The Payment Card Industry (PCI) Data Security Standards (DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. Organizations must follow PCI DSS standards if they accept payment cards from the five major credit card brands, i.e., Visa, MasterCard, American Express, Discover, and the Japan Credit Bureau (JCB). Organizations that store, process, or transmit payment and cardholder data require PCI DSS compliance. 

In this article you can learn about:

- Card storage
- Mews PCI DSS compliance
- Information on PCI breaches

Card storage

You should store all card data, such as card numbers and expiration dates, separately from other property data, on a different server. This means that properties must have more than one server to be fully compliant, without exception. You can find the complete set of specifications on the PCI Council’s website.

Mews no longer allows cardholder data to be entered into unsecured fields. The system will automatically delete any data stored in this manner prior to April 11. This includes card numbers, expiration dates, and CVC numbers. From this date, you must securely store all cards and remain PCI compliant.

You can learn more about adding a new payment card securely here.

Note: Mews doesn't store or have access to the full card number. For security reasons, we only store the first six and last four digits of the card.
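The note above describes PAN truncation: only the first six and last four digits are retained. The following is an added example, not Mews code, showing how a system can enforce that rule on input and then check that no full card number has leaked into stored text such as logs or notes. The Luhn check on the input is an assumption of this example (a basic sanity check before truncation), and all card numbers used here are constructed test values.

```python
import re

# Added example (not Mews code): keep only the first six and last four digits
# of a PAN, and scan text for anything that still looks like a full PAN.

PAN_RUN = re.compile(r"\d(?:[ -]?\d){12,18}")  # 13 to 19 digits, optional separators


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Return first six + masked middle + last four, or raise on invalid input.

    Rejects anything that is not a plausible PAN so that garbage is not
    silently 'masked' and stored.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    if not luhn_valid(digits):
        raise ValueError("PAN fails Luhn check")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def contains_full_pan(text: str) -> bool:
    """True if the text holds a digit run of PAN length that passes Luhn.

    Useful as a guard before writing free-text fields (notes, logs) to
    storage that must never hold a full card number.
    """
    for match in PAN_RUN.finditer(text):
        digits = re.sub(r"\D", "", match.group(0))
        if luhn_valid(digits):
            return True
    return False


def store_note(note: str) -> str:
    """Accept a free-text note only if it carries no full PAN."""
    if contains_full_pan(note):
        raise ValueError("refusing to store text containing a full card number")
    return note


if __name__ == "__main__":
    # Constructed test value (a well-known test card number, not a real card).
    print(truncate_pan("4242 4242 4242 4242"))   # 424242******4242
    print(contains_full_pan("guest note: card 424242******4242 on file"))  # False
```

The truncated form can be stored and displayed freely; `contains_full_pan` is the check you would run on anything operators can type into the system, so that a full PAN pasted into a comment field is rejected rather than persisted.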


Mews PCI DSS compliance

The PCI DSS designates four levels of compliance based on transaction volume. Mews Operations uses Microsoft Azure infrastructure, which is certified as compliant under PCI DSS version 4.0 at Service Provider Level 1, the level for the highest transaction volume (more than 6 million transactions a year).

Similarly, Mews Payments does not need its own PCI compliance certification, because the Mews payment gateway provider, Stripe, is audited by a PCI-certified auditor and is certified as a PCI Service Provider Level 1. You can learn more about PCI compliance at Stripe here.

Cardholder information is entered through a secure iframe in the Mews application. You can find all other related information in the Security section and in the Certifications section here.


Information on PCI breaches

Individual clients are not usually fined for PCI breaches, because payment processing (for example Adyen, Stripe, or SIX Payments) and card storage (the on-premise or cloud-based databases where cards are stored) are often outsourced. However, if a payment processing or card storage service that you are using is breached, you can expect the costs of such a breach to be passed down to you in the form of higher fees over time.

Furthermore, the General Data Protection Regulation (GDPR) considers an on-premise solution such as storing all data on one server to be a data breach. So any clients using an on-premise solution could be fined for both a data breach and a PCI breach.

You can learn more about PSD2 compliance here.