
# PCI-DSS Compliance

The [Payment Card Industry Data Security Standard](https://www.pcisecuritystandards.org) (PCI-DSS) provides a framework for developing a robust security process for credit card transactions. Any merchant or merchant service provider accepting, transmitting, and/or storing cardholder data must be PCI compliant. Recurly is [PCI-DSS Level 1 compliant](http://www.visa.com/splisting/searchGrsp.do?companyNameCriteria=recurly) as a merchant service provider. [Security](http://recurly.com/security) is a top priority for Recurly. To that end, we meet and exceed all industry-standard payment security practices to protect you and your customers.

## PCI Compliance for Merchants

A merchant must always be PCI compliant if they accept credit card payments online (even if the card is entered on another site). If using HPP or Recurly.js (v4), Recurly's recommendation is to complete SAQ A. If you are using Recurly.js (any version earlier than v4) or Transparent Post, Recurly's recommendation is to complete SAQ A-EP. If card data passes through a merchant's servers, Recurly recommends SAQ C or D. A merchant's bank will have the ultimate say on PCI compliance documentation and assessment requirements.

### Hosted Payment Pages

Using our [hosted payment pages](/hosted-payment-pages.html) is the easiest way to start accepting subscriptions and reduce your PCI compliance scope. When you use Recurly's hosted payment pages, your customers' sensitive cardholder data is sent directly to Recurly. Their cardholder data never passes through your environment. As a merchant, this qualifies you for the simplest PCI compliance level.

Merchants using Recurly's hosted payment pages qualify for the shortened [PCI DSS Self-Assessment Questionnaire A](https://www.pcisecuritystandards.org/documents/SAQ_A_v3.docx).

### Recurly.js

[Recurly.js](http://js.recurly.com) is our open-source JavaScript library that gives you great-looking credit card forms to securely create subscriptions, one-time transactions, and update billing information for your customers. The order forms are designed to be fully customized and hosted on your own servers. Like Transparent Post, the cardholder data passes directly from the customer's browser to Recurly. Because the cardholder data does not pass through your servers, your PCI scope is limited.

Merchants using Recurly.js (v4) should be eligible to complete the shortened [PCI DSS Self-Assessment Questionnaire A](https://www.pcisecuritystandards.org/documents/SAQ_A_v3.docx).

Please note, your merchant bank account provider will still require you to be PCI compliant when using Recurly.js. This means using best practices to secure your servers and payment pages from being compromised with cross-site scripting on your payment page.

**Regardless of your Recurly integration, your merchant bank account provider will still require you to be PCI compliant, so please be aware of the following updates to PCI DSS:**

*The new version of PCI DSS, version 3.1, clarifies many compliance issues and introduces SAQ type A-EP. SAQ A may be completed by merchants linking to third-party payment pages (e.g. Recurly's Hosted Payment Pages) and SAQ A-EP may be completed by merchants hosting their payment page while using Recurly.js (v4) to secure the billing details. If merchants are hosting their payment page and using an earlier version of Recurly.js (v3 or earlier) to secure the billing details, they should complete SAQ A-EP. Please see [Understanding the SAQs for PCI v3](https://www.pcisecuritystandards.org/documents/Understanding_SAQs_PCI_DSS_v3.pdf) (pages 4 and 5) for more information.*

### Transparent Post

Recurly's [Transparent Post API](/docs/transparent-post) allows you to host your own payment pages with a limited PCI compliance scope. The Transparent Post API submits the sensitive cardholder data directly to Recurly from your customer's browser. Since the sensitive cardholder data never passes through your environment, you qualify for the simplest PCI compliance level. Using Recurly's Transparent Post API has the same complexity as Recurly's API.

Please note, your merchant bank account provider will still require you to be PCI compliant when using our Transparent Post API. This means using best practices to secure your servers and payment pages from being redirected to another server or compromised with cross-site scripting on your payment page. As long as your payment pages submit directly to Recurly, your network PCI scope will be dramatically limited when compared to using the API only.

Merchants using Recurly's Transparent Post qualify for the shortened [PCI DSS Self-Assessment Questionnaire A-EP](https://www.pcisecuritystandards.org/documents/SAQ_A-EP_v3.docx).

**Regardless of your Recurly integration, your merchant bank account provider will still require you to be PCI compliant, so please be aware of the following updates to PCI DSS:**

*The new version of PCI DSS, version 3.1, clarifies many compliance issues and introduces SAQ type A-EP. It will serve as a replacement for SAQ type A, the preferred SAQ for a merchant that uses Recurly's Transparent Post.*

### API

Merchants using Recurly's API to submit cardholder data qualify for the SAQ C questionnaire. When cardholder data passes through your hosting environment, even though you are not storing it, your systems fall within PCI compliance scope. Your merchant bank account provider will require you to complete the [PCI DSS Self-Assessment Questionnaire C](https://www.pcisecuritystandards.org/documents/SAQ_C_v3.docx).

## PCI Best Practices

* Host any web pages receiving credit card information on **SSL**. Cardholder data should never be sent without SSL. Please note, your entire app does not have to be served via SSL. The credit card pages are the only pages required to be transmitted via SSL.

* Never **log** any sensitive credit card data (full credit card number or verification value (CVV/CVC)). Most web apps expose credit card data via their log files and not the database.

* Never **store** any sensitive credit card data (full credit card number or verification value (CVV/CVC)). You may store the first six and last four digits of the credit card number. If there is cardholder data you do not need, then we suggest not storing it (billing address, expiration date, number, etc.).

* Protect your customers by keeping your site safe from [cross-site scripting](https://www.owasp.org/index.php/Cross_site_scripting) attacks.

## Additional Notes

For more information, please see the [PCI Security Standards](https://www.pcisecuritystandards.org) site. Specifically, the [Understanding SAQs for PCI DSS v3 Guide](https://www.pcisecuritystandards.org/documents/Understanding_SAQs_PCI_DSS_v3.pdf) is very useful.

Please note: Recurly is PCI-DSS Level 1 compliant as a merchant service provider. We are not a qualified security assessor (QSA). The above information comes without warranty. If you have questions about PCI Compliance, we recommend contacting a [QSA](https://www.pcisecuritystandards.org/approved_companies_providers/qsa_companies.php).
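The "never log" and "first six and last four" guidance in the best practices above, as an added example that is not Recurly's code: a log-line scrubber that masks Luhn-valid card numbers down to the first six and last four digits and redacts CVV/CVC values before a line reaches the log file. The field names and the sample log line are constructed for this example.

```javascript
// Added example (not part of Recurly's documentation or libraries).
// Scrub cardholder data from a log line before it is written: keep only the
// first six and last four digits of a PAN and drop CVV/CVC values entirely.

// Luhn check, used so that order numbers or timestamps that merely look like
// a card number are not masked (this still leaves ~10% false positives).
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes.
const PAN_RE = /\b(?:\d[ -]?){12,18}\d\b/g;
// Verification-value keys (constructed names) whose values must never be logged.
const CVV_RE = /\b(cvv2?|cvc|csc|cid)\b(["']?\s*[:=]\s*["']?)\d{3,4}/gi;

function maskPan(match) {
  const digits = match.replace(/[ -]/g, '');
  if (!luhnValid(digits)) return match;          // not a card number, leave it
  return digits.slice(0, 6) + '*'.repeat(digits.length - 10) + digits.slice(-4);
}

function scrubLogLine(line) {
  return line
    .replace(CVV_RE, (m, key, sep) => `${key}${sep}[REDACTED]`)
    .replace(PAN_RE, maskPan);
}

// Constructed sample: a request log line that accidentally carries card data.
const SAMPLE_LINE =
  '2015-12-07T19:56:59Z POST /billing card=4111 1111 1111 1111 cvv=123 account=88812345';

console.log(scrubLogLine(SAMPLE_LINE));
```

Wire `scrubLogLine` into the logger's formatter so every line passes through it, rather than relying on individual call sites to remember.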