder data (List 1)
  • Use ECRs that do not handle any cardholder data (List 2)

Alternatively, use global solutions listed on the PCI Security Standards Council's webpage: P2PE

For e-commerce and online payments:

Use a hosted solution, i.e. a solution where the cardholder is redirected to a certified payment service provider (list or the earlier list) and the merchant does not handle any cardholder data.

For unattended solutions:

  • Use terminal components that cannot release cardholder data (List 3)
  • Use UPT software that does not handle any cardholder data (List 4)
  • Use a secure exterior/shield (List 5)

For self-service solutions:

For self-service or self-checkout points, where customers scan their goods under the surveillance of a cashier, there are special requirements listed in the document (Self Checkout Point).

For terminals, encrypting card readers and encrypting PIN pads:

  • Use terminals, encrypting card readers and encrypting PIN pads that have been validated to fulfil the Security Design requirements (List 6)

Best Practices

Best practice documents that are not found under validation are found below:

The following documents give guidance on mobile solutions:

Secure Card Handling - Hotel information

The following document gives guidance on secure card acceptance at hotels and similar businesses: