Compliance
PCI, HIPAA, NACHA, and ACH authorization requirements for Cresora integrations.
Cresora is designed for compliance-first integrations. This section covers your obligations as a Partner integrating the platform.
Standards covered
| Standard | Cresora posture |
|---|---|
| PCI DSS | Cresora is a PCI DSS Level 1 service provider. Using HPP or tokenization reduces your scope to SAQ A. |
| HIPAA | Cresora is HIPAA-aware for healthcare ISVs. See HIPAA guide →. |
| NACHA | ACH processing follows NACHA operating rules. See NACHA guide →. |
PCI scope by integration type
| Integration | PCI SAQ |
|---|---|
| HPP (hosted payment page) | SAQ A |
| Tokenization (Cresora.js) | SAQ A-EP |
| API Direct (server-side card processing) | SAQ D |
🔒 Compliance requirement
You must complete a PCI SAQ appropriate to your integration type before going live. Provide your SAQ completion evidence during Cresora certification.