less than a minute read • Updated 13 minutes ago
PCI DSS and compliance requirements
What PCI DSS is, the different levels of compliance (SAQ A through D), and how to tell which requirements actually apply to your store when you process payments through Foxy.
PCI DSS (Payment Card Industry Data Security Standard) is the security standard that governs how businesses handle credit card data. Your specific compliance requirements depend on how your store collects and processes payments, and using Foxy significantly reduces what you’re responsible for.
What is PCI DSS?
The Payment Card Industry Security Standards Council (PCI SSC) — made up of major card brands like Visa, Mastercard, and American Express — created the Data Security Standard (DSS) that all merchants accepting card payments must follow in some form.
There are multiple levels of compliance, and figuring out which one applies to you can be confusing. Some of that confusion comes from vendors and providers who use misleading language to sell services merchants don’t actually need.
The two requirements of PCI DSS
Compliance comes down to two deliverables:
The Self-Assessment Questionnaire (SAQ) — ranges from SAQ A (a handful of questions) to SAQ D (200+ requirements).
A security scan from an Approved Scanning Vendor (ASV) — only required for certain SAQ levels.
Simply paying a provider for a “compliance service” does not make you PCI compliant on its own. Real compliance can involve things like staff security training, secure document disposal, and internal policies — none of which a vendor can complete on your behalf just because you paid a monthly fee.
Which SAQ level applies to you?
SAQ level | Scan required? | Applies to you if… |
|---|---|---|
None | No | Payments are handled entirely by a third party (e.g., PayPal Express Checkout or Pay with Amazon through Foxy). PCI DSS generally applies only to merchants with their own Merchant ID receiving payments directly. |
SAQ A | No | Payments are fully outsourced through your Foxy checkout using a real gateway (not one that redirects the customer to a hosted payment page). Card details are never handled by phone, through Foxy’s Unified Order Entry, or any other virtual terminal. No cardholder data ever touches your systems, and none is ever stored. |
SAQ A-EP | No (scan may be required for PCI DSS §6.6) | Payments are partially outsourced — typically a direct-post or JavaScript-based (non-iframe) implementation. Using Foxy’s standard checkout generally avoids this. |
SAQ B / SAQ B-IP / SAQ C / SAQ C-VT | No | Not applicable to ecommerce merchants — these cover standalone terminals, card swipers, or manually processed virtual terminals. |
SAQ D | Yes, on applicable systems | Cardholder data is transmitted or stored on systems you control, regardless of payment method. This includes any case where your website or server touches card numbers at all, even briefly (e.g. a POST that immediately forwards the data elsewhere). This is full PCI DSS compliance — 200+ requirements. |
If you’re processing more than 20,000 Visa transactions per year, additional merchant-level requirements may also apply.
Our general recommendation: avoid using any virtual terminal functionality so you can stay under the much simpler SAQ A. Never store credit card numbers on your own systems — doing so pushes you into SAQ D, which is significantly more complex and costly. Foxy handles this storage for you, so there’s rarely a reason to take on that burden yourself.
How compliance is typically handled
PCI DSS compliance is usually addressed when you set up your merchant account, though it can also come up afterward. Be aware that some payment processors turn PCI compliance into a profit center — charging annual fees (sometimes $149 plus another $99, or up to $19.95/month) that aren’t strictly necessary for your SAQ level. Before paying for any compliance service, confirm what your actual SAQ level requires.
Breach insurance
Breach insurance protects merchants and processors if a breach occurs despite PCI compliance being in place — for example, an employee copying down a card number left at a register. If this is a concern for your business, ask your merchant account provider whether they offer breach insurance.
If a customer reports a stolen card
Occasionally a merchant hears from a customer that their card was used fraudulently after a purchase, with the assumption that the store (or Foxy) leaked the card details. Foxy undergoes continual security reviews and audits, runs intrusion prevention and detection, and monitors its systems proactively — across millions of transactions for thousands of merchants, reports of a compromised card tracing back to Foxy are extremely rare.
In nearly every case, the more likely explanation is that the customer’s own computer is compromised — missing antivirus protection, outdated OS or browser security patches, or a shared machine used by others who visit risky sites or open unsafe email attachments. Once a keylogger or similar malware is present, any card number the customer types anywhere (not just on your store) can be captured and misused.
If this happens with one of your customers and you’d like Foxy looped in, feel free to reach out — we take it seriously. But it’s worth setting the right expectation with the customer: the fix is usually on their end (running a malware scan, or replacing the computer), not a sign that your store or Foxy’s systems were breached.
If you’re being asked to prove compliance
If a payment processor or merchant account provider is asking you to demonstrate PCI compliance, and you aren’t processing cards outside of your Foxy checkout, you can share the following with them:
We’ve outsourced our card handling to Foxy, which is a Level 1 PCI Compliant Service Provider listed on both Visa’s and Mastercard’s registries. Do you still require proof of our own compliance? If so, do you have your own tool we should use, or will an SAQ A be sufficient?
See Foxy’s security and compliance certifications for links to verify Foxy’s PCI status.
If your processor responds that you need a higher compliance level or a passing security scan, contact us so we can help you sort out what’s actually required.