
PCI DSS compliance

MidasPay is audited annually against PCI DSS for the card-handling portions of its platform. Integrating with MidasPay can reduce your own PCI scope, but does not eliminate it. This page explains the shared-responsibility model so your own PCI assessment runs smoothly.

Shared responsibility

What MidasPay handles

  • Card-data acceptance — hosted checkout page, JS SDK iframe and tokenisation endpoints keep the Cardholder Data Environment (CDE) inside MidasPay.
  • Encryption at rest and in transit on the MidasPay side.
  • Network and application security on the MidasPay side — segmentation, monitoring and periodic scanning.
  • Attestation of Compliance (AoC) — available on request from your MidasPay merchant manager under NDA.

What you remain responsible for

  • Merchant systems — OS patching, anti-malware, access control on any server that handles MidasPay tokens, credentials or webhook data.
  • API private keys — store in an HSM, KMS, Vault or equivalent. Never commit to source control or share with third parties.
  • Network controls — if you whitelist MidasPay egress IPs for inbound webhooks, keep the list current (ask your MidasPay contact for the authoritative list).
  • Logging & monitoring — retain webhook and API call logs to satisfy your own PCI attestation and to support dispute handling.
  • Staff access — Merchant Portal access should use strong authentication and follow least privilege. Deprovision promptly on role change.
  • Your own SAQ — self-assessment questionnaire appropriate to your integration style (see below).

Which SAQ applies to you?

  • Hosted redirect — you redirect the buyer to a MidasPay-hosted checkout page and the PAN is entered there. Card data touch point: none (PAN never enters your systems). PCI SAQ: SAQ A.
  • JS SDK iframe — you embed a MidasPay iframe and the PAN is entered inside the iframe. Card data touch point: none (PAN never enters your page DOM). PCI SAQ: SAQ A-EP.
  • Direct card API — your server receives the raw PAN before calling MidasPay. Card data touch point: full (the CDE is on your servers). PCI SAQ: SAQ D-Merchant (talk to MidasPay first).

The exact question count of each SAQ is set by the PCI SSC and changes between PCI DSS versions — consult the current version of the PCI DSS for the definitive numbers.

Prefer a non-CDE integration where possible

Hosted-redirect and iframe integrations keep you out of the most demanding SAQ (D). Unless you have a strong business reason, favour these patterns over taking PAN through your own servers.

Key & credential management

The following must be held in an HSM, KMS, Vault or equivalent:

  • Your merchant RSA-2048 private signing key.
  • The MidasPay platform public certificate(s) you pin when verifying responses and webhooks. Store them by their Txgw-Serial value so rotation can be rolled out smoothly.
  • Merchant Portal passwords & multi-factor backup codes.

Rotation practice

  • Your signing key pair: rotate periodically per your internal security policy; always rotate immediately on suspicion of compromise.
  • Platform certificates: MidasPay rotates these on its own schedule. Your verifier should look up the certificate by Txgw-Serial — see Webhooks → Verify signatures and Signature verification.
  • Emergency rotation (suspected leak): revoke the affected credential immediately in the Merchant Portal and contact MidasPay support.
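The following Go program is an added illustration of the serial-keyed lookup described above; it is not MidasPay's SDK or any code from this page. It keeps platform public keys in a store indexed by Txgw-Serial, verifies a webhook by selecting the key the header names, fails closed on an unknown serial, and walks through a rotation with an overlap window in which both serials are trusted. The serial values, the webhook body, the RSA PKCS#1 v1.5/SHA-256 signature scheme and the function names (PlatformKeyStore, VerifyWebhook, RotationWalkthrough) are assumptions for the example; in production the store would be backed by your KMS or Vault and hold the pinned certificates rather than bare public keys.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"sync"
)

// ErrUnknownSerial: a webhook named a Txgw-Serial we never provisioned, so the
// verifier fails closed instead of guessing which key to use.
var ErrUnknownSerial = errors.New("unknown Txgw-Serial: refusing to verify")

// PlatformKeyStore indexes MidasPay platform public keys by Txgw-Serial, so a
// rotation is rolled out by adding the new serial before retiring the old one.
// In production the map would be backed by your KMS/Vault and hold the pinned
// certificates; bare RSA public keys keep this example self-contained.
type PlatformKeyStore struct {
	mu   sync.RWMutex
	keys map[string]*rsa.PublicKey
}

func NewPlatformKeyStore() *PlatformKeyStore {
	return &PlatformKeyStore{keys: map[string]*rsa.PublicKey{}}
}

func (s *PlatformKeyStore) Add(serial string, pub *rsa.PublicKey) {
	s.mu.Lock()
	s.keys[serial] = pub
	s.mu.Unlock()
}

func (s *PlatformKeyStore) Retire(serial string) {
	s.mu.Lock()
	delete(s.keys, serial)
	s.mu.Unlock()
}

// VerifyWebhook selects the key named by the Txgw-Serial header and checks the
// signature over the raw body. RSA PKCS#1 v1.5 over SHA-256 is an assumption
// for this example; use the scheme Webhooks → Verify signatures specifies.
func (s *PlatformKeyStore) VerifyWebhook(serial string, body, sig []byte) error {
	s.mu.RLock()
	pub, ok := s.keys[serial]
	s.mu.RUnlock()
	if !ok {
		return ErrUnknownSerial
	}
	digest := sha256.Sum256(body)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// signWith stands in for the MidasPay platform signing a webhook; it exists
// only to construct traffic for the walkthrough below.
func signWith(priv *rsa.PrivateKey, body []byte) []byte {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// RotationWalkthrough runs the store through a platform key rotation and
// returns the verification outcome at each stage (nil means accepted).
func RotationWalkthrough() map[string]error {
	oldKey, newKey := mustKey(), mustKey()
	// Constructed webhook body and serial values, not real MidasPay identifiers.
	body := []byte(`{"id":"evt_constructed_0001","type":"payment.captured"}`)
	oldSig, newSig := signWith(oldKey, body), signWith(newKey, body)

	store := NewPlatformKeyStore()
	store.Add("serial-old", &oldKey.PublicKey)
	out := map[string]error{}
	out["old serial before rotation"] = store.VerifyWebhook("serial-old", body, oldSig)
	out["new serial not yet provisioned"] = store.VerifyWebhook("serial-new", body, newSig)
	store.Add("serial-new", &newKey.PublicKey) // overlap window: both serials trusted
	out["new serial during overlap"] = store.VerifyWebhook("serial-new", body, newSig)
	out["old serial during overlap"] = store.VerifyWebhook("serial-old", body, oldSig)
	store.Retire("serial-old")
	out["old serial after retirement"] = store.VerifyWebhook("serial-old", body, oldSig)
	out["old key's signature under new serial"] = store.VerifyWebhook("serial-new", body, oldSig)
	return out
}

func main() {
	for stage, res := range RotationWalkthrough() {
		fmt.Printf("%-40s -> %v\n", stage, res)
	}
}
```

The point of the walkthrough is the ordering: a webhook carrying a serial you have not yet provisioned is rejected rather than verified against whatever key happens to be current, both serials verify during the overlap window, and after retirement the old serial is rejected again. Emergency rotation on the platform side is the same sequence with a short or empty overlap, which is why the store should be refreshable without a redeploy.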

TLS & transport

  • All MidasPay endpoints require HTTPS. Plain HTTP and TLS versions below 1.2 are rejected.
  • Your webhook endpoint must likewise be served over HTTPS with TLS 1.2+.

Logging & monitoring recommendations

For both your own PCI attestation and for incident response, keep logs of:

  • Every outbound API call — request body (minus secrets), response status, MidasPay debug_id from the response, and timestamp.
  • Every inbound webhook — envelope id, Txgw-Timestamp, and whether signature verification passed.
  • Every Merchant Portal login and credential update.

Do not log full PANs, CVVs, full magnetic-stripe data, or authentication data even if your integration momentarily sees them.
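As an added example, not MidasPay code, the following Go program scrubs an outbound request body before it reaches your log, which is how "request body (minus secrets)" and "do not log full PANs or CVVs" are satisfied in practice. It masks any 13-19 digit run that passes the Luhn check (in free text, in JSON strings, and as bare JSON numbers) to its last four digits, and replaces the values of sensitive-authentication-data fields outright. The field names in the deny list, the function names (ScrubText, ScrubJSON) and the sample body, which uses publicly known test card numbers, are assumptions constructed for this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// candidatePAN matches 13-19 digits, optionally separated by single spaces or
// dashes: the shape of a PAN typed or pasted into a field.
var candidatePAN = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// sensitiveFields are field names whose values are never logged at all. The
// list is an assumption for this example; match it to your own field names.
var sensitiveFields = map[string]bool{
	"cvv": true, "cvc": true, "cvv2": true, "csc": true,
	"track1": true, "track2": true, "pin": true, "pin_block": true,
}

// luhnValid separates a card number from an order id or timestamp of the same
// length. A random digit run still passes one time in ten, so treat it as a
// filter, not a guarantee.
func luhnValid(digits string) bool {
	if len(digits) < 13 || len(digits) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if d > 9 { // non-digit byte: subtraction wraps to a large value
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// maskPAN keeps only the last four digits of a Luhn-valid number and returns
// anything else unchanged.
func maskPAN(candidate string) string {
	digits := strings.NewReplacer(" ", "", "-", "").Replace(candidate)
	if !luhnValid(digits) {
		return candidate
	}
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

// ScrubText masks every card-number-shaped, Luhn-valid run in free text.
func ScrubText(s string) string {
	return candidatePAN.ReplaceAllStringFunc(s, maskPAN)
}

// ScrubJSON returns a copy of a JSON body that is safe to log: sensitive
// fields replaced by a marker, PANs masked wherever they appear.
func ScrubJSON(raw []byte) ([]byte, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.UseNumber() // keep 16-digit numbers exact instead of rounding via float64
	var v interface{}
	if err := dec.Decode(&v); err != nil {
		return nil, err
	}
	return json.Marshal(scrubValue(v))
}

func scrubValue(v interface{}) interface{} {
	switch t := v.(type) {
	case map[string]interface{}:
		out := make(map[string]interface{}, len(t))
		for k, val := range t {
			if sensitiveFields[strings.ToLower(k)] {
				out[k] = "[REDACTED]"
				continue
			}
			out[k] = scrubValue(val)
		}
		return out
	case []interface{}:
		for i := range t {
			t[i] = scrubValue(t[i])
		}
		return t
	case string:
		return ScrubText(t)
	case json.Number:
		if masked := maskPAN(string(t)); masked != string(t) {
			return masked // a numeric PAN becomes a masked string
		}
		return t
	default:
		return v
	}
}

func main() {
	// Constructed body using publicly known test card numbers, not real cardholder data.
	safe, err := ScrubJSON([]byte(`{"card":{"number":"4111 1111 1111 1111","cvv":"123"},"amount":1999,"note":"retry of 5555555555554444"}`))
	if err != nil {
		panic(err)
	}
	fmt.Println(string(safe))
}
```

Run the scrubber on the serialised body before the log call, not on the log line after formatting, so a PAN cannot slip through a format string. Two caveats are worth testing against your own payloads: the regex treats digits joined by single spaces as one candidate, so a PAN directly followed by a space and another number can be skipped, and fields that hold a PAN under an unexpected name are caught only by the Luhn pass, not by the deny list.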

Data retention & erasure

  • Order and webhook data retention periods are set by your merchant contract. Sandbox data may be retained for a shorter period than production.
  • Data subject requests (GDPR, CCPA): contact your MidasPay privacy point of contact; MidasPay will process requests in accordance with the Data Processing Addendum in your contract.

Getting your attestation

MidasPay's current Attestation of Compliance (AoC) is available under NDA — request it from your MidasPay merchant manager.

See also