
Security & PCI DSS Compliance

PebblePay is committed to protecting cardholder data through industry-leading security practices and PCI DSS compliance.

PCI DSS SAQ-D Compliant

PebblePay is validated as PCI DSS SAQ-D compliant. We securely process and transmit cardholder data to our payment gateway using industry-standard encryption and tokenization. We never store full card numbers (PAN), CVV/CVC codes, or sensitive authentication data. All card data is encrypted and tokenized during transmission - we only retain masked card data (last 4 digits) and payment tokens.

What is SAQ-D?

Self-Assessment Questionnaire D (SAQ-D) is the most comprehensive PCI DSS validation for merchants who process cardholder data through their systems. This applies to PebblePay because we transmit encrypted card data to our payment gateway during checkout processing.

Process & Transmit Only

Card data passes through our secure servers encrypted and is immediately transmitted to the payment gateway. Data is never written to disk.

Zero Storage Policy

We never store PANs, CVVs, expiry dates, or any sensitive authentication data. Only tokenized references and masked data (last 4 digits) are retained.

Encryption & Tokenization

All card data is encrypted with TLS 1.3 in transit and tokenized by the payment gateway before any storage.

How We Protect Cardholder Data

Data Transmission Security

  • All card data is transmitted over TLS 1.3 encrypted connections
  • Card data is collected only on PebblePay-hosted checkout pages
  • Origin validation prevents unauthorized card data submissions

Data Handling (SAQ-D - Process/Transmit Only)

  • Card data collected via secure HTTPS forms and immediately encrypted
  • Encrypted card data transmitted directly to payment gateway - never written to disk or logs
  • Full card numbers (PAN) and CVV/CVC codes are NEVER stored in any form
  • Only tokenized references and masked data (last 4 digits, card brand) retained post-transaction
  • Payment gateway is PCI DSS Level 1 certified - handles all sensitive data

3D Secure Authentication

  • 3D Secure 2.0 (3DS2) is supported for enhanced cardholder authentication
  • Provides additional fraud protection and liability shift
  • Meets Strong Customer Authentication (SCA) requirements for PSD2

Seller Integration Security

Approved Integration Methods

PebblePay provides three secure integration methods that ensure card data is processed through our PCI-compliant environment:

A. Redirect Checkout: customers are redirected to PebblePay's hosted checkout page.
B. Popup/Modal Checkout: PebblePay checkout opens in a secure popup on the seller's site.
C. Embedded iFrame: PebblePay checkout is embedded as an iframe widget on the seller's page.

Prohibited: Direct Card Collection

Sellers are strictly prohibited from collecting card data directly on their own websites. Our API enforces this by rejecting any card data submissions from non-PebblePay domains. This restriction protects both sellers and their customers by ensuring all card data is handled within PebblePay's PCI-compliant environment.
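The origin restriction and the masked-data retention described above, shown as a defensive illustration. This is an added example, not PebblePay's code; the checkout hostnames, the gateway callable and the brand prefix map are assumptions.

```python
from urllib.parse import urlsplit

# Assumed allowlist of PebblePay-hosted checkout origins (placeholder hostnames,
# not taken from the page). Matching is exact, so lookalike hosts such as
# "checkout.pebblepay.example.evil.test" do not pass.
ALLOWED_CHECKOUT_ORIGINS = frozenset({
    "https://checkout.pebblepay.example",
    "https://embed.pebblepay.example",
})

# Simplified first-digit brand map (assumption, for illustration only).
CARD_BRANDS = {"4": "visa", "5": "mastercard", "3": "amex"}


def origin_allowed(origin_header):
    """Exact-match the Origin header against the hosted-checkout allowlist."""
    if not origin_header:
        # A browser form POST always carries Origin; treat absence as untrusted.
        return False
    parts = urlsplit(origin_header.strip())
    if parts.scheme != "https" or not parts.netloc or parts.path not in ("", "/"):
        return False
    return f"{parts.scheme}://{parts.netloc.lower()}" in ALLOWED_CHECKOUT_ORIGINS


def retained_record(pan, gateway_token):
    """Build the only data kept after the gateway call: last 4, brand, token."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    return {"last4": digits[-4:], "brand": CARD_BRANDS.get(digits[0], "unknown"),
            "token": gateway_token}


def handle_card_submission(headers, form, send_to_gateway):
    """Reject non-PebblePay origins, forward card data, keep only masked data.

    send_to_gateway is a hypothetical callable standing in for the gateway
    client. The full PAN and CVV live only in this function's scope; they are
    neither returned, persisted nor logged.
    """
    if not origin_allowed(headers.get("Origin")):
        return {"status": 403,
                "error": "card data must be submitted from a PebblePay checkout page"}
    token = send_to_gateway(form["pan"], form["cvv"], form["expiry"])
    return {"status": 200, "record": retained_record(form["pan"], token)}
```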

Additional Security Measures

Access Controls

  • Role-based access control (RBAC)
  • Multi-factor authentication for admin access
  • API key authentication for seller integrations
  • Automatic session timeouts

Monitoring & Detection

  • Real-time fraud detection scoring
  • Velocity checks and rate limiting
  • AVS and CVV verification
  • Anomaly detection for suspicious patterns

Infrastructure Security

  • Encrypted data at rest and in transit
  • Regular security audits and penetration testing
  • DDoS protection and WAF
  • Secure development lifecycle (SDLC)

Incident Response

  • 24/7 security monitoring
  • Documented incident response procedures
  • Breach notification within 72 hours
  • Regular disaster recovery testing

PCI DSS Compliance Requirements

Requirement | Description | Status
1 | Install and maintain network security controls |
2 | Apply secure configurations to all system components |
3 | Protect stored account data |
4 | Protect cardholder data with strong cryptography during transmission |
5 | Protect all systems and networks from malicious software |
6 | Develop and maintain secure systems and software |
7 | Restrict access to system components by business need-to-know |
8 | Identify users and authenticate access to system components |
9 | Restrict physical access to cardholder data |
10 | Log and monitor all access to system components and cardholder data |
11 | Test security of systems and networks regularly |
12 | Support information security with organizational policies and programs |

Security Questions?

If you have questions about our security practices or need our PCI DSS Attestation of Compliance (AOC), please contact our security team at security@pebblepay.io.