Understanding PCI DSS compliance and secure payment integration

Payment Card Industry Data Security Standards (PCI DSS) is a set of technical and operational criteria designed to reduce the risk of fraud and data breaches in the payment ecosystem, applicable to any entity that accepts or processes payment cards.

Solidgate, a certified e-commerce PSP with PCI DSS Level 1, acts as a gateway services provider, managing all requests and issues related to merchant processing.

Solidgate offers two integration options:

  • Host-to-Host (H2H)
    Involves direct data transfer between systems, requiring the merchant to provide information about their certified AOC company and request quarterly ASV scans (requires SAQ-D/AOC + quarterly ASV).
  • Iframe
    Incorporates a payment form or e-commerce plugin into the merchant’s website, shifting the responsibility of card data collection and storage away from the merchant. Requires annual SAQ updates and quarterly ASV scans starting March 31, 2024, as per SAQ-A v.4.0 clause 11.3.2.
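The practical difference between the two models is what data the merchant's own systems ever touch. The following is an added example (not Solidgate code and not from this page) that contrasts a constructed H2H request, where the raw card number passes through the merchant backend, with a constructed iframe callback, where only a token and a status arrive. It also includes a small scope check, using a Luhn test to recognise card numbers, that a merchant can run over request payloads or log lines to confirm no PAN has leaked into systems that are supposed to be out of scope. All field names and sample values are hypothetical.

```python
# Added example (not Solidgate's code, not from the page): which data the merchant
# backend handles under the two integration models, and a scope check that flags
# card numbers (PANs) in anything the merchant receives or logs.
# Field names and sample payloads are hypothetical/constructed.
import re
from typing import Any

# Candidate card numbers are 13-19 consecutive digits once spaces/dashes are removed.
_PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for digit strings with a valid card check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(payload: Any) -> list[str]:
    """Recursively collect Luhn-valid 13-19 digit strings from dicts, lists and strings."""
    if isinstance(payload, dict):
        return [p for v in payload.values() for p in find_pans(v)]
    if isinstance(payload, (list, tuple)):
        return [p for v in payload for p in find_pans(v)]
    if isinstance(payload, str):
        normalised = payload.replace(" ", "").replace("-", "")
        return [m for m in _PAN_CANDIDATE.findall(normalised) if luhn_valid(m)]
    return []


def scope_report(model: str, payload: Any) -> dict:
    """Summarise whether cardholder data touched the merchant system for this payload."""
    pans = find_pans(payload)
    return {
        "model": model,
        "cardholder_data_present": bool(pans),
        # never echo a full PAN back out; keep first six and last four only
        "masked": [p[:6] + "*" * (len(p) - 10) + p[-4:] for p in pans],
    }


# Constructed sample: H2H sends the raw card from the merchant server to the PSP,
# so the merchant's systems are in full PCI DSS scope (SAQ-D territory).
H2H_REQUEST = {
    "order_id": "1234567890123456",      # 16 digits but fails Luhn: not a PAN
    "card": {"number": "4111 1111 1111 1111", "expiry": "12/29"},
    "amount": 1999,
}

# Constructed sample: with the hosted iframe the merchant backend only sees a
# token and a status; no PAN ever reaches it.
IFRAME_CALLBACK = {
    "order_id": "1234567890123456",
    "token": "tok_3f9a1c",
    "status": "approved",
}

# Constructed sample: a log line pulls the logging system into scope too
# if a PAN lands in it.
LOG_LINE = "2024-04-01 card submitted number=4111-1111-1111-1111 result=ok"

if __name__ == "__main__":
    for model, data in [("H2H", H2H_REQUEST), ("Iframe", IFRAME_CALLBACK), ("H2H log", LOG_LINE)]:
        print(scope_report(model, data))
```

Run periodically over request logs, webhook payloads and application logs, a check like this gives concrete evidence for the SAQ-A claim that card data never enters the merchant environment, and catches the common failure mode where a debug log or error handler quietly starts recording card numbers.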

PCI compliance levels

PCI DSS compliance is categorized into four levels based on annual transaction volume:

  • Level 1 merchants, with over 6 million Visa/Mastercard transactions, or 2.5 million American Express transactions, or a data breach, or card association designation, require an annual ROC and quarterly scans.
  • Level 2 merchants processing between 1 and 6 million transactions annually must complete a Self-Assessment Questionnaire (SAQ) and perform quarterly scans.
  • Level 3 merchants handling between 20,000 and 1 million e-commerce transactions annually need to fill out an SAQ and conduct quarterly scans.
  • Level 4 merchants with fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually are required to complete an SAQ.

Required documents by PCI Level:

Level 1 merchants are required to undergo a Report on Compliance (ROC) and perform quarterly external ASV scans.

For service providers, it’s also mandatory to carry out network segmentation tests at least every six months or following any significant changes to their network segmentation, in alignment with the PCI DSS requirement. This ensures continuous compliance and security of cardholder data across their network.

Level 2 merchants must either complete a Report on Compliance (ROC) or an appropriate Self-Assessment Questionnaire (SAQ), in addition to conducting quarterly external ASV scans.

The exact requirements may differ depending on the specific demands of the card brands involved. This process aims to maintain a robust security posture and ensure adherence to PCI DSS standards.

Merchants classified as Level 3 are required to complete an eligible Self-Assessment Questionnaire (SAQ) and also conduct quarterly external ASV scans.

This is to verify that their payment systems remain secure against vulnerabilities and comply with PCI DSS requirements, thus safeguarding cardholder data effectively.

Merchants classified as Level 4 are required to complete an eligible Self-Assessment Questionnaire A (SAQ-A).

From March 31, 2024, SAQ-A merchants must conduct quarterly external ASV scans according to PCI DSS v.4.0.

SAQ-A v.4.0

Key updates in SAQ-A v.4.0 include:

These updates aim to further secure payment processing by enhancing vulnerability management, access controls, and scanning protocols.