This is a post written by Gunther Greven (VP Strategy, PAYMILL) and Stefan Sambol (COO, PAYMILL)

Credit card fraud is an unpleasant but very present phenomenon – particularly in daily e-commerce business. In distance selling situations, card data is transmitted in large numbers via internet connection around the globe and is processed by numerous parties in a complex value chain (including banks, payment processors and/or the merchants themselves). In this chain, data security can only be as good as the weakest link.

Some light is shed on online data handling by a new report from the California Attorney General. California passed a law in 2003, forcing companies and state agencies to inform citizens on security breaches affecting their personal data. The data breach report reveals now that personal data of 2.5 million state citizens was put at risk in 131 disclosed incidents during 2012 and 2011. Almost half of the cases are attributed to failures of companies and institutions to ensure appropriate data handling. The case shows that sensitive customer data is not only put at risk by criminal hackers but to a great extent also by misconduct of businesses and institutions. Both ways can eventually lead to fraud and hurt customers.

PCI-DSS signals trustworthy data-handling to customers

To minimize the likelihood of criminal intrusion and data mishandling, merchants need to establish elaborate security standards. Furthermore, standards are required that are reliable and thereby transparent for customers. The payment card industry adopted this task and created the Payment Card Industry Data Security Standard (PCI-DSS): a code of conduct and a set of rules for parties involved in the processing of credit card data. It is absolutely necessary that all merchants who process data of relevant payment card schemes (like MasterCard, Visa, Maestro, etc.) comply with these rules (otherwise, severe fines can be the consequence).

PCI-DSS guarantees that the latest technology is used for data storage and credit card data transmission (encryption with tokenization, firewalls, anti-virus software). It sets standards for data access and employee conduct. In order to ensure compliance, self-assessments and audits for larger entities is obligatory. Such measures not only protect the data of individuals around the globe, avoid misuse of personal information and credit card fraud – they also secure the consumers’ trust in distance selling, card payments and are therefore in the interest of each and every online merchant.

Use PAYMILL and avoid regulatory hassle 

Despite the numerous virtues of PCI-DSS standard, compliance is certainly not easy to establish. If payment card data is to be processed by a merchant – time and investments into the infrastructure, along with internal processes and people are usually required.

A more elegant solution is provided by PAYMILL. Using the PAYMILL-API means credit card data is not processed in the merchant’s own systems, even though it looks like it from the end customer’s point of view.

Instead, PAYMILL and our PCI-DSS certified partners provide compliant transaction handling – no worries, no hassle.

Technically, PAYMILL exchanges sensitive credit card data by a “token” that retains many of the required properties of the original data, but removes all elements that carry risk. The merchant can store this token as a unique transaction-identifier in its systems while card numbers etc. remain in a safe environment – no risk for the merchant, highest security for the customer.

Still, every merchant needs to be registered. Despite this convenient solution, every merchant needs to register with PCI-DSS, filling out a self-assessment form and stating that there is no involvement in payment card data handling. This is necessary to ensure the system’s overall integrity and reliability.

Therefore, all PAYMILL merchants are contacted by a PCI-authorized partner after they started live payment processing. The following steps need to be conducted:

  1. Registration with the PCI DSS Platform
  2. Selection of the applicable questionnaire
  3. Completion of the questionnaire
  4. Questionnaire must be completed once a year. A new registration, however, is not required.

This process usually does not take much time and certainly no money. If you completed the PCI-DSS process, you also have the chance to download “PCI Approved” certificate to display on your website and show your compliance with the card organizations. This helps build trust, which is very important for your customers.

To sum it all up, registration at our PCI partners and ensuring compliance increases security, customers’ trust in your website and therefore higher sales.

We’ve also developed a walk-through guide to give more guidance to merchants – and if you get stuck, we’re of course here for you.

For more information, please follow the link to download your PCI Security Guide

And in case you have any questions with regard to PCI-DSS, feel free to contact us: or

Image by Images_of_Money

Guest Blogger

This is a guest post written by one of our contributors.