In this article you will learn about:


What is the PCI DSS?


The Payment Card Industry Data Security Standard (PCI DSS) is a set of information security standards relating to card processing. They were first put into place in 2004, and are updated on a regular basis. Compliance with PCI DSS is mandatory for any organization that handles cards from any of the major card schemes. The standards are managed by the PCI Security Standards Council.



Is Paytabs PCI Certified?


PayTabs is PCI DSS Level 1 certified for processing card transactions, protecting your payment information and facilitating speedy and secure transactions.


At the bottom of every PayTabs payment page you will find the logo shown below. It helps instill trust between the consumer, our payment gateway and your website, so that consumers are comfortable providing their credit card details.

This is because card data is encrypted in transit using SSL or TLS 1.2, protecting the consumer's card data.


Why Does PayTabs Require PCI Certification?


The main aim of PCI DSS is to make payment processes safe and secure. Compliance with this standard is important to minimise the risk of a financial breach.


PCI requirements depend on the integration type. Merchants are required to hold their own PCI certificate, to ensure that their customers' data is safe, only if:
  • They obtain card details using their own form
    In this case, they must be PCI certified to at least SAQ D-Merchant level, because card details are handled by their systems. After receiving the card details from their payment page, they send a payment request using the transaction API, and must include the card details within that request.


  • They take card details using our managed form
    In this case, they must be PCI certified to at least SAQ A-EP level, because card details are not handled by their systems, although the payment page is displayed from their website. After receiving the payment token details from their payment page, they send a payment request using the transaction API, and must include the token details within that request.



Self-Assessment Questionnaire (SAQ)


Certification for merchant levels 2, 3, or 4 (basically any merchant processing up to 6 million transactions per year; see below for detailed level criteria) can be achieved using a Self-Assessment Questionnaire (SAQ). There are different types of SAQ; you will need to ensure you select the one that matches the way you wish to process cards.


SAQ A

  • Merchant website is entirely hosted and managed by a PCI-compliant, third-party payment processor, OR
  • Merchant website provides an iframe or URL that redirects a consumer to a PCI-compliant, third-party payment processor, where no elements of the page originate from the merchant website.


SAQ A-EP

  • Merchant website creates a payment form and “direct posts” payment data to PCI-compliant, third-party payment processor, OR
  • Merchant website provides an iframe or URL that redirects a consumer to a PCI-compliant, third-party payment processor, BUT some elements of the payment page originate from the merchant website. (Elements could be JavaScript, CSS or any other functionality that supports how the payment page is created.)



SAQ A-EP is the minimum requirement for using the managed form method.

SAQ D-Merchant

  • An e-commerce merchant that cannot meet the criteria for SAQ A or SAQ A-EP, OR
  • An e-commerce merchant that stores credit card data, OR
  • Payment pages are delivered from the merchant’s website.


SAQ D-Merchant is the minimum requirement for using the own form method.


Merchant Levels

The merchant level is based mainly on the number of card transactions processed per year.


Level 1

Merchant Criteria

  • Any merchant, regardless of acceptance channel, processing more than 6 million transactions per year.
  • Any merchant that has had a data breach or attack that resulted in any account data compromise.
  • Any merchant identified by any card association as Level 1.


Validation Requirements

  • Annual Report on Compliance (ROC) by Qualified Security Assessor (QSA) – also commonly known as a Level 1 onsite assessment.
  • Quarterly network scan by Approved Scan Vendor (ASV).
  • Attestation of Compliance.

Level 2

Merchant Criteria

  • 1 million to 6 million transactions annually (all channels).


Validation Requirements

  • Annual Self-Assessment Questionnaire (SAQ).
  • Quarterly network scan by Approved Scan Vendor (ASV).
  • Attestation of Compliance.

Level 3

Merchant Criteria

  • 20,000 to 1 million e-commerce transactions annually.


Validation Requirements

  • Annual Self-Assessment Questionnaire (SAQ).
  • Quarterly network scan by Approved Scan Vendor (ASV).
  • Attestation of Compliance.


Level 4

Merchant Criteria

  • Fewer than 20,000 e-commerce transactions annually, and all other merchants processing up to 1 million transactions annually.


Validation Requirements

  • Annual Self-Assessment Questionnaire (SAQ).
  • Quarterly network scan by Approved Scan Vendor (ASV).
  • Attestation of Compliance.