PCI Compliance

If you are involved in processing, transmission of, and/or storage of cardholder data, you must comply with the Payment Card Industry (PCI) Data Security Standard (DSS).

PCI compliance is a shared responsiblity of all parties involved, and applies to Upodi, to your payment service provider (PSP) and your business. When conducting credit card payments online, you must comply with PCI standards.


PCI Compliance Standards

CasePCI DSS Level and Compliance
If you use iframe or popup windows from your payment service provider (PSP).You should relay and complete on PCI DSS SAQ A.
If you embed forms into your website capturing cardholder data and submitting these via Javascript.You should relay and complete on PCI DSS SAQ A-EP.
If you save cardholder data to your server, submit these to a payment provider and store the token using Upodi.You should relay and complete on PCI DSS SAQ D.


More than 6 million transactions?

If you process more than 6 million transactions per year, you are not eligible to use a SAQ to prove PCI compliance. Payment brands require you to complete a Report on Compliance (RoC) to validate your PCI compliance annually.

Understanding the scope of compliance

Cardholder data is defined by PCI DSS as a combination of both the full magnetic stripe or Primary Account Number (PAN), plus any of the following: cardholder name, expiration date, and/or CVC.

If you transmit and provide tokens based on your own infrastructure, outside components of Upodi, you are immediately entitled to PCI A-EP.

Upodi stores the following data to be able to render invoices and provide context of transactions on the platform:

  • Cardholder name.
  • Expiration date.
  • Card verification code (CVC).
  • Truncated identification of the card.

Upodi captures, to the extent possible, the truncated identification of a card from any payment provider. A truncated identification removes several of the numbers in the PAN, typically be replacing the numbers with an X. Example: 123456XXXXXX1234. X represents removed data, not masked data. If you store all of the above including the PAN, you must comply with SAQ D as a minimum.

PCI Best Practices

  • Host any webpages receiving credit card information using SSL. Cardholder data should never be sent without SSL.
  • Never log any sensitive credit card data (full credit card number or verification value (CVV/CVC). Most web apps expose credit card data via their log files and not the database.
  • Never store any sensitive credit card data (full credit card number or verification value (CVV/CVC). You may store the first six and last four digits of the credit card number. If there's cardholder data you do not need, then we suggest not storing it (billing address, expiration date, number, etc.).
  • Protect your customers by keeping your site safe from cross-site scripting attacks.