PCI DSS
When paying online with their credit cards, you want your customers to feel safe. Therefore, the secure transfer of their card data is one of the cornerstones of the online transaction business.
Acknowledging this, the major card schemes (i.e. Visa, MasterCard, American Express) and payment providers (i.e. Bancontact) enforce a worldwide standard set up to protect cardholder data and help businesses process card payments securely. The Payment Card Industry Data Security Standard (PCI DSS) is mandatory for all parties handling card data.
As a merchant, you have the responsibility as a minimum to fill out a self-assessment questionnaire on a yearly basis, proving that you comply to the standard. The length and rigor of the questions and the questionnaire itself depend largely on the way you process payments and choose to integrate our payment systems.
So how can you determine which questionnaire applies to you? The following chapter will help you further understand the impact of the PCI DSS on your business operations.
Find our PCI certificate here.
Our API exposes various POST resources. These POST resources vary greatly in terms of sensitive data being exchanged or not. In some cases, a single resource might even be used with or without sensitive data (i.e. CreatePayment with either card or token property respectively).
However, your required PCI type for any POST request comes down to this question:
How did you process your customers' card number for their initial payment?
The answer to this question defines your required PCI type for any subsequent request linked to the initial transaction.
Have a look at these use cases to understand the impact of PCI compliancy on your everyday transaction processing business:
Use case 1: Process transactions via Server-to-server with card property
| Operation | POST resource | Required PCI type |
|---|---|---|
| Initial payment via Server-to-server with card property |
With sensitive data exchanged |
SAQ D |
| Capture the payment |
No sensitive data exchanged |
SAQ D |
| Refund the payment |
No sensitive data exchanged |
SAQ D |
Use case 2: Process transactions via Hosted Checkout Page
| Operation | POST resource | Required PCI type |
|---|---|---|
| Initial payment via Hosted Checkout Page |
No sensitive data exchanged |
SAQ A |
| Capture the payment |
No sensitive data exchanged |
SAQ A |
| Refund the payment |
No sensitive data exchanged |
SAQ A |
Although both uses cases target the same endpoints (CapturePayment / RefundPayment) for following-up on the initial transaction, the required PCI types differ. Hence, your PCI compliancy requirements for every POST resource are defined by the way you process initial transactions.
This definition of PCI compliancy is also applicable when targeting the same resource in a scenario like this:
Use case 3: Create token for recurring payments
| Operation | POST resource | Required PCI type |
|---|---|---|
| Initial payment and token creation via Server-to-server with card property |
With sensitive data exchanged |
SAQ D |
| Use the token for a recurring payment |
No sensitive data exchanged |
SAQ D |
The way you process initial payments is determined by your integration mode. Consequentially, the integration mode you choose defines your global PCI requirements.