PCI DSS Compliance Guide

PCI DSS compliance — simplified.

Paymentgate's hosted-fields architecture keeps raw card data off your servers entirely, which qualifies most merchants for SAQ A, the simplest compliance path. We do the heavy lifting so your team stays focused on product.

PCI DSS Level 1 Service Provider, the highest service-provider tier
Hosted fields = SAQ A (22 questions under v3.2.1, 31 under v4.0, instead of the 300+ of SAQ D)
Network tokenisation removes PANs from your environment
Attestation of Compliance (AoC) available on request
Certifications and controls at a glance:
PCI DSS Level 1 Service Provider
AES-256-GCM encryption at rest
Network tokenisation
ISO 27001 and SOC 2 Type II
24/7 SOC monitoring
Background

What Is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational security requirements maintained by the PCI Security Standards Council, founded by Visa, Mastercard, American Express, Discover, and JCB, and enforced through the card brands and acquiring banks. Any organisation that stores, processes, or transmits cardholder data must comply.

Non-compliance can result in fines of up to $100,000 per month per brand, elevated per-transaction fees, mandatory forensic investigations, and, in the worst case, revocation of card-acceptance rights. PCI DSS v4.0 is the current version: published in March 2022, it became the only active standard when v3.2.1 was retired on 31 March 2024, its future-dated requirements became mandatory on 31 March 2025, and a v4.0.1 revision was issued in June 2024. Among other changes it strengthens authentication (multi-factor authentication for all access to the CDE), adds targeted risk analysis, and introduces controls for scripts running on payment pages (Requirements 6.4.3 and 11.6.1).

Key insight — scope reduction

When you integrate via Paymentgate's hosted fields, card data flows directly from your customer's browser to our PCI-certified environment and never through your own servers. Your servers therefore sit outside the cardholder data environment (CDE), and you complete SAQ A (22 questions under v3.2.1, 31 in the v4.0 questionnaire) instead of the 300+ question SAQ D. The page that embeds the fields is still yours: SAQ A exists because that page can be altered to redirect or skim card data, so its questions cover how you protect it.

The 12 PCI DSS Requirements

1. Network Security Controls

Install and maintain firewalls and other network security controls protecting cardholder data

2. Secure Configurations

Apply secure configurations to all system components; change all vendor-supplied passwords and defaults

3. Protect Stored Account Data

Protect stored cardholder data at rest and minimise what is retained

4. Encryption in Transit

Protect cardholder data with strong cryptography when transmitted over open, public networks

5. Malware Protection

Protect all systems and networks from malicious software

6. Secure Systems and Software

Develop and maintain secure systems and software

7. Access Control

Restrict access to system components and cardholder data by business need-to-know

8. Identification and Authentication

Identify users and authenticate access to system components; every user gets a unique ID

9. Physical Access

Restrict physical access to cardholder data

10. Logging and Monitoring

Log and monitor all access to system components and cardholder data

11. Security Testing

Test the security of systems and networks regularly

12. InfoSec Policy

Support information security with organisational policies and programmes

Compliance Tiers

PCI DSS Levels by Transaction Volume

Your compliance requirements are set by your acquirer based on annual card transaction volume. Paymentgate's hosted fields reduce your obligations across every level.

Level | Annual transactions | Standard validation | With Paymentgate
Level 1 merchant | More than 6 million (per brand) | Annual on-site QSA assessment with Report on Compliance (RoC); quarterly ASV network scan | Hosted fields shrink the scope your QSA assesses; our AoC covers the third-party service-provider checks your acquirer requires
Level 2 | 1 million to 6 million (per brand) | Annual SAQ (self-assessment); quarterly ASV network scan | SAQ A: hosted fields keep your servers out of scope
Level 3 | 20,000 to 1 million e-commerce | Annual SAQ; quarterly ASV scan recommended | SAQ A: no raw card data touches your infrastructure
Level 4 | Fewer than 20,000 e-commerce | Annual SAQ and scans as required by your acquirer | SAQ A: fastest path to compliance for startups

Service providers have their own levels. Level 1 (more than 300,000 transactions a year) requires an annual QSA assessment and RoC; this is the tier Paymentgate is validated against.

* SAQ A eligibility requires card-not-present (e-commerce or mail/telephone order) acceptance only, with all payment processing outsourced to PCI DSS compliant third parties, no electronic storage, processing or transmission of cardholder data on your systems, and a payment page that either comes entirely from the third party or embeds its iframe. Confirm the final SAQ type with your acquiring bank.

Scope Reduction

How Paymentgate Shrinks Your Compliance Scope

Three integration patterns, so you can choose the one that best fits your checkout flow. The first two keep raw card data out of your environment; the third deliberately does not, and carries the full SAQ D burden.

SAQ A eligible

Hosted Fields

Individual card-number, CVV, and expiry fields are cross-origin <iframe> elements served directly from Paymentgate's certified domain. Your JavaScript cannot read field values; the browser's same-origin policy enforces this. What it does not stop is a compromised script on your own page overlaying, replacing or redirecting the frame, so the embedding page still needs a strict Content-Security-Policy and a script inventory (PCI DSS v4.0 Requirements 6.4.3 and 11.6.1).

  • Fully customisable styling via postMessage API
  • Works inside your existing checkout UI
  • Tokenises instantly — no card data ever in transit to you
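The merchant-page side of the flow above, as an added example that is not Paymentgate's SDK or documented API. It assumes the fields iframe is served from https://secure.paymentgate.com (the origin named in the FAQ), that after tokenisation the frame posts `{type: "paymentgate:token", token: "tok_..."}` to the parent with postMessage, and a token shape of `tok_` plus alphanumerics; the selector `iframe[data-paymentgate-fields]` and the `/api/checkout/charge` path are placeholders. The point is the three checks a parent page must make before it believes a message: origin, source frame, and message shape.

```javascript
// Added example (not Paymentgate's SDK): receiving a tokenisation result from a
// cross-origin hosted-fields iframe on the merchant's checkout page.
// Assumed: iframe origin, message type, token format, selector and charge path.

const HOSTED_FIELDS_ORIGIN = "https://secure.paymentgate.com"; // assumed origin
const TOKEN_PATTERN = /^tok_[A-Za-z0-9]{16,64}$/;               // assumed token shape

// Pure validation step: returns the token string or null. Anything that is not
// exactly a well-formed token message from the expected origin is dropped, so a
// hostile frame or an injected script cannot feed the page a forged result.
function acceptTokenMessage(event, expectedOrigin = HOSTED_FIELDS_ORIGIN) {
  if (event.origin !== expectedOrigin) return null;             // 1. exact origin match
  const data = event.data;
  if (!data || typeof data !== "object" || Array.isArray(data)) return null;
  if (data.type !== "paymentgate:token") return null;            // 2. message kind
  if (typeof data.token !== "string" || !TOKEN_PATTERN.test(data.token)) return null;
  // 3. Defence in depth: raw card fields are never expected on this channel.
  for (const k of ["pan", "card_number", "cvv", "cvc"]) if (k in data) return null;
  return data.token;
}

// Binds the check to one specific iframe element so another frame on the page
// (ads, chat widgets) cannot impersonate the fields frame. Returns an uninstaller.
function installTokenListener(win, iframeEl, onToken) {
  const handler = (event) => {
    if (event.source !== iframeEl.contentWindow) return;
    const token = acceptTokenMessage(event);
    if (token !== null) onToken(token);
  };
  win.addEventListener("message", handler);
  return () => win.removeEventListener("message", handler);
}

// Content-Security-Policy for the page that embeds the fields: only the hosted-
// fields origin may be framed or loaded as script besides your own. This is the
// control that stops a skimmer from swapping the frame for a look-alike form.
function checkoutPageCsp(selfOrigin = "'self'", fieldsOrigin = HOSTED_FIELDS_ORIGIN) {
  return [
    `default-src ${selfOrigin}`,
    `script-src ${selfOrigin} ${fieldsOrigin}`,
    `frame-src ${fieldsOrigin}`,
    `connect-src ${selfOrigin} ${fieldsOrigin}`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join("; ");
}

// Browser usage (skipped when the file is run under Node):
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const frame = document.querySelector("iframe[data-paymentgate-fields]"); // assumed selector
  if (frame) {
    installTokenListener(window, frame, (token) => {
      // Only the token leaves the page; your server exchanges it for a charge.
      fetch("/api/checkout/charge", {
        method: "POST",
        headers: { "Content-Type": "application/json" },
        body: JSON.stringify({ token }),
      });
    });
  }
}
```

The origin comparison is exact string equality, not `startsWith` or a regex, because `https://secure.paymentgate.com.evil.example` would pass a prefix check. The `event.source` comparison matters on pages that embed more than one frame: without it, any frame that knows the message format can deliver a token of its choosing.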
SAQ A eligible

Hosted Checkout Page

Redirect your customer to a fully hosted checkout page at checkout.paymentgate.com. After payment, we redirect back with a signed session token. Zero card data flows through your domain at any point. On return, verify the token's signature and expiry on your server, bind it to the checkout session you created for that order, and confirm the payment status by API before you fulfil; never trust the redirect parameters alone.

  • White-label branding (logo, colours, fonts)
  • Fastest integration — under 30 minutes
  • Mobile-optimised with Google Pay & Apple Pay
SAQ D applies

Direct API (Server-Side)

Post raw card data directly to our POST /v2/tokens endpoint from your server. This puts your servers in-scope for PCI, requiring SAQ D (300+ questions) or a QSA audit. Only recommended for platforms building their own PCI-certified environment.

  • Maximum control over payment UX
  • Native mobile app payment flows
  • Requires full SAQ D / QSA engagement
SAQ Comparison

Self-Assessment Questionnaire Types

The PCI Security Standards Council defines several SAQ types based on how you accept cards. Your integration method determines which applies.

Criteria | SAQ A | SAQ A-EP | SAQ D
Requirements count (v3.2.1; v4.0 counts differ, SAQ A has 31) | 22 | ~190 | 300+
Who it applies to | Card-not-present merchants using only a third-party hosted payment page or iframe. No card data on merchant servers or in merchant JavaScript. | E-commerce merchants whose checkout page is on their own domain and whose JavaScript sends card data directly to a third party. | All merchants not covered by SAQ A or SAQ A-EP, including direct API integrations and merchants storing PANs.
ASV scan | Not required under v3.2.1; check the v4.0 questionnaire and your acquirer | Required | Required
Penetration test | Not required | Annual | Annual and after significant changes
Paymentgate integration | Hosted Fields or Hosted Checkout Page | Custom JavaScript payment form on your domain loading Paymentgate.js | Direct API / server-side tokenisation
Our recommendation | Recommended | Advanced users | Platforms only
Compliance Roadmap

Your 5-Step Compliance Guide

Most Paymentgate merchants complete their initial PCI compliance in under two weeks. Here is the exact path.

Step 1 (Day 1 to 3): Choose Hosted Checkout

Integrate using Paymentgate's hosted fields or redirect checkout. Confirm with your developer that no card data passes through your servers, and that nothing on the checkout page logs request bodies.

Step 2 (Day 3 to 5): Request Our AoC

Email [email protected] to request our current-year Attestation of Compliance. Attach it to your SAQ as evidence of your service provider's validation.

Step 3 (Day 5 to 7): Complete SAQ A

Download the SAQ A form for the PCI DSS version your acquirer requires from the PCI SSC website. Answer its questions (22 under v3.2.1, 31 under v4.0) about your checkout page URL, HTTPS configuration, the scripts on the page, and your access controls. Most merchants complete this in under two hours.

Step 4 (Day 7 to 10): Run ASV Scan (if needed)

Under PCI DSS v3.2.1, SAQ A did not require an Approved Scanning Vendor (ASV) scan; the v4.0 questionnaire adds requirements, and some acquirers ask for scans regardless, so confirm what applies to you. If a scan is required, run it quarterly through a PCI SSC-approved vendor. Paymentgate can recommend partners.

Step 5 (Day 10 to 14): Submit and Maintain Annually

Submit your completed SAQ A and any scan results to your acquiring bank. Set a calendar reminder to repeat the process each year, and whenever you make significant changes to your checkout flow.
Need guidance? Talk to our compliance team.

Paymentgate's compliance engineers can walk you through every step, review your SAQ answers, and liaise directly with your acquirer. Enterprise plans include dedicated compliance support. Contact us →

Shared Responsibility

Who Owns What

PCI compliance is a partnership. Paymentgate's Shared Responsibility Model document clearly specifies which PCI controls we satisfy on your behalf and which remain your obligation.

Paymentgate Owns
We handle these PCI controls for you
  • Cardholder data environment (CDE) — network segmentation, firewalls, IDS/IPS
  • Encryption key management using HSMs (Hardware Security Modules)
  • AES-256-GCM encryption of all stored cardholder data
  • Annual QSA on-site audit and Report on Compliance (RoC)
  • Network tokenisation and PAN vault management
  • Application-layer security testing and vulnerability management
  • 24/7 SOC monitoring, SIEM alerting, and incident response
  • Physical data-centre security at all EU hosting locations
Merchant Owns
Your team's compliance obligations
  • Complete and submit SAQ A annually to your acquiring bank
  • Serve your checkout page over HTTPS with a valid TLS certificate
  • Protect Paymentgate secret API keys — rotate immediately if compromised
  • Protect the page that embeds the hosted fields: apply a strict Content-Security-Policy, inventory and monitor the scripts it loads, and never add a script that overlays, repositions or replaces the iframes (the same-origin policy already stops your code reading their contents)
  • Implement staff security awareness training (Requirement 12.6)
  • Do not log or cache any card data in application or server logs
  • Maintain an Acceptable Use Policy for systems handling payment data
  • Notify Paymentgate of any suspected breach within 24 hours
Download Shared Responsibility Model PDF
EU Data Residency

Your Data Stays in Europe

When EU data residency is enabled, all cardholder data, transaction records, and audit logs are stored and processed exclusively within the European Economic Area (EEA). Data never transits to US or APAC infrastructure.

Primary: Stockholm + Frankfurt
Primary nodes in Stockholm (AWS eu-north-1) and Frankfurt (AWS eu-central-1) with automatic geo-failover.
Disaster Recovery: Amsterdam
Cold standby in Amsterdam ensures RPO < 4 hours and RTO < 1 hour.
DPA Included in All Plans
A signed Data Processing Agreement satisfying GDPR Article 28 is provided automatically with your merchant agreement.
EU Data Residency — Feature Comparison
  • Transaction data stored in EEA: Included
  • Audit logs remain in EEA: Included
  • Cross-region replication to US/APAC: Disabled
  • GDPR Article 28 DPA: All plans
  • Right-to-erasure via API: Supported
  • Standard Contractual Clauses (SCCs): Included
FAQ

Frequently Asked Questions

Common PCI DSS and compliance questions from our merchants.

Do I still need to be PCI DSS compliant if I use Paymentgate?

Yes. PCI DSS applies to any merchant that accepts card payments, regardless of which payment processor you use. However, using Paymentgate's hosted fields dramatically reduces your compliance burden. Instead of the 300+ question SAQ D, you qualify for SAQ A (22 questions under v3.2.1, 31 under v4.0) because raw card data never enters your infrastructure. We handle the heavy compliance requirements on our end as a validated Level 1 Service Provider.

What is the difference between SAQ A and SAQ D?

SAQ A applies to card-not-present merchants who outsource all payment page functions to a PCI DSS compliant third party, such as Paymentgate's hosted fields or hosted checkout page. Card data never touches the merchant's servers or JavaScript. SAQ D (300+ requirements) applies to merchants who process, store, or transmit cardholder data themselves, for example by posting raw card numbers to their own server before a direct API call. SAQ D typically requires weeks of effort and may require a QSA engagement. SAQ A takes most merchants two to four hours to complete.

How do hosted fields keep card data off my servers?

Our hosted fields inject cross-origin <iframe> elements served directly from secure.paymentgate.com into your checkout page. The card number, CVV, and expiry date input fields live inside these iframes. The browser's same-origin policy prevents any JavaScript on your domain from reading the values. When the customer submits, our JavaScript tokenises the card data on our PCI-certified servers and returns a one-time, single-use token to your page, which your server can then use to create a charge via the API. Your page remains responsible for itself: a malicious script loaded into it could overlay or replace the frames, which is why SAQ A asks about the scripts on your checkout page and why a strict Content-Security-Policy there is worth the effort.

Can I get a copy of your Attestation of Compliance?

Yes. Our current-year PCI DSS Level 1 Attestation of Compliance (AoC), signed by our Qualified Security Assessor (QSA), is available upon request. Email [email protected] with your company name, merchant ID, and the reason for the request (for example an acquirer requirement or enterprise due diligence). We typically respond within two business days. The AoC confirms that Paymentgate's cardholder data environment has been assessed against PCI DSS v4.0 and found compliant.

What happens if Paymentgate suffers a breach?

In the event of a breach within Paymentgate's infrastructure, our incident response plan activates immediately: all affected merchants are notified within one hour, compromised tokens are rotated, and our 24/7 SOC leads the forensic investigation. Because merchants using hosted fields do not store, process, or transmit raw cardholder data themselves, their systems generally fall outside the forensic scope, which substantially limits their regulatory and contractual exposure. Card brand fines and investigation costs apply to the party in whose environment the breach occurred, which in this scenario is Paymentgate.

Is Paymentgate GDPR compliant, and do you provide a DPA?

Yes. A Data Processing Agreement (DPA) satisfying GDPR Article 28 is included with all Paymentgate plans at no extra charge. When EU data residency is enabled, all cardholder data and transaction records remain within EEA data centres in Stockholm, Frankfurt, and Amsterdam. We support the right to erasure (GDPR Article 17) via a dedicated API endpoint, provide full data-export tooling, and operate under the principle of data minimisation, retaining only what is legally required for fraud detection, chargeback management, and statutory audit purposes.

Compliance Documentation

Download official documents for your compliance programme and vendor due-diligence process.

PCI DSS AoC

Current-year Attestation of Compliance signed by our QSA. Required by many acquirers and enterprise procurement teams.

Request via Email

Shared Responsibility Model

Detailed PDF mapping each PCI DSS 4.0 requirement to either Paymentgate or the merchant, with implementation guidance.

Download PDF

Data Processing Agreement

GDPR Article 28 DPA pre-signed by Paymentgate AB, Stockholm. Immediately valid — no negotiation required for standard terms.

Download PDF

Achieve Compliance With Confidence

Join over 10,000 merchants across Europe who trust Paymentgate's PCI DSS Level 1 infrastructure. Start your integration today — be compliant before your first live transaction.
