PCI Compliance
How CevGate helps protect cardholder data
1. What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements established by the major card networks — Visa, Mastercard, American Express, Discover, and JCB — to protect cardholder data. Any business that accepts, processes, stores, or transmits credit card information is required to comply with PCI DSS.
PCI DSS compliance is not optional. Failure to comply can result in fines from card networks, increased processing fees, or the inability to accept card payments altogether.
Compliance Levels
PCI DSS defines several Self-Assessment Questionnaires (SAQs) based on how a business handles cardholder data:
- SAQ A — For merchants that fully outsource all cardholder data functions to a validated third party. No electronic storage, processing, or transmission of cardholder data on the merchant's systems. Typically fewer than 25 questions.
- SAQ A-EP — For e-commerce merchants that partially outsource payment processing but whose website may impact the security of the payment transaction. Approximately 140 questions.
- SAQ D — For merchants that store, process, or transmit cardholder data on their own systems. This is the most comprehensive questionnaire, with over 300 requirements.
The type of SAQ a merchant must complete depends entirely on how cardholder data is handled in their payment flow.
2. How CevGate Simplifies PCI Compliance
CevGate is a payment technology provider — not a payment processor. CevGate provides a hosted checkout page where your customers enter their payment information (card number, CVV, expiration date). This cardholder data is transmitted directly from CevGate's hosted page to the applicable Payment Processor. At no point does the cardholder data pass through or reside on your servers.
Because the hosted checkout page is served by CevGate and card data is transmitted directly to the Payment Processor, cardholder data never touches your systems. This architecture is designed to help merchants qualify for PCI DSS SAQ A — the simplest self-assessment questionnaire available.
SAQ A vs. SAQ D: The Difference Matters
| | SAQ A | SAQ D |
|---|---|---|
| Number of requirements | ~22 | 300+ |
| Card data on your servers | No | Yes |
| Typical completion time | Hours | Weeks to months |
| Requires network vulnerability scans | No | Yes |
By using CevGate's hosted checkout, merchants can significantly reduce their PCI compliance scope and the associated time, cost, and complexity.
3. CevGate's Security Measures
CevGate implements commercially reasonable security measures designed to help protect cardholder data and maintain the integrity of the payment flow. These measures include:
- TLS 1.2+ encryption — All data transmitted between your customers, CevGate's hosted checkout page, and the Payment Processor is encrypted in transit using TLS 1.2 or higher.
- AES-256 encryption at rest — Sensitive data stored on CevGate's systems (such as merchant account information) is encrypted using AES-256 encryption.
- Tokenized card references — CevGate does not store raw card numbers. Where card references are needed (e.g., for recurring billing), CevGate uses tokenized references provided by the Payment Processor.
- Access controls — CevGate restricts access to systems and data on a need-to-know basis, with role-based access controls and multi-factor authentication for internal systems.
- Audit logging — CevGate maintains logs of access to systems and sensitive data for monitoring and incident response purposes.
- Regular security assessments — CevGate conducts periodic security reviews and assessments of its infrastructure and application code.
Important: These security measures are provided on a commercially reasonable basis and are described for informational purposes. Consistent with Section 9 of the Terms of Service, CevGate's services and security measures are provided "as is" without warranty of any kind. No security measure can eliminate all risk, and CevGate does not warrant that its systems are impervious to breach or attack.
4. Merchant Responsibilities
While CevGate's hosted checkout architecture is designed to reduce your PCI compliance burden, merchants retain certain responsibilities for maintaining a secure environment:
- Account credentials — You are responsible for keeping your CevGate login credentials secure and not sharing them with unauthorized individuals.
- API key protection — If you use CevGate's API, you must protect your API keys and secrets. Do not expose them in client-side code, public repositories, or unsecured files.
- No storage of raw card data — You must not store, log, or record full credit card numbers, CVV codes, or other sensitive authentication data on your own systems. If you intercept or capture this data outside of CevGate's hosted checkout flow, you assume full responsibility for PCI compliance obligations that may arise.
- Secure systems — You are responsible for maintaining the security of any systems, websites, or applications that interact with the CevGate Platform, including keeping software up to date and applying security patches.
- SAQ A self-assessment — If required by your Payment Processor, you are responsible for completing your own SAQ A self-assessment questionnaire. CevGate does not complete PCI self-assessments on behalf of merchants.
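As an illustration of the "no storage of raw card data" responsibility above, here is an added example (not CevGate's code and not part of this page's original text) of a Python logging filter that masks any Luhn-valid card number in a log message down to its last four digits and blanks CVV-style fields before the line is written. The field names `cvv`, `cvc`, `cvv2` and `security_code`, and the sample log lines, are constructed for the example; the card numbers used are the well-known Visa and Mastercard test numbers, not real accounts.

```python
import logging
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not glued to other digits on either side.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# CVV-style field in key=value or JSON-ish form. The field names are an
# assumption for this example; adapt them to the names your own code uses.
_CVV_RE = re.compile(
    r'(?i)(\b(?:cvv|cvc|cvv2|security_code)\b["\']?\s*[:=]\s*["\']?)\d{3,4}'
)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_pan(match: re.Match) -> str:
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw  # long numeric id (order number, tracking code), leave as-is
    # Keep only the last four digits, matching the truncated identifier
    # a transaction record is allowed to retain.
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Mask card numbers and blank CVV values in a free-form string."""
    text = _PAN_RE.sub(_mask_pan, text)
    text = _CVV_RE.sub(lambda m: m.group(1) + "***", text)
    return text


class CardDataFilter(logging.Filter):
    """Logging filter that redacts cardholder data before any handler sees it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so data passed via %-args is also scrubbed, then drop args.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def demo() -> list[str]:
    """Run three constructed log lines through the filter and return the results."""
    logger = logging.getLogger("checkout-demo")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    captured: list[str] = []

    class _Capture(logging.Handler):
        def emit(self, rec: logging.LogRecord) -> None:
            captured.append(rec.getMessage())

    logger.addFilter(CardDataFilter())
    logger.addHandler(_Capture())

    # Constructed sample log lines (test card numbers, not real accounts).
    logger.info("payment form posted card=4111 1111 1111 1111 cvv=123")
    logger.info("retry for %s", "5105-1051-0510-5100")
    logger.info("order 1234567890123 shipped")  # 13 digits, fails Luhn: untouched
    return captured


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The filter is attached to the logger rather than to a single handler so every destination (console, file, remote collector) receives the scrubbed text. The Luhn check keeps ordinary long numeric identifiers readable, but any 13-19 digit value that happens to pass Luhn will also be masked, which is the safer direction to fail in.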
5. What CevGate Does NOT Do
To set clear expectations, CevGate wants merchants to understand the following limitations:
- CevGate does not store full credit card numbers. Card data entered on the hosted checkout page is transmitted directly to the Payment Processor. CevGate retains only tokenized references and truncated card identifiers (e.g., last four digits) for transaction records.
- CevGate does not guarantee PCI compliance. PCI DSS compliance is the responsibility of each individual merchant. While CevGate's hosted checkout architecture is designed to help merchants qualify for SAQ A, CevGate cannot and does not certify or guarantee any merchant's compliance status.
- CevGate's security measures are provided "as is." Consistent with the Terms of Service, all services — including security features — are provided without warranty of any kind, whether express or implied. CevGate disclaims all warranties including warranties of merchantability, fitness for a particular purpose, and non-infringement.
- CevGate is not a Qualified Security Assessor (QSA). CevGate is a technology provider. Nothing on this page or elsewhere on the CevGate website constitutes security advice, legal advice, or a PCI compliance assessment. Merchants should consult with a qualified PCI QSA or their Payment Processor if they have questions about their specific compliance obligations.
6. Contact
If you have questions about CevGate's security practices or need more information about how CevGate's hosted checkout page works in relation to PCI compliance, please contact us:
Email: support@cevgate.com
This page is provided for informational purposes only and does not constitute legal, regulatory, or compliance advice. Merchants are solely responsible for their own PCI DSS compliance. Please refer to the Terms of Service for the complete terms governing your use of the CevGate Platform.