PCI compliance requirements for merchants based on the integration method.

What is PCI?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially this is applicable for any merchant that has a Merchant ID (MID). [1]

The SAQ (Self-Assessment Questionnaire) includes a series of yes-or-no questions about your security practices. There are four types of SAQ- A, B, C and D. According to your sensitive data handling methods, you will be categorized under one of the same.

For merchants integrating with ChargeBee via the hosted pages, a self-declaration in the form of SAQ (Self-Assessment Questionnaire) is sufficient criteria to stay PCI compliant.

We strongly recommend that you go through the practices outlined in SAQ-A and complete the questionnaire.

While filling the SAQ-A, you should state that you will not be storing the card information and the information would be handled by a third party who is PCI compliant.

The mode of submission of the PCI compliance questionnaire depends on your payment gateway provider. Please check with them to know how they require you to validate your PCI DSS compliance status.

Click here, to read more on PCI compliance and to download the latest SAQ-A document

Let us take a look at the level of severity involved based on the integration mode.

•  Hosted Payment Pages with no API Integration:

If you will be using ChargeBee’s hosted pages for integration, it means that all the sensitive credit card information will be passed directly to the server of ChargeBee and will not be touching your server.

Although you are not collecting any card information directly and the liability lies with us, it is still recommended to have the SAQ-A questionnaire filled out.

•  Hosted Payment Pages with minimal API Integration (Embedded hosted pages):

This integration path allows you to embed the hosted page as an iFrame into your website; the information entered within the embedded iFrame will be directly submitted to the ChargeBee server and will not be touching your server. It is highly recommended that you use a HTTPS page with an SSL certificate installed to embed the iFrame.

In this method of integration, the PCI liability lies mostly with ChargeBee, but it is still highly recommended for you to be PCI self-certified.

•  Complete API Integration:

This gives you the flexibility to provide your customers with an in-app payment experience. However, you are responsible to ensure you do not store or log any of the credit card information on your site / app at any point of time. You will be submitting the credit card information via the ChargeBee API.

It is mandatory that you use a HTTPS page with an SSL certificate to collect all the sensitive credit card information and also be PCI self-certified.

For any questions or clarifications please write to support@chargebee.com.


Hello Alessandro, 

Thank you for writing in, I'll help clarify your question. 

As a merchant, when you are collecting Payment Information over the internet, you are required to adhere to the PCI regulations. The PCI regulations will apply to the page where the payment details are being captured. If you are using your own form you will need to ensure that your pages are compliant with the regulation. Or if you are using a service like Chargebee, we (or third parties like Chargebee) understand the hassle behind this and provide a PCI compliant page which you can integrate into your signup flow. 

This means, if you are using a chargebee checkout page to complete sign-ups, whether a full blow page of an iFrame, your pages do not need to be PCI compliant as the portion where the payment details are being captured is compliant and managed by us. 

So, as a merchant your exposure to PCI compliance is very minimal, all you will need to do is complete a SAQ-A and submit it to your gateway service provider. Some gateways ask for this SAQ-A form to be submitted once a year and some don't. It depends on the Payment Gateway chosen. You can download the latest copy of the SAQ-A form  PCI Security Standards Website.



Chargebee Solutions Team.

1 person likes this
Login or Signup to post a comment