PCI DSS compliance for website

Our company is engaged in the development, support and maintenance of sites of any complexity. From simple one-page sites to large-scale cluster systems built on micro services. Experience of developers is confirmed by certificates from vendors.

8+Years of workmore info 900+Completed projectsmore info 100+In house employeesmore info 19+Partnersmore info

Development and maintenance of all types of websites:

Informational websites or web applications

Business card websites, landing pages, corporate websites, online catalogs, quizzes, promo websites, blogs, news resources, informational portals, forums, aggregators

E-commerce websites or web applications

Online stores, B2B portals, marketplaces, online exchanges, cashback websites, exchanges, dropshipping platforms, product parsers

Business process management web applications

CRM systems, ERP systems, corporate portals, production management systems, information parsers

Electronic service websites or web applications

Classified ads platforms, online schools, online cinemas, website builders, portals for electronic services, video hosting platforms, thematic portals

These are just some of the technical types of websites we work with, and each of them can have its own specific features and functionality, as well as be customized to meet the specific needs and goals of the client.

Offered services

Showing 1 of 1 servicesAll 2065 services

PCI DSS compliance for website

Complex

from 2 weeks to 3 months

FAQ

Our competencies:

Free consultation

Book a free consultation if you have any questions. A dedicated specialist will advise you.

Cost calculation

If you know what exactly you need to develop, or you already have a ready-made technical task.

Development stages

Latest works

Development of a web application for FEEDME
1161
Development of an online store for the company FURNORO
1041
Development of a web application for Enviok
822
CRM development for Chasseurs
847
Website development for SBH Partners
999
Website development for Red Pear
451

Show more works

Ensuring website compliance with PCI DSS requirements

PCI DSS (Payment Card Industry Data Security Standard) is the security standard for organizations processing payment card data. Developed by Visa, Mastercard, Amex and others. Violation leads to fines from payment systems, loss of card acceptance rights, mandatory audit.

Compliance levels

Level	Transaction Volume	Requirements
Level 1	>6M annually	Annual QSA audit + quarterly ASV scanning
Level 2	1–6M annually	Annual SAQ + quarterly ASV scanning
Level 3	20k–1M online	Annual SAQ
Level 4	<20k online	Annual SAQ

SAQ A — minimum requirements for outsourcing

If payment form fully outsourced (Stripe, Cloudpayments, ЮKassa) and card data never touches your server — SAQ A applies with minimal requirements.

<!-- Stripe Elements — payment form on Stripe side -->
<div id="card-element"></div>

<script src="https://js.stripe.com/v3/"></script>
<script>
const stripe = Stripe('pk_live_...');
const elements = stripe.elements();
const card = elements.create('card');
card.mount('#card-element');

const { paymentMethod, error } = await stripe.createPaymentMethod({
    type: 'card',
    card: card,
});
</script>

Requirement 1: Network and firewall

iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s trusted_ip -j ACCEPT

Requirement 3: Cardholder data protection

If storing card data (PAN):

class CardStorageService
{
    public function storePan(string $pan): array
    {
        return [
            'masked_pan'   => substr($pan, 0, 6) . '******' . substr($pan, -4),
            'last_four'    => substr($pan, -4),
        ];
    }
}

Never store: CVV/CVC, PIN, full magnetic stripe.

Requirement 4: Encryption in transit

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;

Requirement 7-8: Access and authentication

class AdminAuthController extends Controller
{
    public function login(Request $request)
    {
        if (!$this->verifyTotp($request->totp_code, auth()->user())) {
            abort(401, '2FA required for PCI DSS compliance');
        }
    }
}

2FA mandatory for CDE access. Lockout after 6 failed attempts. Session timeout 15 minutes.

Path to compliance for typical online store

1. Switch to Stripe/ЮKassa with iframe → SAQ A
2. Enable HTTPS everywhere, TLS 1.2+
3. Quarterly ASV scanning
4. Fill SAQ A (22 questions)
5. Register SAQ with acquirer

Implementation Timeline

SAQ A: iframe transition + basic setup: 5–10 days
Quarterly ASV scanning: automated process