Understanding PCI compliance

Understand the impacts of PCI compliance on your integration and how to reduce your PCI scope.

What is PCI compliance?

PCI is short for PCI DSS, the Payment Card Industry Data Security Standard: a set of standards designed to ensure that credit card information is captured, retained, and transmitted securely.

In other words, it is a set of rules to reduce the risk of fraudsters, hackers, and thieves stealing sensitive card information. PCI compliance is mandated by the major card brands (Visa, Mastercard, American Express, etc.) and applies to all payment processors, service providers, and merchants.

📘 Additional reading:

Read our blog article "What is PCI compliance?" to learn more about this topic.

How can I reduce my PCI compliance scope and risk?

Reducing your PCI compliance scope and risk is as simple as integrating with HelcimPay.js to process online payments, or to verify and tokenize credit card details. Every payment processed through HelcimPay.js creates a cardToken that can then be used through our Payment API.

Integrators with the Helcim API cannot send full card numbers, expiry dates, or CVV numbers through the Payment API by default. The Payment API returns an error for any attempt to do so without approval. If your integration relies on processing with full card numbers, review the following documentation to learn more about this approval process.
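The rule above is easiest to keep when your own server refuses to forward raw card data in the first place. The following is an added example, not Helcim's code: a server-side guard that only lets a `cardToken` through to the Payment API and rejects any payload carrying full card details, whether identified by field name or by value shape (a Luhn-valid 13 to 19 digit string, or an MM/YY expiry). The endpoint URL, the `amount` and `currency` field names, and all sample inputs are constructed assumptions.

```javascript
// Added example (not Helcim's code). The Payment API URL and request field
// names below are assumptions; only `cardToken` comes from the documentation.
const PAYMENT_API_URL = 'https://api.example.invalid/v2/payment/purchase'; // placeholder

// Field names that indicate raw card data regardless of the value they hold.
const SENSITIVE_KEY = /card.?number|^pan$|expiry|expiration|cvv|cvc|security.?code/i;

// Luhn check: true for a digit string whose mod-10 checksum passes.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Walk the payload (nested objects included) and report where card data
// appears. Only the path and reason are recorded, never the value itself,
// so the findings can be logged without putting card data into your logs.
function findCardData(payload, path = '') {
  const findings = [];
  for (const [key, value] of Object.entries(payload)) {
    const where = path ? `${path}.${key}` : key;
    if (value !== null && typeof value === 'object') {
      findings.push(...findCardData(value, where));
      continue;
    }
    const text = String(value).trim();
    const digits = text.replace(/[\s-]/g, '');
    if (SENSITIVE_KEY.test(key)) {
      findings.push({ path: where, reason: 'field name indicates raw card data' });
    } else if (/^\d{13,19}$/.test(digits) && luhnValid(digits)) {
      findings.push({ path: where, reason: 'PAN-shaped value (Luhn check passes)' });
    } else if (/^(0[1-9]|1[0-2])\/(\d{2}|\d{4})$/.test(text)) {
      findings.push({ path: where, reason: 'card expiry-shaped value' });
    }
  }
  return findings;
}

// Build the outgoing Payment API request, or refuse with a list of findings.
// Refusing here means the raw card data never leaves your server at all.
function buildPaymentRequest(body) {
  const findings = findCardData(body);
  if (findings.length > 0) {
    return { ok: false, findings };
  }
  if (typeof body.cardToken !== 'string' || body.cardToken.length === 0) {
    return { ok: false, findings: [{ path: 'cardToken', reason: 'missing cardToken' }] };
  }
  return {
    ok: true,
    request: {
      url: PAYMENT_API_URL,
      method: 'POST',
      body: { amount: body.amount, currency: body.currency, cardToken: body.cardToken },
    },
  };
}

// Constructed sample inputs: one tokenized request, one carrying raw card data.
const tokenized = buildPaymentRequest({ amount: 25.0, currency: 'CAD', cardToken: 'tok_constructed_example' });
console.log('tokenized request accepted:', tokenized.ok);
const rawCard = buildPaymentRequest({
  amount: 25.0,
  currency: 'CAD',
  cardNumber: '4111 1111 1111 1111', // well-known test PAN, not a real card
  expiryDate: '12/29',
  cvv: '123',
});
console.log('raw card request accepted:', rawCard.ok, rawCard.findings);
```

The value-shape checks matter because card data rarely arrives under a tidy field name: a PAN typed into a "customer note" or "order reference" field is still a PAN, and once it reaches your server it is in scope. Run the guard as middleware in front of whatever code calls the Payment API, and alert on any finding, since a hit means a client is sending card data it should have tokenized through HelcimPay.js.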

How does PCI compliance impact my integration?

Helcim has a range of tools available to assist merchants with reducing their PCI scope and managing credit card data securely. How you integrate with the Helcim API and which solutions you use will ultimately determine what PCI compliance scope applies to your business.

Integrating with HelcimPay.js

Integrating with HelcimPay.js to process payments, or to verify and tokenize card details, provides the greatest reduction in PCI compliance scope available.

Because we render the payment modal in an iframe on your website, sensitive credit card details never touch your website or server. As a result, you only need to complete the annual PCI compliance SAQ-A questionnaire that pops up on your Helcim dashboard.

Integrating with Helcim.js

Integrating with Helcim.js to process payments, or to verify and tokenize card details, does not reduce PCI compliance scope as much as HelcimPay.js does.

Since this service uses HTML input fields, the customer's credit card details technically touch your website even though the JavaScript does not allow them to be submitted to your server. Because of this, you need to complete the PCI compliance SAQ A-EP questionnaire, which can be downloaded from the PCI Security Standards Council website.

You need to complete this annually and then upload your completed questionnaire into the Helcim system to remain PCI compliant. In your Helcim account, select All Tools, My Business, and then Security and Compliance to complete the upload for your PCI compliance process.

Integrating with the Payment API and full card numbers

The least reduction in scope comes when you need to process with full card details through the Payment API, which requires a PCI compliance SAQ-D questionnaire completed by a third-party auditor and approval by our CTO and cyber-security teams.

You, or the service provider managing your card data, need to complete this annually and then upload the completed questionnaire into the Helcim system to remain PCI compliant. In your Helcim account, select All Tools, My Business, and then Security and Compliance to complete the upload for your PCI compliance process.

How do I complete or renew my PCI compliance?

Helcim makes it easy to complete your PCI compliance: most businesses that use our payment tools or integrate with HelcimPay.js can complete a quick annual questionnaire in their Helcim account. Review the following support documentation if you would like to learn more about this process.