Payment Gateway Features
Payments basics

PCI-Compliant Payment Gateway

Customers want to keep their money safe and feel confident that it is protected. To this end, many payment systems have even introduced a mandatory requirement for merchants and service providers. PCI compliance is required for companies to meet established security requirements when dealing with online payments. Let us help you understand what PCI compliance is, why your business needs it, and how to choose a PCI-compliant payment gateway.

PCI-compliant payment gateway: definition

Companies that accept payments from customers and process consumers’ personal data must comply with Payment Card Industry Data Security Standard (PCI DSS). PCI-compliant payment processing is a general requirement to ensure the security of payment card holders’ data.

Passing PSI DSS certification is required for any organization whose information systems process, transmit, and store personal data. This standard was developed by the Payment Card Industry Security Standards Council and is generally accepted around the world. The standard can be passed if you confirm compliance with a number of criteria:

  • Strong corporate network protection. Partitioning segments into multiple sites that handle customer data.
  • Use of 128-bit encryption keys.
  • Multiple-factor authentication to gain access to critical parts of the infrastructure.
  • Regularly changing passwords to log on to servers where data is stored to prevent leaks.
  • Systematic testing of the system for vulnerabilities.
  • Presence of specified corporate security policy. Availability of protocols for emergency actions in case of hacking.

International payment systems control PCI compliance. If a company accepts payments without confirming compliance with the standard, it may be fined or disconnected from the service. However, not all of the standard’s requirements apply to the PCI-compliant payment gateways.

Who is subject to PCI compliance?

Obtaining the compliance certificate is a relevant task for any company that wants to do business and accept payments using bank cards. This includes companies from the financial industry, online stores, call centers, retailers, and in general all organizations that are providers of goods and services.

In total, there are two types of businesses that require PCI DSS certification:


These are businesses that accept money from customers’ cards into their accounts. Merchants such as retail stores and e-commerce services fall under this definition. It is worth noting that only those merchants who have their own gateway or are integrated with it and store data on their side need a certificate of compliance. However, it isn’t necessary if they use a payment page from a service provider.

Service providers

These are businesses that provide some kind of service as part of the card transaction process. For example, these may be services that transfer money from the customer’s card or charge money to the client’s card. Service providers include processing centers, PCI DSS-compliant payment gateways, data backup storage facilities, organizations involved in card personalization, etc.

Payment service providers handle all issues related to card data processing, including PCI DSS certification. This ensures that merchants do not have to get involved in all the intricacies of compliance and auditing. The merchants’ task is to choose an intermediary which guarantees the PCI DSS compliance status and regularly updates the compliance certificate.

The software vendor (white-label payment gateway provider) should receive the certificate only if it distributes it on the SaaS model and stores data in its own warehouse. If the vendor sells a license, there is no need to have the certificate. However, the software must be fully compliant with the PCI DSS.

What levels of PCI compliance are there?

The PCI DSS has several levels of compliance, both for merchants and service providers. Providers need to have Level 1 in order to provide services to merchants, which is why it is necessary for each modern PCI DSS-compliant payment gateway. Let’s take a closer look at compliance levels.

Compliance levels for merchants

According to the classification, merchants are divided into four levels of PCI compliance, depending on the number of payment card transactions.

Contact our top experts

to pick products and services that fit your business needs

Schedule a meeting

Level 1

This is the highest level. It is recommended for companies that make more than 6 million payment card transactions per year. Such companies once a year should pass an internal audit with an authorized auditor. Once a quarter they must pass a vulnerability scanning procedure. The certification procedure includes a survey of the company’s information infrastructure, the development of recommendations and regulations required to meet the standard.

Level 2

This level is relevant for businesses with 1 million to 6 million transactions. Annual self-assessment questionnaire, as well as submit an Attestation of Compliance form. Quarterly scanning is recommended at this level.

Level 3

This level is required for companies that carry out at least 20,000 but not more than 1 million transactions a year. For such businesses, an annual self-assessment questionnaire and an attestation form are also required.

Level 4

This is the lowest level for merchants. It is relevant for businesses with fewer than 20,000 transactions a year. Like in the two previous levels, owners have to fill out a self-assessment questionnaire and submit an attestation form every year.

Compliance levels for service providers

Two tiers of service providers are defined, depending on the amount of data they process, store or transmit.

Level 1

This level covers the processing centers, tokenization centers, and companies with more than 300,000 card transactions per year. At this level, service providers such as PCI-compliance payment gateway need an Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA), as well as penetration tests, internal scans, bi-annual network segmentation tests, and an attestation form.

Level 2

It is relevant for companies (except for the processing or tokenization centers) where the number of card transactions is less than 300,000 per year. For instance, PCI-compliant payment processors have to provide an annual Self-Assessment Questionnaire, as well as the same tests as in the previous level.

Consider Boxopay as your reliable PCI-compliance payment gateway solution

The security of Internet payments is a serious and responsible issue in both commercial and reputational aspects. It is worth considering in the first place when building your technological infrastructure with a PCI-compliant payment gateway. And Boxopay will help you with this.

Boxopay is a reliable white-label payment gateway provider for acquirers, PSPs, banks, and large merchants, that establishes connection capabilities with any payment providers and processing centers globally. With Boxopay you can launch and take full control over your payment gateway functionality using a brandable self-hosted software that covers all providers’ and merchants’ business needs.

Advantages of Boxopay’s PCI-compliant payment gateways solution

  • Level 1 PCI DSS compliance;
  • Web portal for merchants and advances providers admin back-office;
  • On-demand integration services with unlimited providers;
  • Ready-made integration with a Visa/Mastercard processing center for acquirers;
  • Strong security for your merchants’ transactions;
  • Efficient risk-management solutions to maintain sustainable business operations and prevent chargebacks;
  • Multiple software delivery models to fit your business needs best.

Contact our experts now for demo, integration, business consulting, licensing, and tech support.

Contact our top experts

to pick products and services that fit your business needs

Schedule a meeting Privacy policy Cookie policy