PCI Compliance

A note on PCI Compliance for merchants

Any entity that processes, transmits, or stores card data is obligated to adhere to the Payment Card Industry Data Security Standard (PCI DSS). PayEngine has undergone a comprehensive evaluation by an independent PCI Qualified Security Assessor (QSA) and is certified as a PCI Level 1 Service Provider, the most stringent level of certification available to payment service providers.

When it comes to processing payments, it's crucial for merchants to ensure PCI compliance. The easiest way to achieve PCI compliance is by completely avoiding any interaction with card data. With PayEngine, we simplify this process by safeguarding the consumer's card information. By utilizing our suggested payment integrations, partners can enable their merchants to securely gather payment details, which are then directly transmitted to PayEngine without traversing the merchants' servers. This approach streamlines PCI compliance efforts for merchants.

To be more specific, if the partner uses PayEngine's Card Forms or SecureFields JS to let their merchants gather card details from consumers in a card-not-present environment, the merchants qualify for the simplest method of PCI validation: SAQ A. To help with compliance efforts, PayEngine generates a SAQ A for the merchant, which can be requested from PayEngine's customer support specialist if required. This simplicity is possible because PayEngine's technology hosts every form input that contains card data inside an iframe served from PayEngine's domain, so the card data is entered into and submitted from PayEngine's origin rather than the merchant's page. Therefore, merchants' servers never come into contact with consumers' card information.

If other integration methods are used, proper PCI validation may require other questionnaires or methods, and our customer support specialists are always happy to help assess the specific use case and offer guidance.

Note: If the merchant's annual transaction volume exceeds 6 million transactions with Visa or MasterCard, or 2.5 million transactions with American Express, or if the merchant is classified as a Level 1 provider by any of the card networks, then the merchant is not eligible to utilize a SAQ to demonstrate PCI compliance. In such cases, the payment brands require them to complete a Report on Compliance (RoC) on an annual basis to validate their PCI compliance.