Do I need to be PCI compliant?

Anyone involved in the processing, transmission or storage of credit card data must comply with the Payment Card Industry Data Security Standards (PCI DSS). The latest version of these standards, PCI DSS 3.0, adds new requirements for partners that vary based on how their application integrates with WePay. All WePay partners, including those using Embedded Checkout, need to be compliant. Here’s how to do so:


Checkout through WePay’s Embedded Checkout

Partners using Embedded Checkout will generally be required to fill out the SAQ-A, which is the simplest of the Self-Assessment Questionnaires. This is because all of the credit card data is managed on WePay-served iFrames.


Tokenization through WePay’s Custom Checkout

You are using tokenization if you collect credit card data on a webpage you serve, then use WePay’s JavaScript library to send the field values directly to WePay. Partners doing tokenization with Custom Checkout will generally be required to fill out the newly introduced and longer SAQ-EP and perform quarterly scans. This is because the PCI Council believes that attacks on custom UX integrations can be much harder for users to notice than a compromise involving iFrames, and can therefore impact many more people.


For more information, visit:

