Skip to content

PCI compliance

Last updated: 9th August 2022

What is PCI and why is it important?

Any organization involved with the processing, transmission, or storage of card data must comply with the Payment Card Industry Data Security Standards (PCI DSS).

Checkout Technology Ltd, a company within the Checkout.com group, is certified for PCI DSS as a Level 1 Service Provider, which is the highest standard set by the payment card industry to ensure that credit card data is processed, stored or transmitted in a secure environment.


Who is responsible for PCI DSS compliance?

PCI compliance is a shared responsibility between your business and Checkout.com. So, when accepting payments, it is essential that you do so in a PCI-compliant manner. The complexity of this depends on your integration methods, but the simplest way is never to see or access your customers' card data. Here are our tips:

  • Use one of our integration methods that allows you to accept payments without ever handling card data: Frames or our Mobile SDKs.

  • Use Transport Layer Security (TLS) for all payment pages, so that they use HTTPS.

  • Review and validate your PCI compliance once a year. Most can do this with a Self-Assessment (SAQ), which is provided by the PCI Security Standards Council.


What are the requirements?

There are four levels of PCI compliance that merchants are organized under, based upon their card transaction count over a 12-month period. The PCI level in combination with the integration method will determine the compliance requirements for each merchant. If you have any question concerning your PCI obligations please feel free to send an email to pci.operations@checkout.com..

PCI levelTransactions processed / yearKey requirements

1

  • More than 6 million Visa, MasterCard (combined with Maestro) or Discover transactions.
  • More than 2.5 million American Express transactions.
  • More than 1 million JCB transactions.
  • Any merchant who has had a data incident.
  • Any merchant identified as Level one by one of the schemes.

2

  • 1 to 6 million Visa, MasterCard (combined with Maestro) or Discover transactions.
  • 50,000 to 2.5 million American Express transactions.
  • Annual self-assessment using the applicable PCI DSS Self-Assessment Questionnaire (SAQ).
  • Quarterly network scan by an Approved Scan Vendor (ASV) where applicable.

3

  • 20,000 to 1 million Visa, MasterCard (combined with Maestro) or Discover transactions.
  • Less than 50,000 American Express transactions.

4

  • Less than 20,000 Visa e-commerce transactions and/or process up to 1 million transactions.
  • Every other merchant for MasterCard/Maestro, Diners and Discover, JCB.

What happens if my level changes?

If you reach Level 1 (more than 6 million transactions), we will identify this and contact you to make sure you can provide the relevant documentation and stay compliant.

What documentation do I need to provide to attest of my compliance level with PCI DSS requirements?

The PCI requirements for the different type of integration methods are as follows:

Integration methodDocuments required

Frames

Your SAQ A (which we will prepare for you).

Full card details API - using your own integration platform

Your SAQ D.

Full card details API with a third-party service provider

Please contact your Customer Success Manager.

Assisting you with PCI Compliance: Checkout.com and SecurityMetrics

PCI compliance may seem overwhelming, but there are resources to help. Qualified Security Assessors (QSAs) are independent security individuals and organizations that have been qualified by the PCI Security Standards Council to validate an entity’s adherence to the PCI DSS. A QSA can help you choose the right SAQ for your business and support you through the process.

We’ve partnered with SecurityMetrics, a QSA company, to offer PCI compliance assistance to our merchants. Once your application has been approved by Checkout.com, you'll receive an email explaining how to create your account with SecurityMetrics, if you choose to use them for PCI assistance.

SecurityMetrics is best equipped to answer specific questions about your scope of compliance. For the best way to contact SecurityMetrics, visit their website.

Enrolling with SecurityMetrics

To take advantage of SecurityMetrics’ services, you’ll need to wait to enroll until we email you with your Merchant Account Number. This value is not displayed in the Dashboard, so if you no longer have the email with this information, you’ll need to email support@checkout.com.

Part of the enrollment process includes answering a brief set of questions that will help SecurityMetrics determine which SAQ you need to complete.

To enroll:

  1. Navigate to the SecurityMetrics Checkout.com page
  2. Select Sign Up and enter the email address associated with your Checkout.com account
  3. Verify your email address
  4. Accept the Terms of Use
  5. Continue through the wizard and complete the questionnaire about your credit card processing

Data security is extremely important to us. If you believe the security of your integration may have been compromised, contact us and we'll assist you from there.