Security Requirements
Meeting PCI standards to prevent theft of cardholder data and improve the security in payment card transactions.
Major credit card companies, like Visa and MasterCard, have made it a common cause to prevent card fraud and misuse of cardholder data.
This website provides an easy and effective guide for vendors to develop secure solutions that meet the needs of the merchants’ business and help fulfilling the Visa and MasterCard security requirements. Products that meet the security requirements are listed under validated products. The requirements that these products have met are found under registration.
On this page you can find out more about the mandatory security requirements for merchants who are accepting payment cards in their stores, restaurants, hotels and vendors who deliver products for card payments to merchants.
For more information visit the PCI Security Standards Council:
Mandatory Requirements
These requirements apply to all entities that store, process or transmit cardholder data.
Chip and PIN
The terminal must support chip and PIN.
PCI requirements
The easiest way to comply with the PCI requirements is to use validated products (card readers, terminals, electronic cash registers, etc.) that do not handle or cannot release cardholder data, for example card number, name of the cardholder, expiry date, and security codes (CVV/CVC), to the merchant. You can find all approved products on the page validated products.
Easy Checklist for Different Payment Solutions
For terminals and Electronic Cash Registers (ECR)
- Use terminals that cannot release cardholder data
- Use ECRs that do not handle any cardholder data
- Alternatively, use global solutions listed on the PCI Security Standard Council’s webpage
For e-commerce and online payments
- Use a hosted solution, i.e. a solution where the cardholder is redirected to a certified payment service provider and the merchant does not handle any cardholder data.
For unattended solutions
- Use terminal components that cannot release cardholder data
- Use UPT software that does not handle any cardholder data
- Use a secure exterior/shield
For self-service solutions
- For self-service or self-checkout points where customers scan their goods under the surveillance of a cashier, there are special requirements listed in the Self Checkout Point document
For terminals, encrypting card readers and encrypting PIN pads
- Use terminals, encrypting card readers and encrypting PIN pads that have been validated to fulfil the Security Design requirements
Best Practices
Additional best practice documents
PNC SAC Best Practices for fulfilling the brand requirements for Self-Checkout Points.
Guidance for secure card acceptance at hotels and similar businesses
Mobile Solutions
- PCI Security Standards Council Documents Library.
- Mastercard best practices for mobile point of sale acceptance
- Visa Europe: Implementing mobile point-of-sale