# PCI Compliance

PCI DSS is the global data security standard developed by the Payment Card Industry to protect cardholder data and reduce credit card fraud. It consists of requirements that reflect security best practices. Compliance with PCI DSS is expected from all entities that process, store or transmit cardholder data or sensitive authentication data.

One option, requiring some time and effort, is undergoing the PCI compliance certification process with a certified PCI auditor. An alternative is shifting some of the responsibility for the data to an external entity such as Straal. You can do so by using our Checkout Page or by designing a custom payment form with Straal.js.

The minimum compliance requirement is completing a PCI Self-Assessment Questionnaire. It takes less time and preparation than undergoing full certification.

# SAQ types required for each integration type

| Integration type | Required SAQ |
| --- | --- |
| Straal Checkout Page | SAQ A – the simplest method of PCI validation; a 19-page questionnaire. |
| Custom payment form with Straal.js | SAQ A-EP – a more stringent self-assessment questionnaire, twice as long as SAQ A. |
| Mobile SDK | SAQ A-EP (if using our SDKs for iOS or Android) – a more stringent self-assessment questionnaire, twice as long as SAQ A. If you choose to write your own code, you may be subject to more PCI requirements, and SAQ A-EP will not be enough. |
| Back-end-to-back-end integration | SAQ D (over 40 pages long) – the strictest questionnaire, because the cardholder data passes through your backend. |

Read more about the types of PCI SAQs in the PCI SSC Document Library, or read more about the PCI Security Standards in general at the PCI SSC website.