PaySimple takes security very seriously to ensure the protection of your organization’s and your clients’ sensitive information. PaySimple is a [Level 1 PCI DSS certified service provider](🔗) and encrypts account information once submitted. To extend this level of security, the PaySimple APIs only allow communications over [HTTPS, utilizing SSL/TLS](🔗), and only allows authorized requests.
**As of June 30 2018, PaySimple only supports TLS 1.2 and above.**
## Reducing PCI Scope
Embedding [PMT Library](🔗) into your website to handle all credit card processing keeps your website out of PCI scope.
It works by creating an iFrame on your website that points to our PCI-compliant environment which allows your users to enter their cardholder data in a secure way. PMT provides an API that allows you to communicate with the iFrame so that you can control when to vault the cardholder data and what to do with the Payment Method Token that is returned.
## Cardholder Data Tokenization
**PaySimple uses a two-step process to accept a card payment, with client-side and server-side actions:**
From your web application running in a user’s browser, PaySimple securely collects payment information and returns a representative Payment Method Token. This is accomplished via PMT. This token, along with any other form data you wish to include, is then submitted by the browser to your Server.
Using the token, your server-side code makes a request to the PaySimple Payments API to create a charge and complete the payment. Tokenization ensures that no cardholder data ever touches your servers, which keeps these servers out of scope for PCI compliance.
You can also create your own form that submits payment information to your server, which then passes it through to the PaySimple API, but this increases your PCI burden as noted below.
## PCI Compliance
As a merchant who accepts credit and debit card payments you are responsible for securely storing, processing, and transmitting cardholder data. Part of this responsibility includes certifying PCI Compliance annually. To certify compliance, most merchants (except extremely large ones) must complete a Self-Assessment Questionnaire (SAQ) and provide an Attestation of Compliance (AOC).
The size of your business, the number and type of transactions you complete each year, and the methods you use to process transactions determine the level of compliance you must maintain and the complexity of the SAQ you must complete. One way to minimize the PCI Certification requirements that your company must address is to outsource all of your payment processing to a PCI Certified third party such as PaySimple so that your company systems are not utilized to store, process, or transmit cardholder data.
Utilizing PMT as part of your website checkout flow allows your customers to enter their credit card information in an iFrame hosted and secured by PaySimple. This gives you the ability to fully control the look, feel, and customer experience on your own website, while also keeping your systems out of scope for PCI Compliance. To learn more about how third party iFrames can be used to minimize PCI scope, read the [PCI DSS Information Supplement: Best Practices for Securing E-commerce](🔗).
If all of your credit card processing is done utilizing PMT, and you process fewer than 20,000 transactions per year, you will qualify to complete the relatively short and simple SAQ-A to certify your company’s PCI compliance. As part of the [SAQ-A](🔗), you should identify PaySimple as the PCI Compliant third party to which you outsource all of your payment processing.
If you also process transactions in other ways (such as swipe transactions using a PaySimple Mobile App), you may have different PCI requirements. Merchants who use their own servers to capture and transmit payment information have a significantly higher burden for PCI Compliance and must complete the complicated and lengthy [SAQ-D](🔗).
PCI Compliance is a complex subject. A great resource for learning more is the [PCI Security Standards Council website](🔗). The [Payment Protection Resources for Small Merchants](🔗) section is a great place to start.
Remember that PaySimple’s [Terms](🔗) and [Acceptable Use Policy](🔗) make you responsible for ensuring your company’s PCI Compliance.