PCI compliance requirements for merchants based on the integration method.

What is PCI?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially, this applies to any merchant that has a Merchant ID (MID). [1]

The SAQ (Self-Assessment Questionnaire) includes a series of yes-or-no questions about your security practices. There are four types of SAQ: A, B, C and D. Which one you fall under depends on how you handle sensitive cardholder data.

For merchants integrating with ChargeBee via the hosted pages, a self-declaration in the form of the SAQ (Self-Assessment Questionnaire) is sufficient to stay PCI compliant.

We strongly recommend that you go through the practices outlined in SAQ-A and complete the questionnaire.

While filling out the SAQ-A, you should state that you will not be storing card information and that it will be handled by a third party who is PCI compliant.

The mode of submission of the PCI compliance questionnaire depends on your payment gateway provider. Please check with them to know how they require you to validate your PCI DSS compliance status.

Click here to read more on PCI compliance and to download the latest SAQ-A document.

Let us take a look at the level of PCI responsibility involved in each integration mode.

•  Hosted Payment Pages with no API Integration:

If you use ChargeBee’s hosted pages for integration, all sensitive credit card information is passed directly to ChargeBee’s servers and never touches your server.

Although you are not collecting any card information directly and the liability lies with us, it is still recommended that you fill out the SAQ-A questionnaire.

•  Hosted Payment Pages with minimal API Integration (Embedded hosted pages):

This integration path allows you to embed the hosted page as an iFrame in your website; the information entered within the embedded iFrame is submitted directly to the ChargeBee server and does not touch your server. It is highly recommended that you use an HTTPS page with an SSL certificate installed to embed the iFrame.

In this method of integration, the PCI liability lies mostly with ChargeBee, but it is still highly recommended for you to be PCI self-certified.

•  Complete API Integration:

This gives you the flexibility to provide your customers with an in-app payment experience. However, you are responsible for ensuring that you do not store or log any credit card information on your site or app at any point. You will be submitting the credit card information via the ChargeBee API.

It is mandatory that you use an HTTPS page with an SSL certificate to collect all sensitive credit card information, and that you are PCI self-certified.
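For the complete API integration path, where card data passes through your own code, one practical control against the "do not store or log" requirement is a sanitizer that runs over every line before it reaches a log sink, and a CI check that fails when it finds anything. This is an added Python example, not Chargebee's code; it assumes the constructed log format in SAMPLE_LOG and uses the well-known 4111 1111 1111 1111 Luhn-valid test number rather than any real card.

```python
import re
# Candidate PANs: 13-19 digits, optional space/dash separators, not inside a longer digit run
# (so a 20-digit order id is left alone).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Security-code fields (cvv/cvc/cvv2) in JSON or key=value form; these must never be logged.
CVV_FIELD = re.compile(r'("?(?:cvv2|cvv|cvc)"?\s*[:=]\s*"?)(\d{3,4})', re.I)

def luhn_valid(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(digits):
    """Keep first six and last four digits (the PCI DSS display allowance); star the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scrub_line(line):
    """Return (sanitised line, number of redactions made)."""
    hits = 0
    def pan_repl(m):
        nonlocal hits
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)                    # not a card number: leave untouched
        hits += 1
        return mask_pan(digits)
    def cvv_repl(m):
        nonlocal hits
        hits += 1
        return m.group(1) + "***"
    line = PAN_CANDIDATE.sub(pan_repl, line)
    line = CVV_FIELD.sub(cvv_repl, line)
    return line, hits

def scrub_log(lines):
    """Sanitise every line; returns (clean lines, total redactions) so a CI check can fail on > 0."""
    cleaned, total = [], 0
    for raw in lines:
        clean, hits = scrub_line(raw)
        cleaned.append(clean)
        total += hits
    return cleaned, total

# Constructed sample log lines (not real data); 4111 1111 1111 1111 is a Luhn-valid test number.
SAMPLE_LOG = [
    "2024-01-05 12:00:01 INFO  create_subscription customer=cust_123 card=4111 1111 1111 1111",
    '2024-01-05 12:00:02 DEBUG request body: {"number":"4111111111111111","cvv":"123"}',
    "2024-01-05 12:00:03 INFO  order_ref=4111111111111112 status=ok",
]
```

A non-zero redaction count from scrub_log over your application's logs means card data reached a log path and the logging call, not just the log file, needs fixing.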

For any questions or clarifications please write to support@chargebee.com.

For Hosted Payment Pages with no API Integration:

'you are not collecting any card information directly and the liability lies with us'

where is this stated on the checkout page when the user submits their card details? As merchants, how do we know this is guaranteed?

PCI liability and compliance is between you, the merchant, and ChargeBee. It may not be required to indicate ChargeBee's compliance level to the merchant's end customers on the hosted checkout page.

If you do need to provide additional assurance to your customers that they're using a secure payment form, you could add a secure image by customizing the hosted pages. You can email us at support@chargebee.com for this.

Attached is a sample pre-filled SAQ-A document for ACME, Inc.

If you are viewing via MS Word, make sure you read it in print layout mode to see our comments.

Where is your PCI document? And when's it expire?

Hey Mike!

The information is present on Chargebee's security page right at the bottom. Here are the links: https://www.chargebee.com/security/pci/ & https://www.chargebee.com/static/resources/COC_Chargebee_2015-2016.pdf.


Any chance you could provide a sample pre-filled SAQ-A document for ACME, Inc. with the latest SAQ-A document? It has been changed since.

Hi Eoin

I'll check this with my Security team and get back to you.

We're working on this and should be able to update you by early next week.

Hi Eoin

I've converted your request to a ticket and I'll update you on it.

So, for the following integration method:

Hosted Payment Pages with minimal API Integration (Embedded hosted pages):

What would be the official SAQ level?

Hi Damien

As the checkout pages are still hosted by Chargebee, you'll only need to submit a Self-Assessment Questionnaire (SAQ - A) if you are using our embedded hosted pages.

Hi there, who should we submit SAQ-A to? Is the acquirer in this case Chargebee, or is it our payment gateway, or is it actually the bank that receives the funds being processed?

Hi Cheriel

The SAQ-A form is not requested by Chargebee but might be requested by the payment gateway as an assurance that you'd be using a PCI Compliant service. You need to submit the form to the gateway and would need to reach out to them in case you need assistance in filling it.

Hi Lakshmi,

Are you sure that SAQ-A is enough for "Hosted Payment Pages with minimal API Integration (Embedded hosted pages)"?

SAQ-A states this requirement: "All elements of all payment pages delivered to the consumer’s browser originate only and directly from a PCI DSS validated third-party service provider(s)."

With an iframe, most of the page would not come from Chargebee. So, it all depends whether by "payment pages" they mean the actual page displayed to the user or just the iframe contents. I would lean towards the former.

Please clarify based on your experience.
