Do I have to be PCI compliant to use server to server integration

Follow


In all cases, PCI certification is taken care of by the merchant if they wish to get certified. Currently there is no enforcement in SA for merchants that are not Level 1 merchants. 

Now if you want / need to get certified for PCI then the complexity of the certification changes depending on your integration approach:

Using our Copy and Pay widget simplifies the process for you to a large extent and helps you qualify for SAQ-A which is a self-assessment questionnaire based approach to certification with a quarterly vulnerability scan. Basically in this approach you say that you have "outsourced" all sensitive data handling function to a certified third party.

Using the Server to Server API - will require you to comply with more of the elements of the PCI guidelines in case you wish to be certified. This can be more complicated in terms of securing your servers and potentially establishing specific data handling policies on your end even though you do not store card data. However there are a large number of merchants in SA that use this approach since most other PSPs dont really offer a JS widget based option as above (the alternative is to use a hosted payment page).

So overall we do recommend using the Copy and Pay approach if it is possible but it has its limitations in terms of UI and UX options since there are strict policies and services in place to comply with the SAQ-A process.

For Native apps - we offer native SDKs as well for iOS and Android which make the integration easier and also prevent card data from touching your server.

Have more questions? Submit a request

Comments

Powered by Zendesk