PCI-DSS

How to ensure your transactions are PCI-DSS compliant?

What is PCI-DSS?

PCI-DSS stands for "Payment Card Industry Data Security Standard".

It is a set of standards and rules that payment gateways, card issuers, merchants, retailers, or any agent that processes, transmits, or stores credit or debit card data must follow to ensure the protection of this information. The goal is clear: to ensure that customer card data is always secure.

Among the standards established by PCI-DSS are best practices and requirements for areas such as:

  • Cardholder data storage
  • Encryption during data transmission
  • Restricted access control
  • Continuous application monitoring

According to NordVPN, Brazil is the second most affected country by payment card theft. The impact of such attacks can be severe: fines, reputational damage, and even business interruption. Therefore, it is extremely important to comply with the established standards to protect your company.

📘 This document should be used only as a guide. Asaas does not provide consulting or official guidance regarding PCI-DSS certification.


Who does PCI-DSS apply to?

As we've seen, a company that processes, stores, or transmits card data is handling sensitive information. Therefore, any business, regardless of size, that handles card data must follow the PCI DSS guidelines.


What is the SAQ and what are its levels and types?

The SAQ (Self-Assessment Questionnaire) is the PCI DSS instrument for validating compliance without a formal audit. It is used by companies that do not undergo formal audits with a QSA (Qualified Security Assessor) but that, because they process card transactions, must still demonstrate compliance with the security requirements for handling this type of information.

As the name suggests, the SAQ is a self-filled questionnaire, meaning it is the client's sole responsibility to complete and securely store it. In the event of an external audit (by issuers, card networks, or even the gateway itself), this document may be requested.

PCI DSS defines four security levels based on the number of card transactions, allowing companies of all sizes to commit to security and validate their compliance:

| Level | Criteria | Compliance Validation |
| --- | --- | --- |
| Level 1 | More than 6 million transactions per year | Annual audit by a Qualified Security Assessor (QSA) and quarterly vulnerability scans |
| Level 2 | 1 to 6 million transactions per year | Self-assessment questionnaire (SAQ) and quarterly vulnerability scans |
| Level 3 | 20,000 to 1 million transactions per year | Self-assessment questionnaire (SAQ) and quarterly vulnerability scans |
| Level 4 | Up to 20,000 transactions per year | Self-assessment questionnaire (SAQ) |

Based on a company’s security history, PCI DSS may require Levels 2 and 3 to undergo a formal audit, as required for Level 1.

Below is a list of the most common SAQ types for online operations:

| SAQ Type | Recommended For | Brief Description |
| --- | --- | --- |
| A | E-commerce that fully outsources payment processing (no card data passes through the back-end) | Does not store, process, or transmit card data |
| A-EP | E-commerce that does not store data but controls the payment page | Requires more controls than SAQ A |
| D | Any entity that does not meet the above criteria | Most complete and rigorous questionnaire |

The Self-Assessment Questionnaires (SAQs) are available in the PCI document library.


PCI-DSS at Asaas

Asaas is certified at PCI-DSS Level 1.

Every year, Asaas undergoes an external audit to confirm that we meet the required security scope, since as a payment gateway we are responsible for protecting all personal or sensitive data transmitted through our platform.

Additionally, your application that integrates with us must also be compliant based on the type of transaction performed on our platform, as shown in the table below:

| Transaction Format | Card Data Handling | PCI-DSS Requirement |
| --- | --- | --- |
| Asaas Checkout | Not applicable | |
| Asaas Invoice | Not applicable | |
| Payment Link | Not applicable | |
| Asaas API | Data transmitted via back-end | ✅ SAQ-D |
| Server-Side Tokenization | Data transmitted via back-end | ✅ SAQ-D |
| Client-Side Tokenization | Card tokenized in front-end, sent via back-end | ✅ SAQ-A |

🚧 Attention: Asaas does not offer client-side tokenization via front-end. Therefore, we recommend that your application be certified under SAQ-D to ensure secure transmission of card data between your application and Asaas.

The above requirements refer exclusively to operations performed with Asaas. If your company also processes card transactions outside of Asaas, please check with your payment gateway for their PCI-DSS requirements.


Responsibilities

The provider you choose can directly impact your customers' data security. That's why, at Asaas, we are committed to building a secure environment that complies with PCI DSS requirements.

We are PCI DSS certified. This means more security for your customers' data and more reliable financial management for your business.

Asaas and Shared Responsibility

Asaas offers financial management products that handle card data. Therefore, it is important to understand the shared responsibilities:

| Asaas Product | Asaas Responsibility | Your Company's Responsibility | Recommended SAQ for Your Company |
| --- | --- | --- | --- |
| Asaas Checkout | Full operation of the payment page: receiving, transmitting, processing, and storing card data | Your company does not handle card data directly. Responsible for general security and correct redirection to the checkout | SAQ-A: Typically recommended since Asaas handles all card data interaction |
| Asaas Invoice | Card data operation and storage. Payment interface managed by Asaas | Your company does not handle card data directly. Responsible for how the invoice is generated and displayed | SAQ-A: Card data entry occurs in an environment fully managed by Asaas |
| Payment Link | Card data operation and storage. Customer interacts directly with the Asaas payment page | Your company does not handle card data directly. Responsible for securely generating and sharing the link | SAQ-A: Card data is entered in a secure environment external to your company |
| Asaas API | Card data operation and storage after secure receipt | Responsible for the security of card data reception and transmission to Asaas. Includes server and communication protection | SAQ-D (if card data passes through the back-end) or SAQ-A (if using client-side tokenization with no data passing through your servers) |
| Server-Side Tokenization | Card token and data operation and storage after receipt | Responsible for secure transmission of card data from your server to Asaas for tokenization | SAQ-D: Card data passes through the back-end, even briefly, before tokenization |
| Client-Side Tokenization | Token and data operation and storage after receipt | Card is tokenized in the customer's browser (front-end) before reaching the back-end. Responsible for ensuring front-end security and only sending the token | SAQ-A: Ideal to minimize scope since card data never touches your servers |

❗️ Sensitive authentication data (CVV, full track data, PIN/PIN block) must not be stored after authorization — even if encrypted.
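The storage rule in the callout above, and the token-only back-end that keeps an integration in SAQ-A scope, as an added example in Python (not Asaas code, and not any Asaas API): `sanitize_for_storage` drops sensitive authentication data and truncates the PAN before an authorization record is persisted, and `contains_cardholder_data` is a guard a token-only endpoint can run on incoming payloads to detect a PAN (a Luhn-valid run of 13 to 19 digits, including one pasted into a free-text field) or a sensitive-authentication field slipping through to the server. Field names such as `pan`, `cvv`, `track2`, `pin_block` and `card_token` are assumptions for the example, not Asaas field names, and the sample records are constructed.

```python
"""Added example, not Asaas code: keep sensitive authentication data (SAD)
out of storage and keep raw card numbers out of a token-only back-end.

Field names ("pan", "cvv", "track2", "pin_block", "card_token", ...) are
hypothetical and do not correspond to the Asaas API.
"""
import re

# Sensitive authentication data: never persisted after authorisation, even
# encrypted, so the scrubber drops these keys outright.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc", "cid", "track1", "track2", "pin", "pin_block"}

# Full card number (PAN): persisted only in truncated form here.
PAN_FIELDS = {"pan", "card_number"}

# A run of 13-19 digits, optionally separated by spaces or dashes, not
# adjacent to other digits (so a 20-digit order id is not half-matched).
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation: true for real PANs and the usual test PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to first six / last four; raises on anything shorter than a PAN."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a plausible card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: dict) -> dict:
    """Return a copy of an authorisation record that is safe to persist."""
    out = {}
    for key, value in record.items():
        k = key.lower()
        if k in SENSITIVE_AUTH_FIELDS:
            continue                    # SAD is dropped, never stored
        out[key] = mask_pan(str(value)) if k in PAN_FIELDS else value
    return out


def contains_cardholder_data(payload: dict) -> bool:
    """Guard for a token-only endpoint: true if a PAN or SAD reached the back-end.

    Checks both the well-known key names and free-text values, since a card
    number pasted into a 'notes' field puts the server in scope just the same.
    """
    for key, value in payload.items():
        if key.lower() in SENSITIVE_AUTH_FIELDS | PAN_FIELDS:
            return True
        if isinstance(value, str):
            for match in PAN_PATTERN.finditer(value):
                if luhn_ok(re.sub(r"\D", "", match.group())):
                    return True
    return False


if __name__ == "__main__":
    # Constructed sample: what a server-side flow might hold after authorisation.
    auth_record = {"pan": "4111 1111 1111 1111", "cvv": "123",
                   "expiry": "12/30", "amount": 1990, "auth_code": "A1B2C3"}
    print(sanitize_for_storage(auth_record))
    # Constructed sample: a request to a token-only endpoint where a PAN leaks
    # in through a free-text field.
    print(contains_cardholder_data({"card_token": "tok_constructed",
                                    "note": "card 4111 1111 1111 1111"}))
```

A back-end that only ever expects a token can reject any request for which `contains_cardholder_data` returns true and alert on it, since each such request is evidence that the front-end is sending raw card data and the integration has drifted out of SAQ-A scope; the scrubber is the complement for flows where card data legitimately passes through the server.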

At Asaas, PCI DSS compliance goes far beyond technical requirements — it’s a daily commitment to security, without compromising efficiency.

We automate processes, increase productivity, and reduce bureaucracy. All this with a solid foundation: security that protects without slowing down your business.

With PCI DSS, we ensure that every transaction, every integration, and every billing step is protected.


Questions?

If you have questions about whether your company needs to comply with PCI-DSS, we recommend seeking help from a PCI compliance consulting firm to guide you through the process.