PCI compliance

Read about PCI compliance.

Card payments
This section is only relevant to the Card payment provider.

PCI compliance

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council.

PCI DSS provides a baseline of technical and operational requirements designed to protect account data. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

SAQ level

The PCI DSS self-assessment questionnaires (SAQs) are validation tools intended to assist merchants and service providers in reporting the results of their PCI DSS self-assessment.

SAQ A

SAQ A applies to card-not-present merchants (e-commerce or mail/telephone order) who have completely outsourced all cardholder data processing functions and have no electronic storage, processing, or transmission of cardholder data.

This is the default PCI level initially assigned to each merchant. If you use the heidelpayUI components, you never come into contact with credit card data, because the JavaScript components render an iFrame that is hosted by us.

With us, you are automatically PCI compliant - without any action on your part.

SAQ A-EP

This is one of the newer additions to the SAQ types and has been designed to apply to e-commerce merchants who partially outsource their payment processing to PCI DSS compliant service providers.

Usually, the merchant's website forwards the end customers to the landing page of a payment provider. This means that the web server itself does not store, process, or transmit card data.

However, the way in which a customer is routed to the payment provider and where the payment page components are served from determines whether SAQ A or A-EP is best suited. Many merchants who previously used SAQ A now fall under SAQ A-EP for validation.

In summary, if all elements of the payment form originate from the payment processor (e.g. a straight redirect or iFrame), then SAQ A can be used. For other methods such as direct post (browser API/silent order post), JavaScript-created forms, or if the website itself collects the payment data and sends it to the payment processor, SAQ A-EP should be used.

SAQ A-EP is also typically used if you have a mobile client that connects to Unzer using our mobile SDK for iOS or mobile SDK for Android.

SAQ D

SAQ D is the final SAQ and applies to any merchants who do not meet the criteria for the other SAQs, as well as to all service providers. SAQ D encompasses the full set of over 200 requirements and covers the entirety of the PCI DSS. If you are a service provider, this is the only SAQ you are eligible to complete. The only change from previous SAQ reporting is that there are now separate SAQ Ds and AOCs for merchants and service providers.

Because SAQ D is the default catch-all SAQ, there may still be parts of it that are not applicable to your environment. One example is the requirement that track data from the magnetic stripe is not stored; this is not relevant for card-not-present transactions. It is acceptable to mark these as 'Not Applicable' or 'N/A' with appropriate justification.
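The SAQ A versus SAQ A-EP criterion above (where the payment form elements originate) can be turned into a static self-check of a checkout page. The following is an added example, not Unzer code; the hostname processor.example, the card field-name list and the two sample pages are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example, not Unzer code. Card autofill tokens (WHATWG) plus a constructed name heuristic.
CARD_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-name"}
CARD_FIELD_NAMES = {"cardnumber", "card_number", "ccnumber", "cc_number", "pan",
                    "cvv", "cvc", "cvv2", "csc", "expiry", "exp_month", "exp_year"}


class CheckoutScanner(HTMLParser):
    """Collect card <input>s in the merchant's own DOM and the hosts of all <iframe>s."""

    def __init__(self):
        super().__init__()
        self.card_fields = []   # card inputs rendered by the merchant page itself
        self.iframe_hosts = []  # hostnames the embedded iframes are loaded from

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe" and a.get("src"):
            self.iframe_hosts.append(urlparse(a["src"]).hostname or "")
        elif tag == "input":
            name = (a.get("name") or a.get("id") or "").lower()
            if name in CARD_FIELD_NAMES or a.get("autocomplete", "").lower() in CARD_AUTOCOMPLETE:
                self.card_fields.append(name or a["autocomplete"])


def classify_checkout(html, processor_hosts):
    """Return (saq_level, reasons); processor_hosts are the hosts the processor serves iFrames from.
    Static scan only: forms built by JavaScript at runtime are not seen, so a 'SAQ A' result
    here is necessary, not sufficient."""
    s = CheckoutScanner()
    s.feed(html)
    if s.card_fields:  # the website itself collects card data: direct post / own form
        return "SAQ A-EP", [f"card fields in merchant page: {s.card_fields}"]
    hosted = [h for h in s.iframe_hosts if h in processor_hosts]
    reason = (f"card entry only inside processor iFrames: {hosted}" if hosted
              else "no card entry on this page (straight redirect assumed)")
    return "SAQ A", [reason]


# Constructed sample pages; processor.example is a placeholder hostname.
IFRAME_PAGE = """<form action="/checkout/confirm"><label>Card</label>
<iframe src="https://processor.example/card-number"></iframe>
<iframe src="https://processor.example/cvc"></iframe><button>Pay</button></form>"""
DIRECT_POST_PAGE = """<form method="post" action="https://processor.example/api/pay">
<input name="cardNumber" autocomplete="cc-number"><input name="cvv"><button>Pay</button></form>"""

if __name__ == "__main__":
    for page in (IFRAME_PAGE, DIRECT_POST_PAGE):
        print(classify_checkout(page, {"processor.example"}))
```

A clean result only confirms that the static HTML renders no card fields; pages that build the payment form with JavaScript still fall under SAQ A-EP and must be reviewed by hand.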

How to change the PCI level of your key pair

If you want to change the PCI level, please contact our support at support@unzer.com.

Please note that changing the PCI level is a process that can take several days.