
PCI DSS Self-Assessment Questionnaires

What is the PCI DSS Self-Assessment Questionnaire (SAQ), who needs to complete it, and how to submit it


Safeguarding payment data is non-negotiable for anyone taking card payments online. The Payment Card Industry Data Security Standard (PCI DSS) is the framework that defines how cardholder data must be protected, and the PCI Security Standards Council's version 4.0 of the standard introduced significant changes to how compliance is assessed and validated.


Every merchant must safeguard payment data

Although your payment gateway is already PCI DSS compliant (we hold PCI DSS Level 1 compliance, the highest level), you as a merchant or service provider still have to ensure that your own systems are secure, because the gateway's compliance does not cover the environment you control. Merchants and service providers eligible for self-assessment validate their compliance by completing a Self-Assessment Questionnaire (SAQ). There are several SAQs, and each organization has to determine which one best applies to its environment.

The definitions of the different scenarios and additional descriptions are in the document "SAQ Instructions and Guidelines". Most e-commerce merchants fill in either SAQ A or SAQ A-EP.

  • SAQ A: Card-not-present merchants (e-commerce or mail/telephone-order) that completely outsource all account data functions to PCI DSS validated and compliant third parties. No electronic storage, processing, or transmission of account data on their systems or premises.

  • SAQ A-EP: E-commerce merchants that partially outsource payment processing to PCI DSS validated and compliant third parties, and with a website(s) that does not itself receive account data but which does affect the security of the payment transaction and/or the integrity of the page that accepts the customer’s account data. No electronic storage, processing, or transmission of account data on the merchant’s systems or premises.

All the documentation (including SAQ forms) can be found in the PCI DSS Self-Assessment Questionnaire Library.


Our "Payment Elements" integration is specifically designed to meet the requirements of SAQ A

This is achieved because the entire payment process is fully controlled and hosted by us.

This qualifies for SAQ A because:

  • The payment form is delivered and hosted entirely from our servers. The merchant’s website only embeds and displays this hosted form and has no control over it

  • The merchant has no access to or control over the payment form’s functionality or cardholder data handling. The merchant may apply limited CSS styling for visual customization but cannot modify or influence the underlying code or data fields used to capture or process cardholder information

  • Cardholder data is transmitted directly from the customer's browser to our PCI DSS–compliant servers and never passes through the merchant’s systems
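The three bullets above describe a boundary you can partly verify from the outside: the merchant's checkout page must not render its own card fields, and the payment form must come from an origin the merchant does not control. The following is an added illustrative check written for this article, not the gateway's own code or part of the Payment Elements integration; the gateway hostname, the sample HTML and the list of attribute hints are assumptions. It is a coarse static review aid for an embedded-form integration, not evidence of SAQ A eligibility, which your acquirer and the SAQ Instructions and Guidelines determine.

```python
# Added illustrative check (not the gateway's code): parses a checkout page and
# reports anything that would place the page itself in scope for account data.
# Hostnames, sample markup and the hint list below are assumptions for the example.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attribute fragments that usually mean an <input> collects account data.
# Assumed list; extend it to match your own templates.
CARD_FIELD_HINTS = (
    "cc-number", "cc-exp", "cc-csc", "cardnumber", "card_number",
    "card-number", "cvv", "cvc", "expiry",
)


def _origin(url: str) -> str:
    """scheme://host[:port] of a URL, lower-cased, for origin comparison."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


class CheckoutPageAudit(HTMLParser):
    """Collects the elements that decide whether the page itself touches account data."""

    def __init__(self) -> None:
        super().__init__()
        self.card_inputs: list[str] = []     # <input> fields that look like card fields
        self.iframe_origins: list[str] = []  # origins of embedded frames

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "input":
            hint = " ".join((a.get("name", ""), a.get("id", ""), a.get("autocomplete", ""))).lower()
            if any(h in hint for h in CARD_FIELD_HINTS):
                self.card_inputs.append(a.get("name") or a.get("id") or "<unnamed>")
        elif tag == "iframe" and a.get("src"):
            self.iframe_origins.append(_origin(a["src"]))


def audit_checkout_page(html: str, merchant_origin: str) -> dict:
    """Return findings that would push an embedded-form page out of SAQ A."""
    merchant_origin = merchant_origin.lower()
    parser = CheckoutPageAudit()
    parser.feed(html)

    findings = []
    if parser.card_inputs:
        findings.append("page renders its own card fields: " + ", ".join(parser.card_inputs))
    hosted = [o for o in parser.iframe_origins if o != merchant_origin]
    if not hosted:
        findings.append("no cross-origin iframe found; the payment form is not hosted by a third party")
    if merchant_origin in parser.iframe_origins:
        findings.append("a payment iframe is served from the merchant origin, so the merchant controls it")

    return {"saq_a_candidate": not findings, "hosted_form_origins": hosted, "findings": findings}


# Constructed sample pages (hypothetical hostnames, not real merchant markup).
MERCHANT_ORIGIN = "https://shop.example.test"

HOSTED_FORM_PAGE = """
<html><body>
  <h1>Checkout</h1>
  <form action="/order/confirm" method="post">
    <input name="email" autocomplete="email">
    <iframe src="https://pay.gateway.example.test/elements/form?session=abc123"
            style="border:0;width:100%"></iframe>
    <button>Pay</button>
  </form>
</body></html>
"""

SELF_HOSTED_PAGE = """
<html><body>
  <form action="https://shop.example.test/checkout/pay" method="post">
    <input name="card_number" autocomplete="cc-number">
    <input name="exp" autocomplete="cc-exp">
    <input name="cvc" autocomplete="cc-csc">
  </form>
</body></html>
"""

if __name__ == "__main__":
    for label, page in (("hosted form", HOSTED_FORM_PAGE), ("self-hosted form", SELF_HOSTED_PAGE)):
        print(label, audit_checkout_page(page, MERCHANT_ORIGIN))
```

The check only inspects static markup, so it cannot see scripts that inject card fields at runtime or a CSS-only customization that is within the rules; treat a clean result as a prompt to confirm the integration with your gateway's documentation, not as the answer to the questionnaire.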


PCI DSS v4 SAQ updates

PCI DSS v4.0 replaced the previous version, PCI DSS v3.2.1, which was retired on 31 March 2024. The SAQs have been updated to reflect version 4.0 of the PCI DSS, and most SAQs now carry additional requirements. In particular, v4.0 adds requirements that address the integrity of e-commerce payment pages, such as 6.4.3 (managing the scripts loaded on payment pages) and 11.6.1 (detecting unauthorized changes to payment pages); which requirements appear in a given SAQ depends on the SAQ revision in force, so complete the current form from the SAQ library rather than assuming your previous answers still hold.

For more information visit the PCI DSS v4 Resource Hub and PCI DSS Blog.
