Security and Compliance

PaySimple takes security very seriously to ensure the protection of your organization’s and your clients’ sensitive information. PaySimple is a Level 1 PCI DSS certified service provider and encrypts account information once it is submitted. To extend this level of security, the PaySimple APIs only accept communications over HTTPS (SSL/TLS) and only accept authorized requests.

NOTE
As of June 30, 2018, PaySimple only supports TLS 1.2 and above.

Reducing PCI Scope

Embedding PaySimpleJS into your website to handle all credit card processing significantly reduces PCI scope by enabling you to process credit card transactions without storing, processing, or transmitting cardholder data in your environments.

It works by creating an iFrame on your website that points to our PCI-compliant environment which allows your users to enter their cardholder data in a secure way. PaySimpleJS provides an API that allows you to communicate with the iFrame so that you can control when to vault the cardholder data and what to do with the Checkout Token that is returned.

Cardholder Data Tokenization

PaySimple uses a two-step process to accept a card payment, with client-side and server-side actions:

From your web application running in a user’s browser (the Checkout Page), PaySimple securely collects payment information and returns a representative Checkout Token. This is accomplished via PaySimpleJS. This token, along with any other form data you wish to include, is then submitted by the browser to your server.

Using the token, your server-side code makes a request to the PaySimple API to create a charge and complete the payment. Tokenization ensures that no cardholder data ever touches your servers.

NOTE
You can also create your own form that submits payment information to your merchant server, which then passes it through to the PaySimple API, but this increases your PCI burden as noted below.
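The server-side half of the two-step flow above, together with the TLS 1.2 requirement noted earlier, as an added example that is not PaySimple's own code: the merchant server accepts the Checkout Token, refuses any submitted field that looks like a primary account number (so cardholder data never lands in your environment), and prepares the API call with a client context pinned to TLS 1.2 or later. The endpoint URL and the request field names are hypothetical placeholders, not PaySimple's documented API.

```python
import re
import ssl

# Placeholder endpoint and field names (assumption): consult the PaySimple API
# docs for the real charge endpoint and its request body.
CHARGE_ENDPOINT = "https://api.example.invalid/charge"

# 13-19 digits, optionally separated by spaces or hyphens (typical PAN shapes).
PAN_RE = re.compile(r"(?:\d[ -]?){13,19}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers such as 4111111111111111."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True if the value contains a 13-19 digit run that passes the Luhn check."""
    for m in PAN_RE.finditer(value):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


def build_charge_request(form: dict, amount_cents: int) -> dict:
    """Server-side step: forward only the Checkout Token, never cardholder data."""
    token = form.get("checkoutToken")
    if not token:
        raise ValueError("missing Checkout Token")
    for name, value in form.items():
        # A PAN reaching this server would pull it into PCI scope (SAQ-D territory),
        # so the request is rejected rather than forwarded or logged.
        if looks_like_pan(str(value)):
            raise ValueError(f"field {name!r} contains card-like data; refusing")
    return {"url": CHARGE_ENDPOINT, "json": {"token": token, "amount": amount_cents}}


def tls12_context() -> ssl.SSLContext:
    """Client TLS context for the API call: TLS 1.2 minimum, certificate-verified."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```

Pass the context returned by `tls12_context()` to whichever HTTPS client you use for the call described by `build_charge_request()`.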

PCI Compliance

As a merchant who accepts credit and debit card payments you are responsible for securely storing, processing, and transmitting cardholder data. Part of this responsibility includes certifying PCI Compliance annually. To certify compliance, most merchants (except extremely large ones) must complete a Self-Assessment Questionnaire (SAQ) and provide an Attestation of Compliance (AOC).

The size of your business, the number and type of transactions you complete each year, and the methods you use to process transactions determine the level of compliance you must maintain and the complexity of the SAQ you must complete. One way to minimize the PCI Certification requirements that your company must address is to outsource all of your payment processing to a PCI Certified third party such as PaySimple so that your company systems are not utilized to store, process, or transmit cardholder data.

Utilizing PaySimpleJS as part of your website checkout flow allows your customers to enter their credit card information in an iFrame hosted and secured by PaySimple. This gives you the ability to fully control the look, feel, and customer experience on your own website, while also limiting the components in your environment that are in scope for PCI Compliance to the web servers that host the pages on which the iFrames are implemented.

If all of your credit card processing is done utilizing PaySimpleJS, and you process fewer than 20,000 transactions per year, you will qualify to complete the relatively short and simple SAQ-A to certify your company’s PCI compliance. As part of the SAQ-A, you should identify PaySimple as the PCI Compliant third party to which you outsource all of your payment processing. You will also need to complete quarterly ASV scans on the web servers hosting all pages that contain PaySimpleJS iFrames. Review the SAQ-A for detailed information about the elements of your environment that are in scope and the specific PCI compliance requirements for them.

If you also process transactions in other ways (such as swipe transactions using a PaySimple Mobile App), you may have different PCI requirements. Merchants who use their own servers to capture and transmit payment information have a significantly higher burden for PCI Compliance and must complete the complicated and lengthy SAQ-D.

NOTE FOR SERVICE PROVIDERS
If you are a service provider utilizing PaySimpleJS/iFrames to implement payment processing in your environments, you will need to complete a SAQ-D Service Provider in order to certify to your merchants that the payment processing pages you provide to them meet PCI Compliance requirements. Only sections in the SAQ-D Service Provider that are in scope for the merchant’s SAQ-A will apply to you. Please contact PaySimple Partner Support for more information about this new PCI 4.0 requirement.

PCI Compliance is a complex subject. A great resource for learning more is the PCI Security Standards Council website. The Payment Protection Resources for Small Merchants section is a great place to start.

Remember that PaySimple’s Terms and Acceptable Use Policy make you responsible for ensuring your company’s PCI Compliance.