PCI DSS Overview
PCI DSS requirements and how Cresora helps you maintain compliance.
The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization that stores, processes, or transmits cardholder data. Cresora is a PCI DSS Level 1 service provider, the highest certification level.
Your PCI scope
Your PCI scope depends on which Cresora integration method you use:
| Integration | SAQ type | Scope |
|---|---|---|
| HPP (hosted payment page) | SAQ A | Lowest — Cresora handles all card data |
| Cresora.js tokenization | SAQ A-EP | Low — card data flows through your frontend but not your server |
| API Direct | SAQ D | Highest — card data flows through your server |
Whenever possible, use the HPP integration (SAQ A) or Cresora.js tokenization (SAQ A-EP) to minimize your PCI scope. API Direct integration requires a full PCI DSS assessment.
What Cresora handles
As a Level 1 service provider, Cresora:
- Stores card data in a PCI-compliant environment
- Transmits all cardholder data over TLS 1.2+
- Maintains its own annual PCI assessment
- Provides you with its Attestation of Compliance (AoC) on request
Your responsibilities
Even with Cresora handling card storage and processing, you are responsible for:
- Completing your annual SAQ (appropriate to your integration type)
- Ensuring your servers and systems meet baseline security requirements
- Not logging cardholder data: card numbers (PANs), CVV/CVC codes, and full magnetic-stripe track data
- Maintaining secure coding practices
- Training staff on cardholder data handling
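As an added illustration of the "not logging cardholder data" responsibility (example code, not Cresora's), the filter below can be applied to a line before it reaches your application log: it drops magnetic-stripe track data whole, blanks CVV/CVC values, and masks any 13–19 digit run that passes the Luhn check so only the last four digits survive. The field names and log lines are constructed assumptions, not a Cresora format.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# CVV/CVC/CID/CSC values in key=value, key: value or JSON form (3-4 digits).
CVV_RE = re.compile(
    r'(?i)(["\']?\b(?:cvv2?|cvc2?|cid|csc)\b["\']?\s*[:=]\s*["\']?)\d{3,4}'
)
# ISO 7813 track 1 (%B<PAN>^NAME^...?) and track 2 (;<PAN>=YYMM...?) data.
TRACK_RE = re.compile(r"%B\d{13,19}\^[^?]*\?|;\d{13,19}=\d{4,}[^?]*\?")


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to avoid masking order numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_pan(m: re.Match) -> str:
    digits = re.sub(r"[ -]", "", m.group(0))
    if not luhn_ok(digits):
        return m.group(0)        # not a card number: leave untouched
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_cardholder_data(line: str) -> str:
    """Return a copy of `line` safe to write to a log (PCI DSS: no PAN, CVV or track data)."""
    line = TRACK_RE.sub("[TRACK DATA REDACTED]", line)   # track first: it embeds the PAN
    line = CVV_RE.sub(lambda m: m.group(1) + "***", line)
    line = PAN_RE.sub(_mask_pan, line)
    return line


if __name__ == "__main__":
    # Constructed sample lines; 4242... and 4111... are well-known test PANs.
    for raw in (
        "2024-05-01 INFO charge ok pan=4242424242424242 cvv=123 order=1234567890123456",
        '{"number": "4242 4242 4242 4242", "exp": "12/25", "cvc": "123"}',
        "swipe=%B4111111111111111^DOE/JOHN^2512101?",
    ):
        print(redact_cardholder_data(raw))
```

The Luhn check keeps plausible false positives (the 16-digit order number above) readable; a stricter deployment can drop that check and mask every candidate run.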
Getting Cresora's AoC
Request Cresora's Attestation of Compliance for your records via the Partner Portal under Compliance → Cresora Compliance Documents.