The Payment Card Industry (PCI) Data Security Standards (DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. Organizations must follow PCI DSS standards if they accept payment cards from the five major credit card brands—Visa, MasterCard, American Express, Discover, and the Japan Credit Bureau (JCB). Compliance with PCI DSS is required for any organization that stores, processes, or transmits payment and cardholder data.
All card data (such as card numbers and expiration dates) should be stored separately from other property data, on a different server. This means that properties must have more than one server to be fully compliant, without exception. The complete set of specifications can be found on the PCI Council’s website.
How we're compliant
The PCI DSS designates four levels of compliance based on transaction volume. Mews Operations uses Microsoft Azure infrastructure, which is certified as compliant under PCI DSS version 3.2 at Service Provider Level 1 (the highest volume of transactions—more than 6 million a year).
Similarly, Mews Payments does not need to have the PCI compliant certification because our payment gateway provider—Stripe—has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1.
Learn more about PCI compliance at Stripe.
Individual clients are not usually fined for PCI breaches as payment processing (e.g. Adyen, Stripe, SIX Payments, etc.) and card storage services (i.e. on-premise or cloud-based databases where cards are stored) are often outsourced. However, if a payment processing or card storage service that you are using is breached, you can expect the costs of such a breach to be passed down in the form of higher fees over time.
Furthermore, under the General Data Protection Regulation (GDPR), on-premise solutions (such as storing all data on one server) are considered a data breach, so any clients using an on-premise solution could be fined for both a data breach and a PCI breach.