PCI and Tokenization

Home    Online Payments    Card Operations    PCI and Tokenization

On this page:

Overview

The Payment Card Industry (PCI) Data Security Standards (DSS) regulate the storage and management of credit card details issued by the major card schemes.

PCI Certification

Each PCI DSS level has its own set of requirements. Certification for most of these PCI levels involves submitting a self-assessment questionnaire (SAQ) to evaluate the company’s compliance to the various PCI DSS standards. Other factors taken into account include the company’s: card transaction volume, card acceptance channels used, security posture and practices, and business complexity, etc.

Credentials Collection, Storage, and PCI Reporting

Each Nuvei Solution set (Nuvei Integration Type) defines the merchant’s involvement in the process of collecting customer credit card details, as well as the merchant’s PCI reporting responsibilities as described below:

Merchant PCI Responsibilities

Nuvei Integration MethodWho Collects Card DetailsMerchant PCI Responsibilities
Payment Page
(hosted page)		Nuvei
Using the Nuvei Payment Page.
  • Submit the Simplest SAQ-A form
    (stating you outsource PCI to Nuvei).
  • Perform quarterly scans
Simply ConnectNuvei
Collects directly from Nuvei form merchant embeds in its payment page.
  • Submit the Simplest SAQ-A form
    (stating you outsource PCI to Nuvei).
  • Perform quarterly scans
Web SDK with Nuvei FieldsNuvei
Collects directly from Nuvei Fields merchant embeds in its payment page.
  • Submit the Simplest SAQ-A form
    (stating you outsource PCI to Nuvei).
  • Perform quarterly scans
Web SDK without Nuvei FieldsThe merchant
Collects and passes to Nuvei directly from the merchant's frontend.
  • Submit the Moderate SAQ-A EP form (shorter than the SAQ-D).
  • Agree to conform to the required security standards.
  • Perform quarterly scans.
Server-to-ServerThe merchant
Collects from the merchant's checkout or payment page and passes the details to Nuvei from the backend.
  • If you store card details for even a short time, submit the detailed SAQ-D form. If you immediately delete card details, submit the moderate SAQ-A EP form (shorter than the SAQ-D).
  • Agree to conform to the required security standards.
  • Perform quarterly scans.
  • Depending on your annual number of transactions with a card scheme, you might be required to undergo a Level 1 ROC. For more information, see the card scheme's website. For example:

User Payment Management (Tokenization)

Nuvei has PCI accreditation that allows us to store and manage customer card details for later use. When a customer wishes to make a payment, they can simply select one of their stored payment methods with no need to re-enter the card details.

If you want to allow a customer to save their payment details for future transactions, you must include “payment option details” (e.g. card, expiration date, CVV), along with a userTokenId, which identifies the customer. Nuvei stores the details and returns a userPaymentOptionId (UPO) identifier in the response. See the Card-on-File topic.

The next time your customer makes a payment, you do not need to collect the payment option details again. Instead, send their userTokenId and userPaymentOptionId in the payment request.

This is Nuvei Gateway (GW) tokenization. Nuvei also supports network tokenization.

Last update iconLast modified March 2025