Security & PCI DSS Compliance
PebblePay is committed to protecting cardholder data through industry-leading security practices and PCI DSS compliance.
PCI DSS SAQ-D Compliant
PebblePay validates its PCI DSS compliance using Self-Assessment Questionnaire D (SAQ-D) and makes the corresponding Attestation of Compliance (AOC) available on request. Cardholder data is encrypted in transit and passed to our payment gateway, which returns a token in place of the card number. We never store full card numbers (PAN), CVV/CVC codes or any other sensitive authentication data; after a transaction we retain only the payment token, the last four digits of the card number and the card brand.
What is SAQ-D?
Self-Assessment Questionnaire D (SAQ-D) is the most comprehensive of the PCI DSS self-assessment questionnaires. It applies to merchants and service providers whose own systems handle cardholder data and who therefore do not qualify for one of the narrower questionnaires (such as SAQ A, which covers fully outsourced card handling). It applies to PebblePay because card data passes through PebblePay servers on its way to the payment gateway. Whether self-assessment is permitted, or a QSA-led Report on Compliance is required instead, is decided by the card brands' and the acquirer's compliance programs, typically by transaction volume.
Process & Transmit Only
Card data passes through PebblePay servers only in memory, protected by TLS on both legs, and is forwarded immediately to the payment gateway. It is never written to disk.
Zero Storage Policy
We never store PANs, CVVs, expiry dates or any other sensitive authentication data. CVV/CVC is sensitive authentication data, which PCI DSS prohibits storing after authorization even in encrypted form. Only the gateway's payment token and masked data (last 4 digits, card brand) are retained.
Encryption & Tokenization
Card data is protected by TLS 1.3 in transit and is tokenized by the payment gateway before anything is stored; the token, not the PAN, is what our systems keep.
How We Protect Cardholder Data
Data Transmission Security
- All card data is transmitted over TLS 1.3 encrypted connections
- Card data is collected only on PebblePay-hosted checkout pages
- The card-data endpoint validates the request's Origin against PebblePay's checkout origins and rejects browser submissions from anywhere else
Data Handling (SAQ-D - Process/Transmit Only)
- Card data collected via secure HTTPS forms and immediately encrypted
- Encrypted card data transmitted directly to payment gateway - never written to disk or logs
- Full card numbers (PAN) and CVV/CVC codes are NEVER stored in any form
- Only tokenized references and masked data (last 4 digits, card brand) retained post-transaction
- The payment gateway is a PCI DSS Level 1 validated service provider; authorization and tokenization take place there, and PebblePay holds only the resulting token
3D Secure Authentication
- 3D Secure 2.0 (3DS2) is supported for enhanced cardholder authentication
- Successfully authenticated 3DS2 transactions shift liability for fraud-related chargebacks from the seller to the card issuer, subject to card-scheme rules
- 3DS2 is an accepted way of meeting the Strong Customer Authentication (SCA) requirements of PSD2 for online card payments
Seller Integration Security
Approved Integration Methods
PebblePay provides three secure integration methods. In all three the card form itself is served from PebblePay's origin, so card data is processed only within our PCI-compliant environment:
Redirect Checkout
Customers are redirected to PebblePay's hosted checkout page
Popup/Modal Checkout
PebblePay checkout opens in a secure popup on the seller's site
Embedded iFrame
PebblePay checkout embedded as an iframe widget on the seller's page. The frame content is served from PebblePay's origin, so the browser's same-origin policy keeps the seller's page scripts from reading the card fields.
Prohibited: Direct Card Collection
Sellers are strictly prohibited from collecting card data on their own websites. Our card-data API enforces this in the browser by rejecting submissions whose Origin is not a PebblePay checkout origin. Because any non-browser client can send whatever headers it likes, this check catches mis-integrations rather than replacing the contractual prohibition.
This restriction protects both sellers and their customers by ensuring all card data is handled within PebblePay's PCI-compliant environment.
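The origin check is where integrations usually go wrong: matching on a substring or suffix of the hostname admits attacker-controlled domains. The following is an added example, not PebblePay's code, showing an exact-match allowlist after canonicalisation, with a deliberately weak substring check beside it. The checkout origin, the request shape and the handler are assumptions.

```python
"""Origin allowlisting for a card-data endpoint.

Added example, not PebblePay's code. ALLOWED_ORIGINS and the handler's
request shape are assumptions made for the example.
"""
from urllib.parse import urlsplit

# Assumed hosted checkout origin (the page that serves the card form).
ALLOWED_ORIGINS = frozenset({"https://checkout.pebblepay.example"})


def origin_allowed_weak(origin):
    """Substring match: also accepts https://checkout.pebblepay.example.attacker.test. Do not use."""
    return "pebblepay.example" in (origin or "")


def canonical_origin(value):
    """Return scheme://host[:port] in canonical form, or None if the header is not a usable origin.

    Rejects the opaque origin "null" (sandboxed frames, file://, cross-origin
    redirects), non-HTTPS schemes, userinfo, paths and queries: a genuine
    Origin header carries none of these.
    """
    if value is None:
        return None
    value = value.strip()
    if value == "" or value.lower() == "null":
        return None
    parts = urlsplit(value)
    if parts.scheme != "https" or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username or parts.password:
        return None
    try:
        port = parts.port                   # raises ValueError on a non-numeric port
    except ValueError:
        return None
    host = parts.hostname.lower().rstrip(".")
    if port is None or port == 443:         # default port is omitted in the canonical form
        return f"https://{host}"
    return f"https://{host}:{port}"


def origin_allowed(origin):
    """Exact-match check against the allowlist after canonicalisation."""
    canon = canonical_origin(origin)
    return canon is not None and canon in ALLOWED_ORIGINS


def handle_card_submission(headers):
    """Assumed request handler: returns (status, message) for a card-data POST."""
    if not origin_allowed(headers.get("Origin")):
        return 403, "card data may only be submitted from PebblePay-hosted checkout"
    return 202, "accepted for tokenization"
```

The same allowlist decision should drive the CORS response: echo the origin in Access-Control-Allow-Origin only when origin_allowed() returns True, and never reflect an arbitrary Origin back.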
Additional Security Measures
Access Controls
- Role-based access control (RBAC)
- Multi-factor authentication for admin access
- API key authentication for seller integrations
- Automatic session timeouts
Monitoring & Detection
- Real-time fraud detection scoring
- Velocity checks and rate limiting
- AVS and CVV verification
- Anomaly detection for suspicious patterns
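"Velocity checks" and "anomaly detection for suspicious patterns" cover a family of rules; the most common one on a checkout endpoint is a sliding-window count per card token and per client IP, plus a card-testing rule that flags many distinct cards arriving from one IP. The following is an added example, not PebblePay's code: thresholds, the window length, the key names and the IP addresses (taken from documentation ranges) are all constructed for illustration.

```python
"""Sliding-window velocity checks for checkout attempts.

Added example, not PebblePay's code. Thresholds, window length, token and
IP values below are constructed for illustration.
"""
from collections import defaultdict, deque


class SlidingWindowCounter:
    """Counts events per key inside a trailing time window (timestamps in seconds)."""

    def __init__(self, window_seconds: int):
        self.window = window_seconds
        self.events = defaultdict(deque)    # key -> ascending timestamps

    def _prune(self, key, now):
        q = self.events[key]
        while q and q[0] <= now - self.window:
            q.popleft()
        return q

    def count(self, key, now) -> int:
        return len(self._prune(key, now))

    def record(self, key, now) -> None:
        self._prune(key, now).append(now)


class VelocityScreen:
    """Per-card, per-IP and card-testing rules. Thresholds are illustrative assumptions."""

    def __init__(self, window_seconds=600, per_card=5, per_ip=20, distinct_cards_per_ip=5):
        self.window = window_seconds
        self.per_card = per_card
        self.per_ip = per_ip
        self.distinct_cards = distinct_cards_per_ip
        self.by_card = SlidingWindowCounter(window_seconds)
        self.by_ip = SlidingWindowCounter(window_seconds)
        self.cards_seen_by_ip = defaultdict(dict)   # ip -> {card_token: last_seen}

    def _recent_cards(self, ip, now):
        seen = self.cards_seen_by_ip[ip]
        for tok in [t for t, ts in seen.items() if ts <= now - self.window]:
            del seen[tok]
        return seen

    def screen(self, card_token: str, ip: str, now: float) -> list:
        """Return the rule names this attempt trips (empty list means allowed).

        Every attempt is recorded, allowed or not, so a flood cannot reset the
        counters by being rejected.
        """
        reasons = []
        if self.by_card.count(card_token, now) >= self.per_card:
            reasons.append("card_velocity")
        if self.by_ip.count(ip, now) >= self.per_ip:
            reasons.append("ip_velocity")
        seen = self._recent_cards(ip, now)
        if card_token not in seen and len(seen) >= self.distinct_cards:
            reasons.append("card_testing")      # many different cards from one IP
        self.by_card.record(card_token, now)
        self.by_ip.record(ip, now)
        seen[card_token] = now
        return reasons


def run_constructed_scenario() -> dict:
    """Constructed traffic: a retried card, a card-testing burst, and a retry after the window."""
    screen = VelocityScreen(window_seconds=600, per_card=3, per_ip=20, distinct_cards_per_ip=4)
    out = {}
    # One card retried four times in 15 seconds: the fourth attempt trips the per-card limit.
    out["card_retry"] = [screen.screen("tok_A", "198.51.100.10", t) for t in (0, 5, 10, 15)]
    # Six different cards from one IP in six seconds: classic card testing from the fifth on.
    out["card_testing"] = [screen.screen(f"tok_{i}", "203.0.113.7", 100 + i) for i in range(6)]
    # The first card again after the window has elapsed is allowed.
    out["after_window"] = screen.screen("tok_A", "198.51.100.10", 700)
    return out


if __name__ == "__main__":
    for name, result in run_constructed_scenario().items():
        print(name, result)
```

The screen returns rule names rather than a bare boolean so the outcome can be scored alongside AVS/CVV results and logged for the fraud team; in production the counters would live in a shared store rather than process memory.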
Infrastructure Security
- Encrypted data at rest and in transit
- Regular security audits and penetration testing
- DDoS protection and WAF
- Secure development lifecycle (SDLC)
Incident Response
- 24/7 security monitoring
- Documented incident response procedures
- Breach notification within 72 hours
- Regular disaster recovery testing
PCI DSS Compliance Requirements
The twelve PCI DSS requirements (titles abbreviated from PCI DSS v4.0):
| Requirement | Description |
|---|---|
| 1 | Install and maintain network security controls |
| 2 | Apply secure configurations to all system components |
| 3 | Protect stored account data |
| 4 | Protect cardholder data with strong cryptography during transmission |
| 5 | Protect all systems and networks from malicious software |
| 6 | Develop and maintain secure systems and software |
| 7 | Restrict access to system components by business need-to-know |
| 8 | Identify users and authenticate access to system components |
| 9 | Restrict physical access to cardholder data |
| 10 | Log and monitor all access to system components and cardholder data |
| 11 | Test security of systems and networks regularly |
| 12 | Support information security with organizational policies and programs |
Security Questions?
If you have questions about our security practices or need our PCI DSS Attestation of Compliance (AOC), please contact our security team.
security@pebblepay.io