PCI-DSS compliance

Ensure PCI-DSS compliance effortlessly with Recurly. Prioritizing top-notch security with PCI-DSS Level 1 standards, we offer flexible solutions like hosted payment pages, Recurly.js, and API integrations, streamlining your business's path to safeguarding credit card transactions and consumer data.


Required plan

This feature or setting is available to all customers on any Recurly subscription plan.


PCI-DSS provides a security framework to protect credit card transactions and consumer data. Complying with this standard is mandatory for any business that handles payment card information.

Key benefits

  • Simplified compliance process: With Recurly, PCI-DSS compliance is straightforward. Use our hosted payment pages or Recurly.js to accept credit card payments securely and meet compliance requirements with ease.
  • Enhanced security: We prioritize security. With our PCI-DSS Level 1 compliance, we meet and exceed industry-standard payment security practices, providing you with a safe environment for your transactions.
  • Flexible solutions: Whether you opt for our hosted payment pages, use the Recurly.js library, or use our API, we offer solutions tailored to your business's needs, facilitating your path to PCI-DSS compliance.

Key details

PCI compliance for merchants

If you accept online credit card payment, you must ensure your business operations are PCI-DSS compliant. If you are using Recurly.js V4 or later, or Recurly Hosted Payment Pages, it is recommended that you complete Self-Assessment Questionnaire A (SAQ-A). If card data passes through your servers, Self-Assessment Questionnaires C or D (SAQ-C, SAQ-D) are recommended.

Note: Please note that the above recommendations are intended as a general guide, and may not apply to all specific business circumstances. The exact Self-Assessment Questionnaire (SAQ) that you will need to fill out is dependent on the specifics of your business operations and the requirements of your merchant bank. For a definitive determination, we strongly recommend consulting directly with your merchant bank or a qualified PCI-DSS assessor.

Hosted payment pages

This feature offers merchants the ability to accept subscriptions while reducing their PCI compliance scope. Since customers' cardholder data is sent directly to Recurly and never passes through the merchant's environment, this qualifies merchants for the simplest PCI compliance level - SAQ-A.


This is Recurly's open-source Javascript library designed to create secure, customizable order forms. Using Recurly.js ensures that cardholder data goes directly from the customer's browser to Recurly, without passing through your servers, which limits your PCI scope.


Merchants using Recurly's API to submit cardholder data qualify for the SAQ C questionnaire. This applies when cardholder data passes through your hosting environment, which places your systems within the PCI compliance scope.

PCI Compliance Best Practices

Ensuring secure transactions isn't just about compliance with industry standards; it's about the responsibility towards your customers and their sensitive data. When it comes to PCI-DSS compliance, here are some best practices that every merchant should follow:

  1. Secure transmission: Always host web pages that receive credit card information over TLS (Transport Layer Security). This provides a secure channel for data transmission, ensuring that cardholder data is not exposed during transmission. It's important to note that not your entire application needs to be served over TLS - only the pages that handle credit card data.
  2. Don't log sensitive data: Avoid logging any sensitive credit card data, including the full credit card number or the verification value (CVV/CVC). Many web applications inadvertently expose credit card data through their log files rather than the database.
  3. Don't store unnecessary data: Never store sensitive credit card data such as the full credit card number or the verification value (CVV/CVC). While you are permitted to store the first six and last four digits of the credit card number, any unnecessary cardholder data (like billing address, expiration date, etc.) should not be stored if it's not required.
  4. Guard against cross-site scripting attacks: Protecting your customers also means keeping your site safe from cross-site scripting (XSS) attacks. XSS attacks inject malicious scripts into trusted websites and can be used by attackers to bypass access controls or defraud your users.

By following these best practices, you're not only complying with PCI-DSS standards but also creating a secure environment that builds trust with your customers. Remember that compliance is not a one-time activity, but a continuous effort to protect your customers' data.


Q: Where can I find more information about PCI-DSS Compliance?

A: For a detailed guide, you can visit the PCI Security Standards site. The Understanding SAQs for PCI DSS v3 Guide available on the site can be particularly helpful.

Q: What is Recurly's PCI-DSS compliance level?

A: Recurly is PCI-DSS Level 1 compliant as a merchant service provider. Security is a top priority for Recurly, and we strive to meet and exceed all industry-standard payment security practices to protect our customers

Q: Can Recurly provide qualified security assessment (QSA)?

A: Although Recurly is PCI-DSS Level 1 compliant, we are not a qualified security assessor (QSA). The information we provide is intended to be helpful but comes without warranty. If you have specific questions about PCI Compliance, we recommend contacting a QSA.

Q: How does Recurly help with PCI Compliance?

A: Recurly assists with PCI compliance by providing secure processing methods like Recurly.js, API, and hosted payment pages. This ensures that sensitive cardholder data never passes through your servers, thus reducing your PCI scope. Remember that your merchant bank account provider will require you to be PCI compliant, regardless of the integration method you choose with Recurly.

Q: How can I ensure the best practices for PCI Compliance on my site?

A: To adhere to PCI Compliance best practices, you should host any webpages receiving credit card information on TLS, never log or store any sensitive credit card data, and protect your site from cross-site scripting attacks. These steps help to create a more secure environment for transactions and limit the risk of data breaches.