
What Are The Security Standards for Online Payment Merchants

During the early days of the internet, a large proportion of web users were anxious about paying for goods or services online.

At that time, a lot of horror stories about online fraud and poor data security were doing the rounds. Thankfully, since the turn of the century these worries have greatly subsided, partly due to increased awareness of online data security standards. Now, more than £100 billion is spent online by Brits every year.

Online security standards

With this much money changing hands online, it has become more crucial than ever for businesses to adhere to the security standards set by the Payment Card Industry Security Standards Council.

The council, which includes representatives from the world’s biggest card providers, was formed in 2006 with the aim of improving the security standards of all debit and credit card transactions. It has set 12 standards that all merchants, both online and offline, must adhere to when taking card payments.

These data security standards (DSS) cover the strength of a merchant's online network, the encryption of cardholder data, protection against hacks and malware, the restriction of staff access to data, and how often the merchant tests its security processes. In order to be registered as Payment Card Industry (PCI) compliant, merchants must perform these actions, amongst others, to an acceptable level.

Compliance categories

There are four levels of compliance set by the council. The more transactions a merchant processes, the higher the level it has to meet. Businesses taking more than six million transactions a year have to comply with Level 1 standards. Those taking fewer than 20,000 online transactions, or fewer than one million transactions in total, need only conform with Level 4 standards.

The main difference between the four categories is the details in the annual self-assessments they have to complete and send off to their card provider. The basic requirements for all levels remain almost identical.


Merchants of all sizes must be registered as PCI compliant in order to process card payments. This is an ongoing process monitored by annual self-assessments and a quarterly network scan approved by a third party. Those taking card payments without a certificate showing their PCI compliance risk huge fines.

It is the card providers, such as American Express, Discover Financial Services, JCB International, Mastercard and Visa, that monitor the compliance of their customers. It is they who issue the fines to non-compliant customers, too.


Those outsourcing their online payment processing should check that their supplier is PCI DSS compliant. Using a compliant payment provider reduces the risk of online fraud and helps prevent theft through the unauthorised use of cards. It helps businesses avoid reputational damage by ensuring that card data is consistently stored, processed and transmitted securely. They will also avoid potentially crippling fines.

With so much money to be made selling goods online, it’s no wonder that more and more businesses are now accepting card payments over the internet. It must be made clear to these businesses that adhering to the PCI DSS is absolutely mandatory.

The author of this article, Elliot Robinson, has been a writer for a decade and contributes regularly to various finance blogs. He keeps himself updated on recent trends in the financial market and shares tips and tricks for running a business successfully.
