PCI and Tokenization

On this page:

Overview
- PCI Certification
Credentials Collection, Storage, and PCI Reporting
User Payment Management (Tokenization)

Overview

The Payment Card Industry (PCI) Data Security Standards (DSS) regulate the storage and management of credit card details issued by the major card schemes.

PCI Certification

Each PCI DSS level has its own set of requirements. Certification for most of these PCI levels involves submitting a self-assessment questionnaire (SAQ) to evaluate the company’s compliance to the various PCI DSS standards. Other factors taken into account include the company’s: card transaction volume, card acceptance channels used, security posture and practices, and business complexity, etc.

Credentials Collection, Storage, and PCI Reporting

Each Nuvei Solution set (Nuvei Integration Type) defines the merchant’s involvement in the process of collecting customer credit card details, as well as the merchant’s PCI reporting responsibilities as described below:

Merchant PCI Responsibilities

Nuvei Integration Method	Who Collects Card Details	Merchant PCI Responsibilities
Payment Page (hosted page)	Nuvei – Using Nuvei Payment Page.	Submit the Simplest SAQ-A form (stating you outsource PCI to Nuvei).
Simply Connect	Nuvei – Collects from their checkout or payment page.	Submit the Simplest SAQ-A form (stating you outsource PCI to Nuvei).
Web SDK with Nuvei Fields	Nuvei – Collects directly from the merchant page.	Submit the Simplest SAQ-A form (stating you outsource PCI to Nuvei).
Web SDK without Nuvei Fields	The merchant – Collects and passes it to Nuvei directly from their frontend.	Submit the Moderate SAQ-A EP form (shorter than the SAQ-D). Agree to conform to the required security standards. Perform quarterly scans.
Server-to-Server REST API Server-Side SDK REST API 2.0 Beta	The merchant – Collects from their checkout or payment page.	Submit the Detailed SAQ-D form. Agree to conform to the required security standards. Perform quarterly scans.

User Payment Management (Tokenization)

Nuvei has PCI accreditation that allows us to store and manage customer card details for later use. When a customer wishes to make a payment, they can simply select one of their stored payment methods with no need to re-enter the card details.

When a customer makes a payment for the first time, you must include “payment option details” (e.g. card, expiration date, CVV), along with a userTokenId, which identifies the customer. Nuvei stores the details and returns a userPaymentOptionId (UPO) identifier in the response. See the Card-on-File topic.

The next time your customer makes a payment, you do not need to collect the payment option details again. Instead, send their userTokenId and userPaymentOptionId in the payment request.

Nuvei Integration Type	Who Collects Card Details	Merchant PCI Responsibilities
Nuvei Payment Page (hosted page)	Nuvei – Using Nuvei Payment Page.	Submit the Simplest SAQ-A form, (stating you outsource PCI to Nuvei).
Web SDK Fields	Nuvei – Collects directly from the merchant page.	Submit the Simplest SAQ-A form, (stating you outsource PCI to Nuvei).
Nuvei Checkout	Nuvei – Collects from their checkout or payment page.	Submit the Simplest SAQ-A form, (stating you outsource PCI to Nuvei).
Frontend Tokenization API methods: `cardTokenization`	The merchant – Collects and passes it to Nuvei directly from their frontend.	Submit the Moderate SAQ-A EP form (shorter than the SAQ-D). Agree to conform to the required security standards. Perform quarterly scans.
Server-to-Server REST API Server-Side SDK	The merchant – Collects from their checkout or payment page.	Submit the Detailed SAQ-D form. Agree to conform to the required security standards. Perform quarterly scans.