Get started

Demystifying PCI compliance and its requirements

Last updated 8 months ago


In this chapter, we will look at the levels of PCI compliance and its key requirements, and see why obtaining PCI compliance is not as complex as it seems.

Businesses subject to PCI-DSS must demonstrate compliance with the standard every year, and PCI-DSS lays out two ways of doing so:

  1. Self-Assessment Questionnaire (SAQ): An audit or assessment that a business can complete itself, without an independent third-party Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA). The person responsible for the payment infrastructure fills out the SAQ. This is the stakeholder closest to your payment infrastructure, such as your DevOps Manager, Information Security Officer, or CTO.

  2. Report on Compliance (ROC): An independent third-party QSA or ISA certified by the PCI SSC performs the audit and shares the findings.

Hyperswitch's PCI Attestation of Compliance can be found in the Hyperswitch Dashboard under Settings -> Compliance.

Companies that fall into PCI DSS Levels 2-4 are only required to complete a Self-Assessment Questionnaire (SAQ) and submit it to their payment processor or acquirer. That is all!

Level of PCI compliance

Depending on the number of transactions your business processes, you could be subject to different levels of PCI compliance.

| Parameter | PCI Level 1 | PCI Level 2 | PCI Level 3 | PCI Level 4 |
| --- | --- | --- | --- | --- |
| Number of card transactions | Over 6 million | 1 million to 6 million | 20,000 to 1 million | Less than 20,000 |
| Compliance report | Report on Compliance (ROC) | Self Assessment Questionnaire (SAQ) | Self Assessment Questionnaire (SAQ) | Self Assessment Questionnaire (SAQ) |
| Assessment type | Independent QSA or ISA | Self assessment | Self assessment | Self assessment |
| Quarterly network scan by approved QSA | Applicable | Applicable | Applicable | Applicable |

About PCI Requirements and Controls

In general, PCI compliance is consolidated into 12 requirements and 224 controls.

| Requirement | Number of controls |
| --- | --- |
| Requirement 1: Install and maintain a firewall configuration to protect cardholder data | 20 |
| Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters | 12 |
| Requirement 3: Protect stored cardholder data | 20 |
| Requirement 4: Encrypt transmission of cardholder data across open, public networks | 4 |
| Requirement 5: Use and regularly update anti-virus software or programs | 6 |
| Requirement 6: Develop and maintain secure systems and applications | 28 |
| Requirement 7: Restrict access to cardholder data by business need to know | 8 |
| Requirement 8: Assign a unique ID to each person with computer access | 22 |
| Requirement 9: Restrict physical access to cardholder data | 22 |
| Requirement 10: Track and monitor all access to network resources and cardholder data | 28 |
| Requirement 11: Regularly test security systems and processes | 16 |
| Requirement 12: Maintain a policy that addresses information security for all personnel | 38 |
| Total | 224 |

Simplifying your PCI compliance

Self assess your business for PCI compliance

Requirement 9

Let's assume all your software systems are cloud native and do not depend on on-premise servers. In that case your staff cannot physically access any cardholder data, and your business is therefore exempt from Requirement 9.

That is one PCI requirement less for your business, and 22 controls automatically exempted.

Requirement 3

If you choose not to store cardholder data on your servers, you are exempt from Requirement 3.

That leaves you with 10 PCI requirements and 182 controls to comply with.

This is the reason behind our recommendation to install a simple setup without the card vault if your business processes less than 6 million card transactions.

If you are an online business processing less than 6 million card transactions a month, all that you will have to do is a self assessment of PCI compliance as per SAQ D.

Sources: Mastercard guidelines, Visa Guidelines, PCI SSC document library.

Next step: Completing the SAQ