Anyone involved in processing, transmitting, or storing credit card data must comply with the Payment Card Industry Data Security Standard (PCI DSS). All WePay partners, including those using Embedded Checkout, need to be compliant. Here is a general guideline on how to ensure compliance:
Embedded Checkout
Partners using Embedded Checkout will generally be required to fill out the SAQ A, which is the simplest of the Self-Assessment Questionnaires. Since all of the credit card data is handled inside WePay-served iframes rather than on your own server, only the lowest level of PCI compliance is required.
Custom Checkout - Tokenization
Partners doing tokenization with Custom Checkout will generally be required to fill out the SAQ A-EP and perform quarterly scans. This is because the PCI Council considers attacks on custom checkout integrations much harder for users to notice than a compromise of an iframe-based flow, so a single breach can affect many more people.
All PCI Compliance paperwork should be kept for your own records and for use in audits. While these are general guidelines, you are responsible for maintaining PCI Compliance. For more information, visit: