Safeguarding payment data is non-negotiable for anyone taking card payments online. The Payment Card Industry Data Security Standard (PCI DSS) is the framework that defines how cardholder data must be protected and how that protection is validated. The PCI Security Standards Council published version 4.0 of the standard in March 2022, and it has been the only active version since 1 April 2024, bringing significant changes to how merchants validate their compliance.
Every merchant must safeguard payment data
Although your payment gateway is already PCI DSS compliant (we hold PCI DSS Level 1 compliance, the highest level), you as a merchant or service provider still have to ensure that your own systems are secure in order to keep cardholder data safe. Merchants and service providers that are eligible for self-assessment validate their compliance by completing a Self-Assessment Questionnaire (SAQ). There are several SAQ types, and every organisation has to determine which one matches its environment.
The scenarios and their eligibility criteria are described in the PCI SSC document “SAQ Instructions and Guidelines”. Most e-commerce merchants fall under either SAQ A or SAQ A-EP.
SAQ A: Card-not-present merchants (e-commerce or mail/telephone-order) that completely outsource all account data functions to PCI DSS validated and compliant third parties. No electronic storage, processing, or transmission of account data on their systems or premises.
SAQ A-EP: E-commerce merchants that partially outsource payment processing to PCI DSS validated and compliant third parties, and with a website(s) that does not itself receive account data but which does affect the security of the payment transaction and/or the integrity of the page that accepts the customer’s account data. No electronic storage, processing, or transmission of account data on the merchant’s systems or premises.
All the documentation (including SAQ forms) can be found in the PCI DSS Self-Assessment Questionnaire Library.
Our "Payment Elements" integration is specifically designed to meet the requirements of SAQ A.
This is possible because the entire payment process is controlled and hosted by us.
This qualifies for SAQ A because:
The payment form is delivered and hosted entirely from our servers. The merchant’s website only embeds and displays this hosted form and has no control over it.
The merchant has no access to, or control over, the payment form’s functionality or its handling of cardholder data. The merchant may apply limited CSS styling for visual customisation but cannot modify or influence the underlying code or the data fields used to capture or process cardholder information.
Cardholder data is transmitted directly from the customer’s browser to our PCI DSS compliant servers and never passes through the merchant’s systems.
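The following page illustrates the hosted-form pattern described above. It is an added example and not LHV's integration code: the provider origin, the hosted-form URL and session parameter, and the shape of the postMessage messages are hypothetical placeholders, so use the embed snippet from the provider's integration documentation in a real checkout. What it shows is why the merchant page stays outside the cardholder-data flow: the card inputs live in a cross-origin iframe that the merchant's scripts cannot read, styling crosses that boundary only as a message the provider interprets, and the result that comes back carries a reference rather than card data.

```html
<!-- Added illustration of the hosted-form pattern; this is not LHV's
     integration code. The provider origin, form URL, session parameter and
     postMessage message shapes are hypothetical placeholders. -->
<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Checkout (merchant page)</title>
  <!-- CSP on the merchant page: only the provider's origin may be framed and
       only the one inline script below may run, so an injected script cannot
       add a second frame or swap the form for a lookalike. -->
  <meta http-equiv="Content-Security-Policy"
        content="default-src 'self'; frame-src https://payments.example-bank.test; script-src 'nonce-r4nd0m'">
</head>
<body>
  <h1>Order 1234</h1>

  <!-- The card inputs exist only inside this cross-origin iframe. They are not
       part of the merchant's DOM, so merchant scripts (and any script an
       attacker manages to inject into this page) cannot read them. -->
  <iframe id="payment-frame"
          src="https://payments.example-bank.test/hosted-form?session=SESSION_FROM_MERCHANT_BACKEND"
          sandbox="allow-scripts allow-forms allow-same-origin"
          allow="payment"
          style="width:100%;height:420px;border:0"></iframe>

  <script nonce="r4nd0m">
    const PROVIDER_ORIGIN = 'https://payments.example-bank.test';
    const frame = document.getElementById('payment-frame');

    frame.addEventListener('load', () => {
      // Same-origin policy in action: once the provider's page has loaded,
      // reading contentWindow.document throws a SecurityError. (Before the
      // load event the frame is still about:blank, which would be readable,
      // so the check has to run here and not at script start.)
      try {
        void frame.contentWindow.document;
        console.warn('unexpected: merchant page can read the payment form');
      } catch (err) {
        console.log('expected: ' + err.name); // "SecurityError"
      }

      // Visual customisation crosses the boundary as a message the provider
      // interprets; the merchant never touches the input elements themselves.
      // (Hypothetical message shape.)
      frame.contentWindow.postMessage(
        { type: 'theme', primaryColor: '#005a8c', fontFamily: 'system-ui' },
        PROVIDER_ORIGIN
      );
    });

    // The outcome comes back as a message. Check the origin before trusting
    // it, and treat the payload as a reference only: the PAN never appears
    // here, and the merchant backend must confirm the final status with the
    // provider server-to-server rather than trusting the browser.
    window.addEventListener('message', (event) => {
      if (event.origin !== PROVIDER_ORIGIN) return;
      const msg = event.data;
      if (msg && msg.type === 'payment-result') {
        window.location.assign(
          '/order/1234/confirm?ref=' + encodeURIComponent(String(msg.reference))
        );
      }
    });
  </script>
</body>
</html>
```

The contrast with an SDK integration is the location of the input elements. When an SDK renders the card fields into the merchant's own DOM, every script running on the merchant page can reach them, which is exactly why that page then "affects the security of the payment transaction" in the SAQ A-EP sense even though the data is still posted directly to the provider.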
How to Qualify for SAQ A with LHV
Our solutions are designed to make merchants eligible for SAQ A, the simplest PCI DSS validation type for e-commerce. This applies to our full range of integrations, including Open Banking, Credit Card payments, and solutions using our Payment Elements plugin.
For the vast majority of our integrations, merchants redirect their clients to a payment page fully hosted and secured by LHV. This ensures that sensitive cardholder data never touches the merchant's own systems.
Our SAQ A eligible solutions include:
Payment Initiation: Merchants can offer payment initiation either by redirecting the customer to LHV's payment page or by using our secure plugin on their own site, which still isolates the payment process from their environment.
Fully Hosted Plugins: Our Payment Links and Credit Card plugins are designed as fully hosted solutions.
API-based Redirect: In a typical API flow, the merchant places a "Pay" button on their site, which redirects the customer to the LHV-hosted payment page to select a payment method and complete the transaction.
In all these scenarios, LHV fully manages the payment page, including all of its CSS and JavaScript. None of our merchants using these methods receive, store or process cardholder data, which significantly reduces their PCI DSS scope.
❗Important Exception: SAQ A-EP
However, if you are a merchant using our SDK(s), your integration falls under SAQ A-EP. The SDK lets you customise the payment experience, for example by overriding the theme's CSS, and in doing so your website delivers the payment form to the customer. Even though the card data is still sent directly to LHV, a website that delivers the form affects the security of the payment transaction and the integrity of the page that accepts account data, which is exactly the SAQ A-EP scenario. Your website itself is therefore in scope for PCI DSS and requires the more comprehensive SAQ A-EP validation.
PCI DSS v4 SAQ updates
PCI DSS v4.0 has been the only active version of the standard since 1 April 2024; v3.2.1 was retired on 31 March 2024, so self-assessments must now be completed on the v4 SAQ forms.
For more information visit the PCI DSS v4 Resource Hub and PCI DSS Blog.