PCI Compliance Requirements for Direct Card Tokenization

Requirements merchants must meet to directly tokenize raw card data (PAN & CVV) with Coinflow.

PCI Compliance Requirements for Direct Tokenization

Merchants must meet PCI DSS requirements if they wish to directly transmit raw card data (PAN and CVV) to Coinflow’s tokenization API.
If these requirements are not met, merchants must use Coinflow’s tokenization components instead.

Terms

  • AOC — Attestation of Compliance
  • SAQ — Self-Assessment Questionnaire

All submitted documentation must be PCI DSS v4.0.0 or above, and the AOC/SAQ report date must be less than 1 year old.
Merchant Requirements

1. Merchant Does NOT Use a Tokenization Provider

  • Provide PCI DSS SAQ D
  • Include AOC signed by a company representative
  • QSA attestation is optional but preferred

2. Merchant Uses a Tokenization Provider AND Uses Their Hosted Card Input Forms

  • Tokenization provider must have a PCI Level 1 Service Provider AOC signed by a QSA
  • Merchant must provide PCI SAQ A
  • Merchant must confirm use of the provider’s hosted card input forms

3. Merchant Uses a Tokenization Provider BUT Not Their Hosted Card Input Forms

  • Tokenization provider must have a PCI Level 1 Service Provider AOC signed by a QSA
  • Merchant must provide PCI SAQ A-EP
  • Merchant must confirm card data flows directly from browser → provider, not through their backend

Service Provider Requirements

A service provider is any business that can affect the security of a merchant’s cardholder data environment (CDE), even if it does not store or transmit card data directly.

  • Must provide a PCI Level 1 Service Provider AOC, signed by a QSA
  • Report must be < 1 year old
  • SAQs are not accepted for service provider attestation

Summary Table

| Scenario                        | Merchant Documentation | Tokenization Provider Documentation | QSA Required?            |
|---------------------------------|------------------------|-------------------------------------|--------------------------|
| No tokenization provider        | SAQ D + AOC            | N/A                                 | Optional (preferred)     |
| Uses provider + hosted forms    | SAQ A                  | Provider Level 1 AOC                | QSA required for provider |
| Uses provider, not hosted forms | SAQ A-EP               | Provider Level 1 AOC                | QSA required for provider |
| Service provider                | N/A                    | Provider Level 1 AOC                | Yes                      |