PCI DSS Compliance
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle credit or debit cards from the major card schemes such as Visa, Mastercard, American Express, Discover, and JCB.
PCI DSS applies to any business that stores, processes or transmits cardholder data. The card brands assign merchants to compliance levels (Level 1 to Level 4) according to annual transaction volume; the larger the volume, the more stringent the validation (a Level 1 merchant must undergo an on-site assessment, while smaller merchants may self-assess). Independently of the merchant level, the type of Self-Assessment Questionnaire (SAQ) a merchant is eligible for depends on how cardholder data is handled, which is why the integration method matters. The standard is revised periodically. A business that is not PCI DSS compliant can be held responsible for losses that occur through fraud, and can also face considerable fines and damage to its reputation.
Integration Method and PCI Compliance
The integration method you choose determines how much of your environment is in PCI scope, and therefore which SAQ you must complete; conversely, the SAQ you are able to support constrains which Paysafe integration methods are open to you. The table below lists the SAQ types that are relevant to typical Paysafe integrations.
SAQ type | Description | Recommended Integration Method |
---|---|---|
SAQ A | Applicable to card-not-present e-commerce merchants where the collection and storage of cardholder details are handled entirely by Paysafe. No cardholder data may be stored, processed or transmitted on the merchant's systems or premises. How compliance is certified: the merchant completes the short SAQ A and sends it to Paysafe or their acquirer. | Paysafe Checkout, Paysafe.js, or Hosted Payments API Redirect. To build a fully customized payment form while remaining in SAQ A scope, use the Paysafe Checkout or Paysafe.js SDKs: only the sensitive card fields are hosted on Paysafe's servers, so the merchant's page never receives the card number. With Hosted Payments Redirect, the merchant redirects the customer's browser to a payment form housed on the Paysafe platform, which collects and stores the card details; there is no interaction between the merchant's system and the customer's payment details. This is a simple and secure integration method, with limited flexibility and control. The Hosted Payments API also gives access to the alternate payment methods supported by Paysafe on that platform; note that these are not identical to those supported by the Alternate Payments API. For the iOS and Android SDKs, merchants that use Single-Use Tokens are expected to be at SAQ A. |
SAQ A-EP | Applicable to e-commerce merchants who outsource all payment processing to Paysafe and whose website does not directly receive cardholder data, but can still affect the security of the payment transaction (for example through the scripts and form it serves). No cardholder data may be stored, processed or transmitted on the merchant's systems. How compliance is certified: the merchant completes the detailed SAQ A-EP and an Attestation of Compliance (AOC), and submits them together with any other requested documentation, such as ASV scan reports, to Paysafe or their acquirer. Paysafe offers a PCI compliance program through selected partners. | Hosted Payments API Silent Post. With Silent Post, the merchant's own payment page collects the card details and the customer's browser posts them directly to the Paysafe platform; the merchant's servers never handle the card data. Because card information is sent from the client browser to Paysafe under the control of the merchant's page, this method requires the additional SAQ A-EP level of compliance. It offers greater flexibility and control: merchants can fully customize the payment page displayed to the customer, and can use the Customer Vault API for customer profile storage and tokenization processing. For the iOS and Android SDKs, merchants that use Single-Use Tokens together with the Customer Vault are expected to be at SAQ A-EP. |
SAQ D | The most extensive SAQ, applicable to e-commerce merchants who collect or store customer card details on their own systems. How compliance is certified: the merchant must conduct a detailed assessment and audit of its environment, complete the comprehensive SAQ D and an Attestation of Compliance (AOC), and submit them together with any other requested documentation, such as ASV scan reports, to Paysafe or their acquirer. Paysafe offers a PCI compliance program through selected partners. | Server-to-server POST using the Card Payments API. The merchant's server receives the card details and submits them to Paysafe, which gives full flexibility and control over the payment process; additional Paysafe APIs can be used alongside it to support further functionality. For the iOS and Android SDKs, merchants that pass the complete PAN to their own systems are expected to be at the higher SAQ D level. |
- The above is a subset of the available PCI levels, including only those that are relevant to merchants integrating with Paysafe. Other PCI levels may apply. For details please contact Customer Support.
- PCI standards are continually being updated. You can download the relevant Self Assessment Questionnaires (SAQs) and find out more about compliance by visiting the PCI Security Standards Council website: https://www.pcisecuritystandards.org/
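The scope boundary the table draws (under SAQ A and SAQ A-EP, no cardholder data may be stored, processed or transmitted on the merchant's systems) is worth enforcing mechanically rather than only by design. The Node.js guard below is an added example written for this page, not code from Paysafe or its SDKs: it scans an inbound payment request before any handler sees it and rejects the request if a field carries a PAN-like value (13 to 19 digits passing the Luhn check) or uses a known card-data field name. The request shapes, the placeholder token string and the field-name list are constructed assumptions; the card number used is the widely published Visa test PAN 4111 1111 1111 1111.

```javascript
// Added example: keep raw card data out of a merchant backend that is meant to stay
// at SAQ A / SAQ A-EP scope. Not Paysafe code; request shapes and names are assumed.

// Luhn check over a string of ASCII digits (the mod-10 check digit used by card PANs).
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// A value looks like a PAN if, with spaces and dashes removed, it is 13 to 19 digits
// and passes Luhn. Luhn-valid non-card numbers exist, so treat this as a detective control.
function looksLikePan(value) {
  if (typeof value !== 'string' && typeof value !== 'number') return false;
  const digits = String(value).replace(/[\s-]/g, '');
  return /^[0-9]{13,19}$/.test(digits) && luhnValid(digits);
}

// Field names that must never appear in a merchant-side request at SAQ A / A-EP.
// Assumed list for illustration; extend it to match your own form and API naming.
const CARD_DATA_FIELDS = new Set(['cardnum', 'cardnumber', 'pan', 'cvv', 'cvd', 'cvc', 'track', 'track2']);

// Walk a parsed JSON body and return the paths of offending fields with a reason.
function findCardData(node, path = '') {
  const hits = [];
  if (node !== null && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      const childPath = path ? `${path}.${key}` : key;
      if (CARD_DATA_FIELDS.has(key.toLowerCase())) {
        hits.push({ path: childPath, reason: 'card-data field name' });
      } else {
        hits.push(...findCardData(value, childPath));
      }
    }
  } else if (looksLikePan(node)) {
    hits.push({ path: path || '$', reason: 'PAN-like value' });
  }
  return hits;
}

// Guard: accept a body that carries only a token, reject one that carries card data.
// Returns { ok: true } or { ok: false, violations: [...] } so a route handler can
// answer 400 and raise an alert instead of processing the request.
function guardPaymentRequest(body) {
  const violations = findCardData(body);
  return violations.length === 0 ? { ok: true } : { ok: false, violations };
}

// Constructed sample bodies. The token string is a made-up placeholder for the
// single-use token a hosted-field SDK would hand back; the card number is the
// widely published Visa test PAN 4111 1111 1111 1111.
const tokenRequest = { amount: 1999, currency: 'USD', paymentToken: 'SUT-example-0001' };
const leakyRequest = { amount: 1999, currency: 'USD', card: { number: '4111 1111 1111 1111', cvv: '123' } };

console.log(guardPaymentRequest(tokenRequest));
console.log(guardPaymentRequest(leakyRequest));
```

Put the guard in front of every route that accepts payment data. A hit does not by itself prove a breach, since Luhn-valid order or account numbers exist, but it does prove that a form or client script is sending the merchant something its SAQ says must never arrive, which is exactly what a SAQ A or A-EP attestation relies on.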
PCI DSS Validation
For more information on how to comply with PCI DSS, including the validation requirements and Paysafe's validation service, see the topic on PCI DSS Validation in our Resources and Support section.