
    PCI and Tokenization


    Overview

    The Payment Card Industry (PCI) Data Security Standards (DSS) regulate the storage and management of credit card details issued by the major card schemes.

    PCI Certification

    Each PCI DSS level has its own set of requirements. Certification for most of these PCI levels involves submitting a self-assessment questionnaire (SAQ) to evaluate the company's compliance with the various PCI DSS standards. Other factors taken into account include the company's card transaction volume, card acceptance channels used, security posture and practices, and business complexity.

    Credentials Collection, Storage, and PCI Reporting

    Each Nuvei Solution set (Nuvei Integration Type) defines the merchant’s involvement in the process of collecting customer credit card details, as well as the merchant’s PCI reporting responsibilities as described below:

    Merchant PCI Responsibilities

    Nuvei Integration Method: Payment Page (hosted page)
    • Who Collects Card Details: Nuvei, using the Nuvei Payment Page.
    • Merchant PCI Responsibilities:
      • Submit the Simplest SAQ-A form (stating you outsource PCI to Nuvei).

    Nuvei Integration Method: Simply Connect
    • Who Collects Card Details: Nuvei. Collects from their checkout or payment page.
    • Merchant PCI Responsibilities:
      • Submit the Simplest SAQ-A form (stating you outsource PCI to Nuvei).

    Nuvei Integration Method: Web SDK with Nuvei Fields
    • Who Collects Card Details: Nuvei. Collects directly from the merchant page.
    • Merchant PCI Responsibilities:
      • Submit the Simplest SAQ-A form (stating you outsource PCI to Nuvei).

    Nuvei Integration Method: Web SDK without Nuvei Fields
    • Who Collects Card Details: The merchant. Collects and passes it to Nuvei directly from their frontend.
    • Merchant PCI Responsibilities:
      • Submit the Moderate SAQ-A EP form (shorter than the SAQ-D).
      • Agree to conform to the required security standards.
      • Perform quarterly scans.

    Nuvei Integration Method: Server-to-Server (REST API, Server-Side SDK, REST API 2.0 Beta)
    • Who Collects Card Details: The merchant. Collects from their checkout or payment page.
    • Merchant PCI Responsibilities:
      • Submit the Detailed SAQ-D form.
      • Agree to conform to the required security standards.
      • Perform quarterly scans.

    User Payment Management (Tokenization)

    Nuvei has PCI accreditation that allows us to store and manage customer card details for later use. When a customer wishes to make a payment, they can simply select one of their stored payment methods with no need to re-enter the card details.

    When a customer makes a payment for the first time, you must include “payment option details” (e.g. card, expiration date, CVV), along with a userTokenId, which identifies the customer. Nuvei stores the details and returns a userPaymentOptionId (UPO) identifier in the response. See the Card-on-File topic.

    The next time your customer makes a payment, you do not need to collect the payment option details again. Instead, send their userTokenId and userPaymentOptionId in the payment request.
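
    The first-payment and repeat-payment flow above, sketched as an added example (not Nuvei's code or SDK): the merchant side builds both request bodies and persists only the two identifiers, rejecting anything that looks like a card number. Only userTokenId and userPaymentOptionId come from this page; the other field names, the response shape and all sample values are assumptions.

```python
import re

# Only userTokenId and userPaymentOptionId come from the page; every other
# field name and the response shape are assumptions made for this sketch.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def contains_pan(value):
    """Recursively look for a Luhn-valid 13-19 digit run in nested data."""
    if isinstance(value, dict):
        return any(contains_pan(v) for v in value.values())
    if isinstance(value, (list, tuple)):
        return any(contains_pan(v) for v in value)
    for match in PAN_RE.finditer(str(value)):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            return True
    return False

def build_payment_request(user_token_id, amount, currency, card=None, upo_id=None):
    """First payment carries card details; a repeat payment carries only the UPO."""
    if (card is None) == (upo_id is None):
        raise ValueError("supply exactly one of card or upo_id")
    option = {"card": card} if card is not None else {"userPaymentOptionId": upo_id}
    return {"userTokenId": user_token_id, "amount": amount,
            "currency": currency, "paymentOption": option}

def record_to_store(user_token_id, response):
    """Persist only the two identifiers; refuse anything that looks like a PAN."""
    record = {"userTokenId": user_token_id,
              "userPaymentOptionId": str(response["userPaymentOptionId"])}
    if contains_pan(record):
        raise ValueError("refusing to persist PAN-like data")
    return record

if __name__ == "__main__":
    # Constructed sample values; 4111111111111111 is a common test card number.
    card = {"cardNumber": "4111111111111111", "expirationMonth": "12",
            "expirationYear": "2030", "CVV": "217"}
    first = build_payment_request("user-1001", "10.00", "USD", card=card)
    saved = record_to_store("user-1001", {"userPaymentOptionId": "53959588"})
    repeat = build_payment_request(saved["userTokenId"], "25.00", "USD",
                                   upo_id=saved["userPaymentOptionId"])
    print(contains_pan(first), contains_pan(repeat), saved)
```

    The same contains_pan check can be run over log records and database rows to confirm that card numbers stay out of merchant-side storage once the UPO is in use.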

    Nuvei Integration Type: Nuvei Payment Page (hosted page)
    • Who Collects Card Details: Nuvei, using the Nuvei Payment Page.
    • Merchant PCI Responsibilities:
      • Submit the Simplest SAQ-A form (stating you outsource PCI to Nuvei).

    Nuvei Integration Type: Web SDK Fields
    • Who Collects Card Details: Nuvei. Collects directly from the merchant page.
    • Merchant PCI Responsibilities:
      • Submit the Simplest SAQ-A form (stating you outsource PCI to Nuvei).

    Nuvei Integration Type: Nuvei Checkout
    • Who Collects Card Details: Nuvei. Collects from their checkout or payment page.
    • Merchant PCI Responsibilities:
      • Submit the Simplest SAQ-A form (stating you outsource PCI to Nuvei).

    Nuvei Integration Type: Frontend Tokenization (API methods: cardTokenization)
    • Who Collects Card Details: The merchant. Collects and passes it to Nuvei directly from their frontend.
    • Merchant PCI Responsibilities:
      • Submit the Moderate SAQ-A EP form (shorter than the SAQ-D).
      • Agree to conform to the required security standards.
      • Perform quarterly scans.

    Nuvei Integration Type: Server-to-Server (REST API, Server-Side SDK)
    • Who Collects Card Details: The merchant. Collects from their checkout or payment page.
    • Merchant PCI Responsibilities:
      • Submit the Detailed SAQ-D form.
      • Agree to conform to the required security standards.
      • Perform quarterly scans.

     

     
