PCI (Payment Card Industry - https://www.pcisecuritystandards.org/) compliance ensures that customers' sensitive cardholder data is handled securely when entered on a merchant's website, app, or platform.
In all cases, PCI certification is the merchant's responsibility if they wish to become certified. If a merchant needs to get certified for PCI, the complexity of the certification depends on the integration approach:
Integration types where PCI certification is taken care of by Peach Payments (nothing is required from the merchant for certification):
- Using our Copy and Pay widget/integration - This simplifies the process for you to a large extent and helps you qualify for SAQ-A, a self-assessment questionnaire-based approach to certification combined with a quarterly vulnerability scan. In this approach, you attest that you have "outsourced" all sensitive data handling functions to a certified third party.
- Using our Mobile SDK for Native Apps - This simplifies the process in the same way and also helps you qualify for SAQ-A, the self-assessment questionnaire-based approach with a quarterly vulnerability scan, because all sensitive data handling functions are again "outsourced" to a certified third party.
Integration type where PCI certification is required from the merchant:
- Using the Server to Server API - This requires you to comply with more of the elements of the PCI guidelines if you wish to be certified. It can be more complicated in terms of securing your servers and potentially establishing specific data handling policies on your end, even though you do not store card data. However, a large number of merchants in SA use this approach, since most other PSPs do not offer a JS widget-based option like the one above (the alternative is to use a hosted payment page).
Overall, we recommend the Copy and Pay approach where possible, but it has limitations in terms of UI and UX options, since strict policies and services are in place to comply with the SAQ-A process.