If you are involved in processing, transmission, and/or storage of cardholder data, you must comply with the Payment Card Industry (PCI) Data Security Standard (DSS).
PCI compliance is a shared responsiblity of all parties involved, and applies to Upodi, to your payment service provider (PSP) and your business. When conducting credit card payments online, you must comply with PCI standards.
## PCI Compliance Standards
|Case||PCI DSS Level and Compliance|
|If you use iframe or popup windows from your payment service provider (PSP).||You should relay and complete on [PCI DSS SAQ A](🔗).|
|If you save cardholder data to your server, submit these to a payment provider and store the token using Upodi.||You should relay and complete on [PCI DSS SAQ D](🔗).|
More than 6 million transactions?
If you're processing more than 6 million transactions per year, you are not eligible to use a SAQ to prove PCI compliance. Payment brands require you to complete a [Report on Compliance](🔗) (RoC) to validate your PCI compliance annually.
## Understanding the scope of compliance
Cardholder data is defined by PCI DSS as a combination of _both_ the full magnetic stripe or Primary Account Number (PAN), plus any of the following cardholder name, expiration data, and/or CVC.
Upodi stores the following data to be able to render invoices and provide context of transactions on the platform:
Card verification code (CVC).
Truncated identification of the card.
Upodi captures, to the extent possible, the truncated identification of a card from any payment provider. A truncated identification is removing several of the numbers in the PAN (typically with an x), not masking these numbers example: 123456XXXXXX1234, whereby X represents removed data, not masked data. If you store all of the above including the PAN, you must comply with [SAQ D](🔗) as a minimum.
## PCI Best Practices
Host any webpages receiving credit card information **using SSL**. Cardholder data should never be sent without SSL.
Never **log** any sensitive credit card data (full credit card number or verification value (CVV/CVC). Most web apps expose credit card data via their log files and not the database.
Never **store** any sensitive credit card data (full credit card number or verification value (CVV/CVC). You may store the first six and last four digits of the credit card number. If there's cardholder data you do not need, then we suggest not storing it (billing address, expiration date, number, etc.).
Protect your customers by keeping your site safe from [cross-site scripting](🔗) attacks.