PCI compliance requirements for merchants based on the integration method.
Bhargavi
started a topic
about 5 years ago
What is PCI?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially this is applicable for any merchant that has a Merchant ID (MID). [1]
The SAQ (Self-Assessment Questionnaire) includes a series of yes-or-no questions about your security practices. There are four types of SAQ- A, B, C and D. According to your sensitive data handling methods, you will be categorized under one of the same.
For merchants integrating with ChargeBee via the hosted pages, a self-declaration in the form of SAQ (Self-Assessment Questionnaire) is sufficient criteria to stay PCI compliant.
We strongly recommend that you go through the practices outlined in SAQ-A and complete the questionnaire.
While filling the SAQ-A, you should state that you will not be storing the card information and the information would be handled by a third party who is PCI compliant.
The mode of submission of the PCI compliance questionnaire depends on your payment gateway provider. Please check with them to know how they require you to validate your PCI DSS compliance status.
Let us take a look at the level of severity involved based on the integration mode.
• Hosted Payment Pages with no API Integration:
If you will be using ChargeBee’s hosted pages for integration, it means that all the sensitive credit card information will be passed directly to the server of ChargeBee and will not be touching your server.
Although you are not collecting any card information directly and the liability lies with us, it is still recommended to have the SAQ-A questionnaire filled out.
• Hosted Payment Pages with minimal API Integration (Embedded hosted pages):
This integration path allows you to embed the hosted page as an iFrame into your website; the information entered within the embedded iFrame will be directly submitted to the ChargeBee server and will not be touching your server. It is highly recommended that you use a HTTPS page with an SSL certificate installed to embed the iFrame.
In this method of integration, the PCI liability lies mostly with ChargeBee, but it is still highly recommended for you to be PCI self-certified.
• Complete API Integration:
This gives you the flexibility to provide your customers with an in-app payment experience. However, you are responsible to ensure you do not store or log any of the credit card information on your site / app at any point of time. You will be submitting the credit card information via the ChargeBee API.
It is mandatory that you use a HTTPS page with an SSL certificate to collect all the sensitive credit card information and also be PCI self-certified.
'you are not collecting any card information directly and the liability lies with us'
where is this stated on the checkout page when the user submits their card details? As merchants, how do we know this is guaranteed?
Joe Daniel
said
over 3 years ago
PCI liability and compliance is between You, the merchant and ChargeBee. It may not be required to indicate ChargeBee's compliance level to the merchant's end customers on the hosted checkout page.
If you do need to provide additional assurance to your customers that they're using a secure payment form, you could add a secure image by customizing the hosted pages. You can email us at support@chargebee.com for this.
Joe Daniel
said
about 3 years ago
Attached is a sample pre-filled SAQ-A document for ACME, Inc.
If you are viewing via MS Word, make sure you read it in print layout mode to see our comments.
Any chance you could provide a sample sample pre-filled SAQ-A document for ACME, Inc. with the latest SAQ-A document? it has been changed since.
Meena
said
about 1 year ago
Hi Eoin
I'll check this with my Security team and get back to you.
Meena
said
12 months ago
We're working on this and should be able to update you by early next week.
Meena
said
12 months ago
Hi Eoin
I've converted your request to a ticket and I'll update you on it.
D
Damien
said
6 months ago
So for, the following integration method:
Hosted Payment Pages with minimal API Integration (Embedded hosted pages):
What would be the official SAQ level?
Lakshmi Narayanan G
said
6 months ago
Hi Damien
As the checkout pages are still hosted by Chargebee, you'll only need to submit a Self-Assessment Questionnaire (SAQ - A) if you are using our embedded hosted pages.
C
Cheriel Neo
said
2 days ago
Hi there, who should we submit SAQ-A to? Is the acquirer in this case Chargebee, or is it our payment gateway, or is it actually the bank that receives the funds being processed?
Meena
said
1 day ago
Hi Cheriel
The SAQ-A form is not requested by Chargebee but might be requested by the payment gateway as an assurance that you'd be using a PCI Compliant service. You need to submit the form to the gateway and would need to reach out to them in case you need assistance in filling it.
Bhargavi
What is PCI?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially this is applicable for any merchant that has a Merchant ID (MID). [1]
The SAQ (Self-Assessment Questionnaire) includes a series of yes-or-no questions about your security practices. There are four types of SAQ- A, B, C and D. According to your sensitive data handling methods, you will be categorized under one of the same.
For merchants integrating with ChargeBee via the hosted pages, a self-declaration in the form of SAQ (Self-Assessment Questionnaire) is sufficient criteria to stay PCI compliant.
We strongly recommend that you go through the practices outlined in SAQ-A and complete the questionnaire.
While filling the SAQ-A, you should state that you will not be storing the card information and the information would be handled by a third party who is PCI compliant.
The mode of submission of the PCI compliance questionnaire depends on your payment gateway provider. Please check with them to know how they require you to validate your PCI DSS compliance status.
Click here, to read more on PCI compliance and to download the latest SAQ-A document.
Let us take a look at the level of severity involved based on the integration mode.
• Hosted Payment Pages with no API Integration:
If you will be using ChargeBee’s hosted pages for integration, it means that all the sensitive credit card information will be passed directly to the server of ChargeBee and will not be touching your server.
Although you are not collecting any card information directly and the liability lies with us, it is still recommended to have the SAQ-A questionnaire filled out.
• Hosted Payment Pages with minimal API Integration (Embedded hosted pages):
This integration path allows you to embed the hosted page as an iFrame into your website; the information entered within the embedded iFrame will be directly submitted to the ChargeBee server and will not be touching your server. It is highly recommended that you use a HTTPS page with an SSL certificate installed to embed the iFrame.
In this method of integration, the PCI liability lies mostly with ChargeBee, but it is still highly recommended for you to be PCI self-certified.
• Complete API Integration:
This gives you the flexibility to provide your customers with an in-app payment experience. However, you are responsible to ensure you do not store or log any of the credit card information on your site / app at any point of time. You will be submitting the credit card information via the ChargeBee API.
It is mandatory that you use a HTTPS page with an SSL certificate to collect all the sensitive credit card information and also be PCI self-certified.
For any questions or clarifications please write to support@chargebee.com.
[1]http://www.pcicomplianceguide.org/pcifaqs.php
Hey Mike!
The information is present in Chargebee's security page right at the bottom. Here are the links. https://www.chargebee.com/security/pci/ & https://www.chargebee.com/static/resources/COC_Chargebee_2015-2016.pdf.
- Oldest First
- Popular
- Newest First
Sorted by Oldest FirstMelissa Lee
for Hosted Payment Pages with no API Integration:
'you are not collecting any card information directly and the liability lies with us'
where is this stated on the checkout page when the user submits their card details? As merchants, how do we know this is guaranteed?
Joe Daniel
PCI liability and compliance is between You, the merchant and ChargeBee. It may not be required to indicate ChargeBee's compliance level to the merchant's end customers on the hosted checkout page.
If you do need to provide additional assurance to your customers that they're using a secure payment form, you could add a secure image by customizing the hosted pages. You can email us at support@chargebee.com for this.
Joe Daniel
Attached is a sample pre-filled SAQ-A document for ACME, Inc.
If you are viewing via MS Word, make sure you read it in print layout mode to see our comments.
Mike
Charanya
Hey Mike!
The information is present in Chargebee's security page right at the bottom. Here are the links. https://www.chargebee.com/security/pci/ & https://www.chargebee.com/static/resources/COC_Chargebee_2015-2016.pdf.
1 person likes this
Eoin Wren
Any chance you could provide a sample sample pre-filled SAQ-A document for ACME, Inc. with the latest SAQ-A document? it has been changed since.
Meena
Hi Eoin
I'll check this with my Security team and get back to you.
Meena
We're working on this and should be able to update you by early next week.
Meena
Hi Eoin
I've converted your request to a ticket and I'll update you on it.
Damien
So for, the following integration method:
Hosted Payment Pages with minimal API Integration (Embedded hosted pages):
What would be the official SAQ level?
Lakshmi Narayanan G
Hi Damien
As the checkout pages are still hosted by Chargebee, you'll only need to submit a Self-Assessment Questionnaire (SAQ - A) if you are using our embedded hosted pages.
Cheriel Neo
Hi there, who should we submit SAQ-A to? Is the acquirer in this case Chargebee, or is it our payment gateway, or is it actually the bank that receives the funds being processed?
Meena
Hi Cheriel
The SAQ-A form is not requested by Chargebee but might be requested by the payment gateway as an assurance that you'd be using a PCI Compliant service. You need to submit the form to the gateway and would need to reach out to them in case you need assistance in filling it.
-
EU VAT Support?
-
How do I accept check or bank transfer payments?
-
Can a customer change from one plan to another?
-
How is Chargebee different from a payment gateway?
-
What time zone does ChargeBee use to record transactions?
-
How does ChargeBee handle changes in quantity in the middle of a billing period?
-
How to cancel or void an invoice once it is generated in ChargeBee?
-
How to test webhooks locally during the development phase?
-
Payment gateway options for Indian companies
-
How to create subscriptions to pay by invoice, credit card and other offline methods (paypal, wire transfer, bank transfer).
See all 173 topics