PCI-DSS
How to ensure your transactions are security compliant?
What is PCI-DSS?
PCI-DSS stands for "Payment Card Industry Data Security Standard".
It is a set of standards and rules that payment gateways, card issuers, merchants, retailers, or any agent that processes, transmits, or stores credit or debit card data must follow to ensure the protection of this information. The goal is clear: to ensure that customer card data is always secure.
Among the standards established by PCI-DSS are best practices and requirements for areas such as:
- Cardholder data storage
- Encryption during data transmission
- Restricted access control
- Continuous application monitoring
According to NordVPN, Brazil is the second most affected country by payment card theft. The impact of such attacks can be severe: fines, reputational damage, and even business interruption. Therefore, it is extremely important to comply with the established standards to protect your company.
This document should be used only as a guide. Asaas does not provide consulting or official guidance regarding PCI-DSS certification.
Who does PCI-DSS apply to?
As we've seen, a company that processes, stores, or transmits card data is handling sensitive information. Therefore, any business, regardless of size, that handles card data must follow the PCI DSS guidelines.
What is the SAQ and what are its levels and types?
The SAQ (Self-Assessment Questionnaire) is a PCI DSS self-assessment questionnaire. It is used by companies that do not undergo formal audits with a QSA (Qualified Security Assessor) but that, due to processing credit card transactions, must still demonstrate compliance with security requirements when handling this type of information.
As the name suggests, the SAQ is a self-filled questionnaire, meaning it is the client's sole responsibility to complete and securely store it. In the event of an external audit (by issuers, card networks, or even the gateway itself), this document may be requested.
PCI DSS defines four security levels based on the number of card transactions, allowing companies of all sizes to commit to security and validate their compliance:
Level | Criteria | Compliance Validation |
---|---|---|
Level 1 | More than 6 million transactions per year | Annual audit by a Qualified Security Assessor (QSA) and quarterly vulnerability scans |
Level 2 | 1 to 6 million transactions per year | Self-assessment questionnaire (SAQ) and quarterly vulnerability scans |
Level 3 | 20,000 to 1 million transactions per year | Self-assessment questionnaire (SAQ) and quarterly vulnerability scans |
Level 4 | Up to 20,000 transactions per year | Self-assessment questionnaire (SAQ) |
Based on a company’s security history, PCI DSS may require Levels 2 and 3 to undergo a formal audit, as required for Level 1.
Below is a list of the most common SAQ types for online operations:
SAQ Type | Recommended For | Brief Description |
---|---|---|
A | E-commerce that fully outsources payment processing (no card data passes through the back-end) | Does not store, process, or transmit card data |
A-EP | E-commerce that does not store data but controls the payment page | Requires more controls than SAQ A |
D | Any entity that does not meet the above criteria | Most complete and rigorous questionnaire |
SAQ – Self-Assessment Questionnaires are available in the PCI document library.
PCI-DSS at Asaas
Asaas is certified at PCI-DSS Level 1.
Every year, Asaas undergoes an external audit to ensure we meet the necessary security scope, as we are a payment gateway responsible for protecting all personal or sensitive data transmitted through our platform.
Additionally, your application that integrates with us must also be compliant based on the type of transaction performed on our platform, as shown in the table below:
Transaction Format | Card Data Handling | PCI-DSS Requirement |
---|---|---|
Asaas Checkout | Not applicable | ❎ |
Asaas Invoice | Not applicable | ❎ |
Payment Link | Not applicable | ❎ |
Asaas API | Data transmitted via back-end | ✅ SAQ-D |
Server-Side Tokenization | Data transmitted via back-end | ✅ SAQ-D |
Client-Side Tokenization | Card tokenized in front-end, sent via back-end | ✅ SAQ-A |
Attention
Asaas does not offer client-side tokenization via front-end. Therefore, we recommend that your application be certified under SAQ-D to ensure secure transmission of card data between your application and Asaas.
The above requirements refer exclusively to operations performed with Asaas. If your company also processes card transactions outside of Asaas, please check with your payment gateway for their PCI-DSS requirements.
Responsibilities
The provider you choose can directly impact your customers' data security. That's why, at Asaas, we are committed to building a secure environment that complies with PCI DSS requirements.
We are PCI DSS certified. This means more security for your customers' data and more reliable financial management for your business.
Asaas and Shared Responsibility
Asaas offers financial management products that handle card data. Therefore, it is important to understand the shared responsibilities:
Asaas Product | Asaas Responsibility | Your Company’s Responsibility | Recommended SAQ for Your Company |
---|---|---|---|
Asaas Checkout | Full operation of payment page: receiving, transmitting, processing, and storing card data | Your company does not handle card data directly. Responsible for general security and correct redirection to the checkout | SAQ-A: Typically recommended since Asaas handles all card data interaction |
Asaas Invoice | Card data operation and storage. Payment interface managed by Asaas | Your company does not handle card data directly. Responsible for how the invoice is generated and displayed | SAQ-A: Card data entry occurs in an environment fully managed by Asaas |
Payment Link | Card data operation and storage. Customer interacts directly with Asaas payment page | Your company does not handle card data directly. Responsible for securely generating and sharing the link | SAQ-A: Card data is entered in a secure environment external to your company |
Asaas API | Card data operation and storage after secure receipt | Responsible for the security of card data reception and transmission to Asaas. Includes server and communication protection | SAQ-D (if card data passes through back-end) or SAQ-A (if using client-side tokenization with no data passing through your servers) |
Server-Side Tokenization | Card token and data operation and storage after receipt | Responsible for secure transmission of card data from your server to Asaas for tokenization | SAQ-D: Card data passes through the back-end, even briefly, before tokenization |
Client-Side Tokenization | Token and data operation and storage after receipt | Card is tokenized in the customer’s browser (front-end) before reaching the back-end. Responsible for ensuring front-end security and only sending the token | SAQ-A: Ideal to minimize scope since card data never touches your servers |
Sensitive authentication data (CVV, full track data, PIN/PIN block) must not be stored after authorization — even if encrypted.
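What "card data passes through the back-end" (the SAQ-D rows above) and "must not be stored after authorization" mean in practice, as an added Python example that is not part of this page and is not Asaas SDK code: a back-end that briefly holds card data drops sensitive authentication data before anything is persisted, keeps at most the first six and last four PAN digits, and scrubs Luhn-valid card numbers out of log lines so a full PAN never lands in a log file. Field names (`card_number`, `cvv`, `token`, ...) and the sample record and log line are constructed for the example; map them to your own request schema.

```python
from __future__ import annotations

import re
from typing import Any

# Sensitive authentication data (SAD): never persisted after authorization,
# encrypted or not. Field names are assumed for this example.
SAD_FIELDS = {"cvv", "cvc", "security_code", "track_data", "pin", "pin_block"}

# Fields that carry the primary account number (assumed names).
PAN_FIELDS = {"card_number", "pan", "number"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates a real-looking PAN from any other digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first 6 and last 4 digits; everything else becomes '*'."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:  # too short to be a PAN; mask it entirely anyway
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def prepare_for_storage(record: dict[str, Any]) -> dict[str, Any]:
    """Copy of a payment record that is safe to persist: SAD removed, PAN masked.

    The gateway token (here the constructed 'token' field) is what you keep
    for later charges; the PAN itself should not be retained.
    """
    safe: dict[str, Any] = {}
    for key, value in record.items():
        name = key.lower()
        if name in SAD_FIELDS:
            continue  # dropped, never written anywhere
        if name in PAN_FIELDS and isinstance(value, str):
            safe[key] = mask_pan(value)
        else:
            safe[key] = value
    return safe


# 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def redact_log_line(line: str) -> str:
    """Mask every Luhn-valid 13-19 digit run so full PANs never reach log files.

    Digit runs that fail Luhn (order ids, references) are left untouched.
    """
    def _sub(match: re.Match[str]) -> str:
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        return mask_pan(digits) if luhn_ok(digits) else raw
    return _PAN_RE.sub(_sub, line)


if __name__ == "__main__":
    # Constructed sample: 4111 1111 1111 1111 is the well-known Visa test PAN.
    request = {"card_number": "4111111111111111", "cvv": "123",
               "holder": "Ana", "token": "tok_example"}
    print(prepare_for_storage(request))
    print(redact_log_line("order 12345 paid with 4111 1111 1111 1111 ref 9876543210123"))
```

Run the masking step at the boundary where the record leaves request scope (before any database write, queue publish or `logging` call), not as a later cleanup; the point of the SAQ-D scope is that the interval during which raw card data exists on your servers stays as short and as well-defined as possible.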
At Asaas, PCI DSS compliance goes far beyond technical requirements — it’s a daily commitment to security, without compromising efficiency.
We automate processes, increase productivity, and reduce bureaucracy. All this with a solid foundation: security that protects without slowing down your business.
With PCI DSS, we ensure that every transaction, every integration, and every billing step is protected.
Questions?
If you have questions about whether your company needs to comply with PCI-DSS, we recommend seeking help from a PCI compliance consulting firm to guide you through the process.