PCI Compliance Requirements for Direct Card Tokenization

Requirements merchants must meet to directly tokenize raw card data (PAN & CVV) with Coinflow.

PCI Compliance Requirements for Direct Tokenization

Merchants must meet PCI DSS requirements if they wish to directly transmit raw card data (PAN and CVV) to Coinflow’s tokenization API.
If these requirements are not met, merchants must use Coinflow’s tokenization components instead.

Terms

  • AOC — Attestation of Compliance
  • SAQ — Self-Assessment Questionnaire

All submitted documentation must be PCI DSS v4.0.0 or above, and the AOC/SAQ report date must be less than 1 year old.
Merchant Requirements

1. Merchant Does NOT Use a Tokenization Provider

  • Provide PCI DSS SAQ D
  • Include AOC signed by a company representative
  • QSA attestation is optional but preferred

2. Merchant Uses a Tokenization Provider AND Uses Their Hosted Card Input Forms

  • Tokenization provider must have a PCI Level 1 Service Provider AOC signed by a QSA
  • Merchant must provide PCI SAQ A
  • Merchant must confirm use of the provider’s hosted card input forms

3. Merchant Uses a Tokenization Provider BUT Not Their Hosted Card Input Forms

  • Tokenization provider must have a PCI Level 1 Service Provider AOC signed by a QSA
  • Merchant must provide PCI SAQ A-EP
  • Merchant must confirm card data flows directly from browser → provider, not through their backend

Service Provider Requirements

A service provider is any business that can affect the security of a merchant’s cardholder data environment (CDE), even if it does not store or transmit card data directly.

  • Must provide a PCI Level 1 Service Provider AOC, signed by a QSA
  • Report must be < 1 year old
  • SAQs are not accepted for service provider attestation

Summary Table

Scenario                         | Merchant Documentation | Tokenization Provider Documentation | QSA Required?
---------------------------------|------------------------|-------------------------------------|--------------------------
No tokenization provider         | SAQ D + AOC            | N/A                                 | Optional (preferred)
Uses provider + hosted forms     | SAQ A                  | Provider Level 1 AOC                | QSA required for provider
Uses provider, not hosted forms  | SAQ A-EP               | Provider Level 1 AOC                | QSA required for provider
Service provider                 | N/A                    | Provider Level 1 AOC                | Yes