Spreedly PCI compliance information

PCI Compliance

Spreedly can ensure that sensitive card data never touches your servers. Our card data collection tools capture details while minimizing your PCI compliance scope. You can then qualify for the much simpler 4-page SAQ A versus the rigorous 40-page SAQ A-EP.

Spreedly is a PCI Level 1 Service Provider, the highest level of PCI DSS certification.

Who Must Be PCI Compliant

If you accept credit cards from your customers, then you must be PCI compliant.

Many payment gateways and online payment processing solutions may claim that their “drop-in” credit card widget excludes you from worrying about PCI compliance. This is not true. Even if you are using a third party to handle the collection, processing and storage of protected cardholder data, you must still follow the necessary certification process.

Third party solutions allow you to be PCI compliant with much less effort and expense than if you were processing and storing the card data yourself, but you still have to certify each year. Companies like Spreedly can help reduce your PCI compliance burden, but no one can eliminate it entirely.

Proof Of PCI Compliance

Latency, success rates, and features vary widely by gateway across currencies and countries. With Spreedly, you’re not tied to a single vendor. Mix and match providers to get the performance and transaction results you need in the markets you want.

How Do I Self-Assess?

Performing a PCI compliance self-assessment requires you to complete a questionnaire and, depending on which self-assessment category you fall under, to have an outside provider perform a quarterly security scan of your systems.

There are currently eight categories of self-assessment, but not all of these are applicable to online merchants. Your level of PCI scope will ultimately depend on how you capture and work with credit card data. If you are using a third party service like Spreedly it is likely that you will be required to fill out either a SAQ A, SAQ A-EP or SAQ D. View the table below for more information:

If your systems:                                                                                               Then use:

Do not touch, process or store cardholder data, and do not serve any card collection forms                     SAQ A
(e.g. you use Spreedly's iFrame)

Do not touch, process or store cardholder data, but do serve card collection forms                             SAQ A-EP
(e.g. you use Spreedly's transparent redirect)

Do touch, process or store cardholder data                                                                     SAQ D

Where Can I Find More Information?

You can view our PCI compliance documents here:

The PCI compliance guidelines and their interpretations are constantly evolving. We regularly blog about PCI developments so check back regularly, but we have included some relevant posts below:

For additional information, including copies of the PCI compliance guidelines, explanatory background materials, downloadable SAQ forms and general instructions and guidelines, please visit the PCI Security Standards Council's Documents Library.
