PCI compliance
Last updated: June 5, 2024
All merchants that accept payment cards are required to comply with the Payment Card Industry Data Security Standards (PCI DSS).
Checkout Technology Ltd, a company within the Checkout.com group, is certified as a PCI DSS Level 1 Service Provider, which is the highest standard set by the payment card industry.
When accepting payments, you must do so in a PCI-compliant manner. You can simplify your PCI compliance if you:
- integrate with Flow, Hosted Payments Page, Payment Links, Frames, or our Mobile SDKs, which let you accept payments without ever handling card data
- use Transport Layer Security (TLS) for all payment pages, so that they use HTTPS
- review and validate your PCI compliance once a year – most merchants can do this with a Self-Assessment Questionnaire (SAQ), which is provided by the PCI Security Standards Council
The type of SAQ you need to provide depends on your integration method. If you use:
- Flow, Hosted Payments Page, Payment Links, Frames, or our Mobile SDKs, you need to provide SAQ A
- our Full Card API with your own integration platform, you need to provide SAQ D
- our Full Card API with a third-party service provider, contact your Account Manager
If you are SAQ D PCI compliant and want to process full card payments, contact your Solution Engineer or [email protected].
Information
If you change how you integrate with us, you may need to re-certify your PCI compliance. For example, if you reintegrate from Frames to our Full Card API, you'll have more access to cardholder data, so your requirements may change.
Merchants are organized under four levels of PCI compliance, based on their card transaction count over a 12-month period. Your PCI level and integration method will determine the compliance requirements you must meet.
Level 1 merchants are subject to more stringent requirements than level 2 – 4 merchants. If you reach level 1 (more than 6 million transactions), we will identify this and contact you to make sure you can provide the relevant documentation and stay compliant.
Learn more about PCI compliance levels and key requirements.
Your PCI DSS certification needs to be reviewed and validated once a year. Qualified Security Assessors (QSAs) are independent security professionals and organizations, approved by the PCI Security Standards Council, that validate an entity's adherence to the PCI DSS. A QSA can help you choose the right SAQ for your business and support you through the process.
We’ve partnered with SecurityMetrics, a QSA company, to help our merchants with PCI compliance. After we approve your application, you'll receive an email explaining how to create your account with SecurityMetrics, if you choose to use them for PCI assistance.
SecurityMetrics is best equipped to answer specific questions about your scope of compliance. For the best way to contact SecurityMetrics, visit their website.
If you are already PCI compliant through another QSA, you can opt out of using SecurityMetrics' services. In that case, you'll need to provide us with valid certification that attests to your compliance.
When you complete your onboarding with us, we'll register you with SecurityMetrics so that you can start the PCI assessment. You'll need to provide us with the contact details of the person responsible for PCI compliance in your organization.
You will then receive an email from SecurityMetrics with instructions on how to sign in to their portal and begin the assessment process. You may also need to complete a regular vulnerability scan, to ensure that your website is secure.
Part of the enrollment process includes answering a brief set of questions that will help SecurityMetrics determine which SAQ you need to complete.
To sign in to the SecurityMetrics portal:
- Navigate to the SecurityMetrics Checkout.com page.
- Select Sign Up and enter the email address associated with your Checkout.com account.
- Verify your email address.
- Accept the Terms of Use.
- Sign in to the portal and complete the questionnaire about your credit card processing.
- Once you've completed the questionnaire, select Activate and Continue.
Note
Data security is extremely important to us. If you believe the security of your integration may have been compromised, or have any questions concerning your PCI obligations, contact us at [email protected].