PCI Data Security Standards

Overview

Highnote subscribers who access sensitive payment data from their own servers must be fully PCI compliant. Consider using the Highnote SDKs to reduce your PCI compliance requirements.

Payment Card Industry Data Security Standards, or PCI DSS, are designed to protect payment data throughout the payment lifecycle. How you process and access PCI data will determine your compliance requirements.

There are different levels of compliance (usually 4 for merchants and 2 for service providers). The PCI Security Standards Council (PCI SSC) develops and maintains the standards for each level, and each card network defines its own specific requirements based on those standards.

Compliance levels

All levels of PCI compliance require an Attestation of Compliance (AOC). Full PCI DSS compliance requires a Report on Compliance (ROC) and an AOC signed by a Qualified Security Assessor (QSA). Lower levels of compliance require a Self-Assessment Questionnaire (SAQ) and a self-signed AOC.

  • SAQ-A: Typically used for merchants who fully outsource all cardholder data functions to PCI DSS validated third-party service providers, and have no electronic storage, processing, or transmission of any cardholder data on their systems or premises.

  • SAQ-D: Typically used for merchants who don't qualify for any other SAQ and handle cardholder data themselves; or for service providers who handle their own cardholder data and may store it electronically.

Typical Merchant Compliance Levels

Level   | Transactions per year                                  | Requirements
Level 1 | 6 million                                              | Annual ROC + AOC signed by QSA, quarterly scans by ASV
Level 2 | 1-6 million                                            | Annual SAQ + self-signed AOC, quarterly scans by ASV
Level 3 | 20,000-1 million e-commerce                            | Annual SAQ + self-signed AOC, quarterly scans by ASV
Level 4 | Up to 20,000 e-commerce, or up to 1 million regular    | Annual SAQ + self-signed AOC, quarterly scans by ASV

Typical Service Provider Compliance Levels

Level   | Transactions per year | Requirements
Level 1 | 300,000               | Annual ROC + AOC signed by QSA, quarterly scans by ASV
Level 2 | Up to 300,000         | Annual SAQ-D + self-signed AOC, quarterly scans by ASV

Highnote SDKs

Highnote SDKs can significantly reduce your PCI compliance requirements.

Highnote SDKs enable you to handle payment data without having PCI-scoped data flowing through your systems.

Subscribers who are SAQ-A compliant and want to maintain that compliance should tokenize payment data with the Highnote Checkout SDK or the more customizable Secure Inputs SDK. Subscribers who are SAQ-D compliant and already store PCI data securely can bypass tokenization.

Issuing

Acquiring

Decision guide

When analyzing your compliance needs, start by asking the following:

Question 1: Will you handle sensitive cardholder payment data (possibly with the Highnote PaymentCardRestrictedDetails object) on your own servers?

  • If YES: Establish SAQ-D compliance at a minimum, or full Level 1 if you have high transaction processing volumes.
  • If NO: Use the Highnote SDKs to maintain your SAQ-A compliance (and continue to question 2).

Question 2: Will you customize your payment and card experience for customers?

  • If NO: Use the Highnote Checkout SDK (acquirers) or Card Viewer SDK (issuers) to maintain your SAQ-A compliance.
  • If YES: Use the Highnote Secure Inputs tokenization or PIN SDKs to maintain your SAQ-A compliance.

PCI Compliance Decision Tree

For Issuers

Solution                 | Purpose                                                                         | Compliance requirements                                           | Best for
Card Viewer SDK          | Embed a viewer solution to display sensitive card data in your UI through iframes | PCI data never crosses your server. Maintains PCI SAQ-A compliance. | Issuers wanting to display card details without handling PCI data
Secure Inputs SDK (PIN)  | Customize your UI so customers can securely input sensitive data                | PCI data never crosses your server. Maintains PCI SAQ-A compliance. | Issuers requiring a customized PIN management solution while maintaining SAQ-A compliance

For Acquirers

Solution                                   | Purpose                                                   | Compliance requirements                                                                                                                                                        | Best for
Checkout SDK (with tokenization)           | Embed a checkout solution to securely accept payment card details | PCI data never crosses your server. Maintains PCI SAQ-A compliance.                                                                                                    | Merchants wanting simple, compliant checkout with minimal integration effort
Secure Inputs SDK (Tokenization)           | Customize your UI to securely accept payment card details | PCI data never crosses your server. Maintains PCI SAQ-A compliance.                                                                                                            | Merchants requiring customized checkout while maintaining SAQ-A compliance
Direct API Integration (no tokenization)   | Server-to-server processing of card data                  | Requires SAQ-D compliance at minimum. May require full Level 1 PCI compliance with QSA assessment for high volumes. Your servers must securely store and handle PCI data. | Merchants already PCI SAQ-D compliant who want to bypass tokenization