PCI DSS Compliant Payment Gateway: What It Means for Your Business
PCI DSS (Payment Card Industry Data Security Standard) is the global security framework that governs how card data must be handled by any entity that processes, stores, or transmits payment card information. For merchants choosing a payment gateway, PCI DSS certification level is one of the most important technical and commercial selection criteria. Using a PCI DSS Level 1 certified gateway significantly reduces the merchant's own compliance burden, protects cardholders, and reduces the risk of data breaches that result in scheme fines and card re-issuance costs. This guide explains what PCI DSS compliance means for a gateway, the certification levels, what a Level 1 gateway does for your compliance programme, and what merchants must still do independently.
What PCI DSS Compliance Means for a Payment Gateway
PCI DSS is a set of security requirements developed by the major card schemes (Visa, Mastercard, Amex, Discover, JCB) through the PCI Security Standards Council. The standard applies to any entity that processes, stores, or transmits cardholder data, defined primarily as the Primary Account Number (PAN), combined with any additional data elements (name, expiry, service code).
For a payment gateway, PCI DSS compliance means the gateway's entire infrastructure, including its servers, networks, applications, and operational procedures, meets the security requirements defined in the current PCI DSS standard (currently version 4.0). The standard's twelve requirements cover areas including network security, secure configuration, cardholder data protection, vulnerability management, access control, physical security, monitoring and testing, and security policy.
Why it matters for merchants: A gateway that is not PCI DSS compliant creates liability exposure for every merchant using it. If cardholder data processed through the gateway is compromised, the card schemes can levy fines, require card re-issuance at the merchant's cost, and in serious cases revoke the acquirer's processing licences. Using a PCI DSS Level 1 certified gateway shifts the security responsibility for the processing infrastructure to the gateway, reducing the merchant's direct exposure.
Ongoing certification: PCI DSS compliance is not a one-time certification. Level 1 gateways undergo annual on-site security assessments by a Qualified Security Assessor (QSA) and quarterly network vulnerability scans by an Approved Scanning Vendor (ASV). This continuous assessment ensures the gateway's security posture is maintained as threats evolve.
For merchants using a specialist high-risk payment gateway, PCI DSS Level 1 certification at the gateway level is particularly important because high-risk merchant categories attract elevated attention from both fraudsters and regulatory bodies.
PCI DSS Levels: Level 1 vs Level 2 vs Level 3 vs Level 4
PCI DSS certification is tiered by transaction volume, with different compliance validation requirements at each level. Merchants and service providers have separate level definitions; a payment gateway is a service provider, so the service provider levels are the relevant ones.
Service provider levels:
Level 1 service providers process, store, or transmit more than 300,000 card transactions per year. They must undergo an annual Report on Compliance (RoC) prepared by a Qualified Security Assessor, plus quarterly network scans. This is the most rigorous assessment level and the level at which RoxPay is certified.
Level 2 service providers process fewer than 300,000 card transactions per year. They may complete an annual Self-Assessment Questionnaire (SAQ) plus quarterly scans instead of a full QSA audit.
Merchant levels (for context):
Merchant Level 1: Over six million Visa or Mastercard transactions per year. Requires annual QSA on-site assessment.
Merchant Level 2: One to six million transactions per year.
Merchant Level 3: 20,000 to one million e-commerce transactions.
Merchant Level 4: Fewer than 20,000 e-commerce transactions or fewer than one million other transactions.
What Level 1 certification signals: A PCI DSS Level 1 certified gateway has undergone the most rigorous possible third-party security assessment. For merchants, this represents the highest available assurance that the processing infrastructure they rely on meets the industry's top security standard. It is the certification level required for large-volume processors and the one that provides the broadest scope reduction benefit for merchants.
How Using a PCI DSS Level 1 Gateway Reduces Your Compliance Burden
Using a PCI DSS Level 1 gateway significantly reduces the scope of your own PCI DSS compliance programme, but the extent of the reduction depends on your integration method.
Hosted page integration (full scope reduction): When you use the gateway's hosted payment page, your customer is redirected to the gateway's domain to enter card details. Your infrastructure never sees card data. Under this model, you qualify for SAQ A, the simplest self-assessment questionnaire. SAQ A has approximately 22 requirements, compared to 300 for SAQ D. The hosted page integration combined with a Level 1 gateway provides maximum scope reduction.
Drop-in UI or iFrame integration (near-full scope reduction): When the gateway provides JavaScript-injected iFrame elements for card entry within your checkout page, the card data is handled within the gateway's secure iFrame, not your page's code. Your infrastructure does not handle raw card data. You still qualify for SAQ A under this model in most interpretations. This provides the same scope reduction benefit as a full hosted page redirect with a better customer experience.
REST API with tokenisation (moderate scope reduction): When your frontend collects card data and sends it to your server, which then calls the gateway API, your server is in scope for PCI DSS. Even if you immediately tokenise the card and never store the raw PAN, the fact that your server handled raw card data puts it in scope. This integration type requires SAQ D or a full QSA assessment depending on your scale, significantly increasing compliance cost and effort.
What scope reduction means in practice: SAQ A compliance is achievable for most small and mid-sized merchants without dedicated security staff or costly external assessments. SAQ D compliance requires significant investment in security controls, documentation, and potentially a QSA engagement. The integration method decision is therefore a significant compliance cost decision, not just a technical one.
What Merchants Still Need to Do Even With a Compliant Gateway
Using a PCI DSS Level 1 certified gateway reduces your compliance burden but does not eliminate all PCI obligations. Merchants remain responsible for several requirements regardless of their gateway's certification level.
Complete your SAQ: Even under SAQ A (the simplest form for hosted/iFrame integrations), merchants must complete and retain the self-assessment questionnaire. Failure to complete the SAQ can result in non-compliance flags from your acquirer and potential fines.
Secure your application layer: Your website and application are in scope for PCI DSS even when using a hosted gateway, specifically with respect to preventing web skimming attacks. PCI DSS 4.0 introduced specific requirements around protecting payment pages from client-side script injection (Magecart-style attacks), which can capture card data as it is entered before it reaches the gateway's iFrame. You must implement script inventory and integrity monitoring on your payment pages.
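As an added illustration of the script inventory check described above (example code written for this page, not RoxPay's integration code), the Python below parses a constructed checkout page, pins inline scripts by an SRI-style hash, and reports any script that is missing from the approved inventory or served without its expected integrity value. The gateway URL, the integrity value and the unknown script host are all placeholders.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed checkout page: the approved gateway script, one approved inline snippet,
# and a third script that nobody added to the inventory.
PAGE_HTML = """<html><body>
<script src="https://gateway.example/dropin.js" integrity="sha384-PLACEHOLDERgateway"></script>
<script>window.checkoutReady = true;</script>
<script src="https://static.example-unknown.net/tag.js"></script>
</body></html>"""

def sri_hash(source: str) -> str:
    """SRI-style digest (sha384, base64) used to pin inline script bodies."""
    return "sha384-" + base64.b64encode(hashlib.sha384(source.encode()).digest()).decode()

class ScriptCollector(HTMLParser):
    """Records each <script>: its src, integrity attribute and inline body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._current = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}
    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None

def audit_payment_page(html: str, external: dict, inline: set) -> list:
    """external maps approved src -> expected integrity value; inline is the set of
    approved sha384 hashes. Returns findings; an empty list means the page matches."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        if s["src"] is None:
            if sri_hash(s["body"].strip()) not in inline:
                findings.append("unapproved inline script")
        elif s["src"] not in external:
            findings.append(f"unapproved external script: {s['src']}")
        elif s["integrity"] != external[s["src"]]:
            findings.append(f"integrity missing or changed: {s['src']}")
    return findings

# The inventory the team signed off on (placeholder integrity value).
APPROVED_EXTERNAL = {"https://gateway.example/dropin.js": "sha384-PLACEHOLDERgateway"}
APPROVED_INLINE = {sri_hash("window.checkoutReady = true;")}
```

Running the audit against a freshly fetched copy of the live payment page on a schedule, and alerting on any non-empty result, gives the change detection the requirement is after.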
Protect your API credentials: Your API keys and webhook signing secrets must be stored securely, rotated regularly, and never exposed in client-side code or version control. Compromised API credentials create a direct security risk even when the gateway itself is PCI Level 1 compliant.
Maintain your system hygiene: Servers, applications, and infrastructure that are part of your payment environment must be kept patched and secured. PCI DSS requirements for access control, logging, and change management apply to your systems in scope, not just the gateway.
Do not store prohibited data: Even when using a hosted gateway, you must not retain full card numbers, CVVs, or magnetic stripe data in any system you control. Logging that inadvertently captures request bodies, analytics platforms that receive form data, and error reporting services are all potential sources of prohibited data storage.
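An added example of guarding against the logging leak described above (written for this page, not RoxPay's code): a Python logging filter that masks Luhn-valid card numbers to their last four digits and blanks CVV fields before a record is formatted, while leaving non-card digit strings such as order ids untouched. The sample request body is constructed.

```python
import logging
import re

# 13-19 digit runs, optionally separated by spaces or hyphens, as cards are often typed.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# cvv/cvc/cvv2 fields as they appear in query strings, form bodies or JSON.
CVV_RE = re.compile(r'("?(?:cvv2|cvv|cvc)"?\s*[:=]\s*"?)\d{3,4}', re.IGNORECASE)

def luhn_ok(digits: str) -> bool:
    """Luhn check: separates real PANs from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def redact(text: str) -> str:
    """Mask PANs to their last four digits and blank CVV values."""
    def mask_pan(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw  # not a card number (e.g. an order id): leave it alone
        return "*" * (len(digits) - 4) + digits[-4:]
    text = PAN_RE.sub(mask_pan, text)
    return CVV_RE.sub(lambda m: m.group(1) + "***", text)

class CardDataFilter(logging.Filter):
    """Attach to every handler on the payment path so redaction runs
    before any formatter writes the record."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if isinstance(record.args, tuple):
            record.args = tuple(redact(str(a)) for a in record.args)
        return True

def filtered_message(msg: str, *args) -> str:
    """Run one record through CardDataFilter and return the text a handler would emit."""
    record = logging.LogRecord("payments", logging.INFO, "", 0, msg, args, None)
    CardDataFilter().filter(record)
    return record.getMessage()

if __name__ == "__main__":
    # Constructed sample: a request body that should never reach a log file as-is.
    body = "card=4111 1111 1111 1111&cvv=123&order=1234567890123456"
    print(filtered_message("checkout request body: %s", body))
```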
RoxPay PCI DSS Level 1 Certification and What It Covers
RoxPay holds PCI DSS Level 1 certification with certificate number QS83A47X629. This certification is maintained through annual on-site assessments by a Qualified Security Assessor and quarterly network scans by an Approved Scanning Vendor.
What the certification covers: The entire RoxPay payment processing infrastructure, including card data vaults, transaction processing servers, network infrastructure, API endpoints, and operational procedures. The certification scope covers the cardholder data environment in its entirety, from the point where card data enters the RoxPay system through processing, storage (tokenised), and transmission to acquirers.
What this means for merchants: Merchants using RoxPay's hosted checkout or drop-in UI integration can qualify for SAQ A, the minimum compliance validation requirement for merchants who do not handle card data directly. This reduces the compliance overhead for merchants to an annual self-assessment and quarterly scans rather than a full QSA engagement.
ISO 27001 certification: In addition to PCI DSS Level 1, RoxPay holds ISO 27001 certification, which covers the information security management system broadly, including data protection, access management, incident response, and business continuity. This provides assurance beyond the payment-specific PCI framework.
OAM registration: RoxPay is registered with the Italian OAM (Organismo Agenti e Mediatori), confirming its status as a regulated payment operator in Italy.
To start your RoxPay application and access the sandbox environment for PCI-compliant integration testing, complete the digital onboarding form. Sandbox credentials are available immediately upon registration. The full API documentation, including security integration guidance, is at app.roxpay.eu/api/v4/docs.
RoxPay processes over 500 million euros in annual volume across 120 payment systems with a 99.9% uptime SLA. IC++ pricing from 0.45%, settlement to any SEPA bank in 24-48 hours.
Frequently Asked Questions
What is the difference between PCI DSS Level 1 and Level 2?
For service providers (payment gateways), Level 1 requires an annual on-site assessment by a Qualified Security Assessor, producing a formal Report on Compliance. Level 2 allows self-completion of a Self-Assessment Questionnaire. Level 1 is more rigorous and provides merchants with greater assurance because an independent security expert has reviewed the entire processing environment on site and certified it.
Do I need to be PCI DSS compliant if I use RoxPay's hosted checkout?
Yes, but your compliance obligation is minimal. Using RoxPay's hosted checkout or drop-in UI means you qualify for SAQ A, which involves completing a short self-assessment questionnaire of approximately 22 requirements, plus quarterly network scans by an Approved Scanning Vendor. You do not need a QSA audit or a full SAQ D assessment.
What is PCI DSS 4.0 and does it affect merchants using hosted checkouts?
PCI DSS version 4.0 was published in 2022 and became the effective standard in 2024. For merchants using hosted checkouts, the most relevant new requirement in v4.0 is the need to maintain a script inventory and integrity monitoring for all scripts running on your payment pages (to prevent web skimming). This applies even under SAQ A. RoxPay's integration documentation includes guidance on meeting this requirement.