At LHV, we view the security of your e-shop and customer data as a vital partnership. While we provide a fully compliant and secure payment processing environment, the overall security of your website and your adherence to industry standards is a shared responsibility.
This guide will help you understand your specific obligations regarding PCI DSS and provide actionable best practices to protect your business.
Your PCI DSS Responsibility Depends on Your Integration
To put it simply, your level of responsibility under the Payment Card Industry Data Security Standard (PCI DSS) is determined by how you handle cardholder data.
Scenario A: You Use LHV's Hosted Payment Page
If your customers are redirected to LHV’s secure, hosted payment page to enter their card information, you have chosen the most secure and straightforward integration method. In this case, sensitive card data never passes through your systems.
Your responsibilities are to:
Confirm that all payment processing is fully outsourced to LHV
Ensure you do not store, process, or transmit any cardholder data on your own systems
Complete the SAQ A annually. This is the shortest self-assessment questionnaire, designed for merchants who have fully outsourced their payment processing
Scenario B: You Use a Direct API Integration
If you collect payment details directly on your website and send them to LHV via an API, you have a much greater responsibility to protect that data as it passes through your systems.
Your responsibilities include:
Ensuring your systems never store sensitive authentication data (e.g., the CVV code) after authorization
Undergoing more stringent validation, which includes:
  Completing a more detailed self-assessment questionnaire, such as the SAQ D
  Arranging for regular external vulnerability scans by an Approved Scanning Vendor (ASV)
  Potentially conducting periodic penetration tests
Working with developers who have proven experience in building PCI DSS compliant environments
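The "never store sensitive authentication data after authorization" requirement above, as an added example that is not code from LHV or from this guide: a small Python filter a direct-API shop can put between the checkout request and anything that writes to a database or a log. It drops CVV, track and PIN fields, keeps only a masked PAN (first six and last four digits), and scrubs PAN-looking digit runs from log lines. The field names (pan, cvv, reference), the sample payload and the test card number are constructed for illustration and are not LHV API fields.

```python
"""
Added example, not LHV's code: what a direct API integration may persist
or log once the card has been sent to the processor for authorization.
Field names and sample values are assumptions for illustration.
"""
import re

# Sensitive authentication data: may never be written to disk or logs
# after authorization, even encrypted. (Hypothetical field names.)
SENSITIVE_AUTH_FIELDS = {"cvv", "cvc", "cvv2", "track1", "track2", "pin", "pin_block"}


def mask_pan(pan: str) -> str:
    """Mask a card number to first six + last four digits."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13 or len(digits) > 19:
        raise ValueError("PAN length is not plausible")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def luhn_valid(pan: str) -> bool:
    """Luhn check, used only to cut false positives when redacting logs."""
    digits = [int(c) for c in re.sub(r"\D", "", pan)]
    checksum = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def build_order_record(checkout_payload: dict, auth_response: dict) -> dict:
    """Return the only payment data the e-shop should persist.

    The full card details have already gone to the processor; the shop
    keeps amounts, a masked PAN and the processor's reference (assumed
    field name "reference") and nothing from SENSITIVE_AUTH_FIELDS.
    """
    record = {
        k: v for k, v in checkout_payload.items()
        if k not in SENSITIVE_AUTH_FIELDS and k != "pan"
    }
    record["pan_masked"] = mask_pan(checkout_payload["pan"])
    record["payment_reference"] = auth_response["reference"]
    return record


# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_PATTERN = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def redact_log_line(line: str) -> str:
    """Mask any Luhn-valid card-number-looking run before it reaches logs."""
    def _mask(match: re.Match) -> str:
        candidate = match.group(0)
        return mask_pan(candidate) if luhn_valid(candidate) else candidate
    return PAN_PATTERN.sub(_mask, line)


if __name__ == "__main__":
    # Constructed sample checkout payload; 4111... is a well-known test number.
    payload = {"pan": "4111 1111 1111 1111", "cvv": "123", "expiry": "12/29",
               "amount": "49.90", "currency": "EUR"}
    auth = {"reference": "TXN-CONSTRUCTED-001"}
    print(build_order_record(payload, auth))
    print(redact_log_line("order 42 card 4111 1111 1111 1111 declined"))
```

The record builder is allow-list driven in spirit (everything sensitive is named and removed, the PAN is replaced rather than copied), and the log redactor only masks digit runs that pass the Luhn check so order and tracking numbers are left readable; if your shop handles card brands with unusual PAN lengths, widen the length bounds in mask_pan and PAN_PATTERN together.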
The Shared Responsibility Model
Security is a team effort. The table below clarifies the division of responsibilities between you and LHV.
| LHV is Responsible For | You (The Merchant) are Responsible For |
| --- | --- |
| 1. The security and PCI DSS compliance of our payment processing systems and hosted payment page | 1. The overall security of your website, servers, and hosting environment |
| 2. Securely handling all cardholder data after it reaches our certified environment | 2. Ensuring your systems and processes are compliant with the PCI DSS requirements that apply to your integration type |
| 3. Providing you with secure and compliant tools for payment integration | 3. Correctly and honestly completing your required Self-Assessment Questionnaire (SAQ) each year |
| 4. Protecting all data stored on LHV’s systems | 4. Keeping your e-commerce software, plugins, and all other systems fully updated with security patches |
Your E-Shop Security Checklist
Beyond PCI DSS, the general health of your website is critical. Use this checklist as a starting point for regular security maintenance.
Keep Your Software Updated: Out-of-date software is the leading cause of security breaches. Regularly update your e-commerce platform (e.g., WooCommerce, Magento), themes, and all plugins
Enforce Strong Passwords: Use complex and unique passwords for all administrative accounts. Enable Two-Factor Authentication (2FA) wherever possible
Use HTTPS: Serve your whole site over HTTPS with a valid TLS (SSL) certificate so that data in transit between your customers and your server is encrypted
Protect All Customer Data: Remember that you are also responsible for protecting all personal data (names, addresses, emails) in accordance with GDPR
Working With Third-Party Developers
Many merchants hire external developers or agencies to build and maintain their sites. It is your responsibility to ensure they follow security best practices.
Key questions to ask your developer:
Do you have experience building e-commerce solutions that are compliant with PCI DSS?
What specific steps will you take to ensure that no sensitive cardholder data is ever stored on my website or server?
What is your process for applying security updates and patches to the platform and its plugins?
By understanding your role and taking these proactive steps, you help create a safer digital commerce environment for everyone.
