Compliance Requirements for Certification
PCI and NACHA compliance requirements you must meet before going live.
Completing Cresora certification requires demonstrating compliance with relevant payment industry standards.
PCI DSS
You must complete a PCI Self-Assessment Questionnaire (SAQ) appropriate to your integration type:
| Integration | SAQ type |
|---|---|
| HPP only | SAQ A |
| Cresora.js tokenization | SAQ A-EP |
| API Direct (card data on server) | SAQ D |
Submit your completed SAQ with your certification evidence.
🔒 PCI DSS requirement
Your SAQ must be current (within the past 12 months) and signed. Cresora cannot issue live keys without a completed SAQ.
NACHA (if using ACH)
If your integration processes ACH payments, you must confirm:
- NACHA-compliant authorization language displayed before collecting bank account details
- Authorization records retained for 2 years after the last ACH entry
- R10 return handling implemented (stop all retries immediately)
- Reg E re-notification flow implemented (for recurring ACH plans)
See ACH Authorization Language for the required authorization text.
Compliance documentation to submit
| Document | Required for |
|---|---|
| Completed PCI SAQ | All partners |
| NACHA authorization language screenshot | ACH integrations |
| R10 handling flow diagram or code | ACH integrations |
| Security architecture diagram | SAQ D partners |