Information on PCI DSS and requirements under PCI DSS v4.0

Summary: The Payment Card Industry Data Security Standard (PCI DSS) defines operational and technical measures to increase security and stability in the processing of (payment) cardholder data. The regulations apply to all companies involved in the collection, recording, storage or processing of cardholder data. Acquirers have undertaken to contractually verify compliance with defined requirements on the part of companies that accept credit card payments. By using the payment page or iFrame integration of Wallee Group AG - as a Level 1 compliant service provider - merchants and store operators avoid their own time-consuming PCI audit, as the actual processing of cardholder data takes place exclusively at wallee. Merchants who use wallee usually only have to submit a self-assessment via the PCI Self-Assessment Questionnaire (PCI SAQ) in its simplest form (PCI SAQ A) to their acquirer. For customers of wallee All-in-One (acquiring via wallee), this is particularly easy and convenient via the PCI SAQ A online form in the wallee portal. This is needed annually.
    1. General information about PCI

    1.1 What is PCI DSS?

      PCI DSS is short for Payment Card Industry Data Security Standard. This standard defines both operational and technical measures to increase security and stability in payment transactions, in particular in the processing of credit card transactions, for all parties involved. It is jointly defined by the Payment Card Industry Security Standards Council (PCI SSC), which is supported by all major credit card organizations.

    1.2 Who is affected by PCI DSS?

      As a common set of rules, PCI DSS is intended to promote and improve the security and protection of customer and cardholder data when processing payments. In this respect, PCI DSS affects all companies involved in the collection, recording, storage or processing of cardholder data, such as credit card issuers and payment service providers, but also all companies that accept (credit card) payments (merchants), e.g. via their website.

    1.3 PCI conformity (compliance)

      All companies that collect, process, store or transmit cardholder data are affected by PCI DSS. Acquirers and payment service providers are committed to implementing the global industry standard to increase security for cardholders, reduce fraud and reduce the likelihood of malicious attacks through standardized technical and operational measures. To ensure PCI compliance, acquirers contractually verify compliance with defined requirements by the companies that accept credit card payments.

      Depending on how payment data capture is handled, this can lead to costly and time-consuming checks that require massive investment in your security infrastructure. If this is not done properly and credit card data is stolen, it can result in heavy fines.


    2. wallee and PCI

    2.1 The Wallee Group AG is PCI Level 1 Compliant

      As a service provider, the Wallee Group is PCI-compliant to Level 1, the highest level of data security in the credit card industry. Annual audits verify that we meet all technical and operational requirements to ensure the best possible data security when processing card payments. You can access our current certification here: PCI DSS Validation Certificate

      Wallee Group AG is PCI compliant as Service Provider Level 1

    2.2 What does this mean for you as a wallee customer?

      All companies that process credit card payments must be compliant with the PCI Data Security Standards (PCI DSS). The good news: By using the payment page or iFrame integration from wallee - as a Level 1 compliant service provider - you avoid your own time-consuming PCI audit, because the actual processing of cardholder data takes place exclusively at wallee and not on your servers.

      However, depending on the product scope, we or your acquirer must ensure that your website, on which you integrate payment processing via wallee, also fulfills certain requirements. For this purpose, you as a merchant must submit an annual self-assessment via the so-called PCI SAQ (PCI Self-Assessment Questionnaire).
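The reason the simplest questionnaire applies is the architecture described above: the card form lives on the PSP's payment page or inside its iFrame, so cardholder data (CHD) never passes through the merchant's own page or servers. The following added example (not wallee's code, and not a PCI SSC rule set) is a small heuristic scanner a merchant can run over a checkout page to confirm that no card-data fields are captured on the merchant origin and that the payment form really is embedded from another origin. The autocomplete tokens, the field-name pattern, the `shop.example`/`psp.example` hosts and both sample pages are constructed assumptions for illustration.

```python
# Added example (not wallee's code): heuristic scope check for a checkout page.
# It flags <input> fields that would capture cardholder data on the merchant
# page and lists iFrames served from a different host than the merchant's.
# Attribute tokens, the regex and the sample pages are constructed assumptions.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# HTML autocomplete tokens that browsers use for payment card fields.
CHD_AUTOCOMPLETE = {"cc-name", "cc-number", "cc-exp", "cc-exp-month",
                    "cc-exp-year", "cc-csc"}
# Assumed name/id fragments that usually indicate card data capture.
CHD_NAME_PATTERN = re.compile(r"card.?number|\bpan\b|cvv|cvc|csc|expir", re.I)


class ScopeScanner(HTMLParser):
    """Collects CHD-capturing inputs and cross-origin iFrames from one page."""

    def __init__(self, merchant_host):
        super().__init__()
        self.merchant_host = merchant_host.lower()
        self.chd_inputs = []    # field names that capture CHD on the merchant page
        self.psp_iframes = []   # iframe src values served from another host

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "input":
            name = a.get("name") or a.get("id") or ""
            if a.get("autocomplete", "").lower() in CHD_AUTOCOMPLETE \
                    or CHD_NAME_PATTERN.search(name):
                self.chd_inputs.append(name)
        elif tag == "iframe":
            host = (urlparse(a.get("src", "")).hostname or "").lower()
            if host and host != self.merchant_host:
                self.psp_iframes.append(a["src"])


def check_saq_a_scope(html, merchant_host):
    """Scan one checkout page. 'saq_a_candidate' is True only when no CHD field
    lives on the merchant page and a cross-origin iFrame (assumed to be the
    PSP's payment form) is present; it is a hint, not a compliance verdict."""
    scanner = ScopeScanner(merchant_host)
    scanner.feed(html)
    scanner.close()
    return {
        "chd_inputs": scanner.chd_inputs,
        "psp_iframes": scanner.psp_iframes,
        "saq_a_candidate": not scanner.chd_inputs and bool(scanner.psp_iframes),
    }


# Constructed sample 1: the merchant's own page collects the card data, so the
# merchant origin is in scope and SAQ A would not fit.
MERCHANT_FORM_HTML = """
<form action="/pay" method="post">
  <input name="cardholder_name" autocomplete="cc-name">
  <input name="card_number" autocomplete="cc-number">
  <input name="expiry" autocomplete="cc-exp">
  <input name="cvv" autocomplete="cc-csc">
  <button type="submit">Pay</button>
</form>
"""

# Constructed sample 2: the card form lives in the PSP's iFrame; the merchant
# page only holds non-CHD fields.
IFRAME_HTML = """
<div id="checkout">
  <iframe src="https://psp.example/checkout/session/ABC123" title="Payment"></iframe>
  <input name="email" autocomplete="email">
  <input type="hidden" name="order_id" value="42">
</div>
"""

if __name__ == "__main__":
    for label, page in (("merchant form", MERCHANT_FORM_HTML), ("iFrame", IFRAME_HTML)):
        print(label, check_saq_a_scope(page, "shop.example"))
```

Run it against the saved HTML of your own checkout page with your shop's hostname; any entry in `chd_inputs` means card data is being collected on your page rather than on the PSP's, which is exactly the situation the text says SAQ A does not cover. A clean result is a sanity check only; your acquirer's questionnaire remains the authoritative assessment.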


    3. PCI Self-Assessment Questionnaire (PCI SAQ)

    3.1 What is the PCI Self-Assessment Questionnaire (PCI SAQ)?

      We or your acquirer are obliged to request an annual self-assessment from you in order to check your PCI compliance. The PCI SSC provides a questionnaire for this self-assessment, the so-called PCI SAQ (PCI Self-Assessment Questionnaire). Because the actual processing of cardholder data is outsourced to wallee through the use of the Payment Page or iFrame integration, the simplest form, the PCI SAQ A, is usually sufficient for this purpose. This is a series of yes/no questions that you must answer annually.

    3.2 How is the PCI SAQ completed?

      Your acquirer is ultimately responsible for obtaining the self-assessment information from you. Who verifies this information, and how, therefore depends on the product scope you use with us:

      1. You use wallee All-in-One (acquiring via wallee)

        With All-in-One, you use wallee not only for payment processing but also as your acquirer. In this case, we are responsible for verifying PCI compliance and obtaining the PCI SAQ A information from you. This is also particularly easy, because the SAQ A is filled out as an online form directly in the wallee portal and is prefilled with basic information we already have from you. If you have any questions, please contact our Support.

      2. You use wallee with acquiring via third-party providers

        Your acquirer is responsible for verifying PCI compliance and requesting appropriate documentation from you. The process may vary depending on the acquirer. If you use the payment page or iFrame integration of wallee, the information required by the PCI SAQ A is usually sufficient. You can download the official questionnaire here. However, it is possible that your acquirer will request additional information from you. If you have any questions, please contact your acquirer directly.

    3.3 How often does a self-assessment have to take place?

      The questions of the PCI SAQ A must be answered annually to ensure continuous PCI compliance and to include new requirements. If you use wallee All-in-One, you will be automatically notified in the wallee portal as soon as it is required (again) and can easily complete the PCI SAQ A online directly in the portal.


    4. PCI DSS v4.0

    4.1 New features and changes under PCI DSS v4.0

      Since March 2025, implementation of the latest version, PCI DSS 4.0, has been mandatory. It imposes significantly higher requirements on websites and store operators in terms of IT and protective measures, as well as more complex controls and verification. With the publication of revision 4.0.1 in February 2025, some of the requirements were slightly loosened again, to the extent that no additional technical controls (beyond the PCI SAQ A requirements described above) are necessary when processing payments via an external payment service provider such as wallee.

      If there are any changes that affect the PCI conformity of your payment processing via wallee or additional technical requirements, we will inform you here.


    5. PCI Glossary

AOC: Attestation of Compliance

The AOC is the official PCI SSC form used by merchants and service providers to confirm the results of a PCI DSS assessment as documented in a Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC).
Download the latest AOC

CHD: Cardholder Data

Cardholder data consists of at least the full PAN. It may also take the form of the full PAN together with one of the following elements: cardholder name, expiration date and/or service code. It is part of the sensitive authentication data that companies have undertaken to protect in accordance with PCI DSS requirements.

PAN: Primary Account Number

Unique payment card number (credit, debit or prepaid cards, etc.) that identifies the issuer and the cardholder's account.

PCI DSS: Payment Card Industry Data Security Standard

Standard in which both operational and technical measures are defined to increase security and stability in payment transactions, particularly in the processing of credit card transactions, for all parties involved.
Find out more on the PCI website

PCI SSC: Payment Card Industry Security Standards Council

The PCI Security Standards Council is an international, open forum for the further development, improvement, archiving, dissemination and implementation of security standards for the protection of account data.
More about the PCI SSC

PCI SAQ: Payment Card Industry Self-Assessment Questionnaire

Questionnaire used to document the results of a company's self-assessment according to PCI DSS. For merchants who use wallee for payment processing, the simplest version, PCI SAQ A, is usually sufficient.
Download the latest SAQ A

Service Provider

An entity that is not a payment method and is directly involved in the processing, storage or transmission of cardholder data (CHD) and/or sensitive authentication data (SAD) on behalf of another entity. This includes payment gateways, payment service providers (PSP) such as wallee, and independent sales organizations (ISO). It also includes entities that provide services that control or could affect the security of CHD and/or SAD. Examples include managed service providers that provide managed firewalls, IDS and other services, hosting providers and other companies.