Use Transport Layer Security (TLS) for all payment pages, so that they use HTTPS.
Review and validate your PCI compliance once a year. Most merchants can do this with a Self-Assessment Questionnaire (SAQ), which is provided by the PCI Security Standards Council.
The type of SAQ you need to provide depends on your integration method. If you use:
Frames, Hosted Payments Page, Payment Links, or our Mobile SDKs, you need to provide SAQ A.
Our Full Card API with your own integration platform, you need to provide SAQ D.
Our Full Card API with a third-party service provider, contact your Account Manager.
If you are SAQ D PCI compliant and want to process full card payments, contact your Solution Engineer or [email protected].
If you change how you integrate with us, you may need to re-certify your PCI compliance. For example, if you reintegrate from Frames to our Full Card API, you'll have more access to cardholder data, so your requirements may change.
Merchants are organized under four levels of PCI compliance, based on their card transaction count over a 12-month period. Your PCI level and integration method will determine the compliance requirements you must meet.
Level 1 merchants are subject to more stringent requirements than merchants at levels 2 to 4. If you reach level 1 (more than 6 million transactions), we will identify this and contact you to make sure you can provide the relevant documentation and stay compliant.
Your PCI DSS certification needs to be reviewed and validated once a year.
Qualified Security Assessors (QSAs) are independent security individuals and organizations, approved by the PCI Security Standards Council, that validate an entity’s adherence to the PCI DSS. A QSA can help you choose the right SAQ for your business and support you through the process.
We’ve partnered with SecurityMetrics, a QSA company, to help our merchants with PCI compliance. After we approve your application, you'll receive an email explaining how to create your account with SecurityMetrics, if you choose to use them for PCI assistance.
SecurityMetrics is best equipped to answer specific questions about your scope of compliance. For the best way to contact SecurityMetrics, visit their website.
If you are already PCI compliant through another QSA, you can opt out of using SecurityMetrics' services. In that case, you'll need to provide us with valid certification that attests to your compliance.
When you complete your onboarding with us, we'll register you with SecurityMetrics so that you can start the PCI assessment. You'll need to provide us with the contact details of the person responsible for PCI compliance in your organization.
You will then receive an email from SecurityMetrics with instructions on how to sign in to their portal and begin the assessment process. You may also need to complete a regular vulnerability scan, to ensure that your website is secure.
Part of the enrollment process includes answering a brief set of questions that will help SecurityMetrics determine which SAQ you need to complete.
Select Sign Up and enter the email address associated with your Checkout.com account.
Verify your email address.
Sign in to the portal and complete the questionnaire about your credit card processing.
Once you've completed the questionnaire, select Activate and Continue.
Data security is extremely important to us. If you believe the security of your integration may have been compromised, or have any questions concerning your PCI obligations, contact us at [email protected].