PCI Recommendations and Integration Types

This page outlines the various integration methods and their corresponding PCI DSS Self-Assessment Questionnaire (SAQ) recommendations. If your business processes, transmits, or stores customer card information, maintaining compliance with the Payment Card Industry Data Security Standard (PCI DSS) is critical.

Chargebee helps ease the burden of PCI compliance, but it's important to remember that compliance is a shared responsibility between your organization, Chargebee, and your payment gateway.

Consult a QSA

The suggestions on this page are broad guidelines, so they might not fit every business scenario. The SAQ you need depends on your business operations and your merchant bank's criteria. For more specific guidance, consult your merchant bank, or a Qualified Security Assessor (QSA).

PCI DSS v4.0.1 and SAQ A

In the January 2025 revision of SAQ A for PCI DSS v4.0.1, the PCI Security Standards Council removed Requirements 6.4.3 and 11.6.1, which cover payment page script management and tamper detection, and Requirement 12.3.1, which covers targeted risk analysis. In their place, the SAQ A eligibility criteria now require the merchant to confirm that its website is not susceptible to attacks from scripts that could affect its e-commerce systems. This simplifies the questionnaire for SAQ A merchants, but the page that embeds the payment form still needs basic script hygiene (see the Security Considerations below).

Chargebee's Hosted payment pages (Standalone Hosted Pages / iFrame)

With this option, you offer your customers the out-of-the-box checkout experience Chargebee provides to collect card details. The card data is entered on a page (or iFrame) served by Chargebee, encrypted, and sent to the chosen payment gateway without passing through your servers. The gateway returns a token, which Chargebee stores against the customer record.

Recommendation: SAQ A

Chargebee.js Card Components + Chargebee API

With this option, you build and host your own checkout page and embed Chargebee.js Card Components to collect the customer's card details. The hosted payment fields (components) encrypt the card data and send it to the chosen payment gateway from the customer's browser; the processed information comes back to Chargebee as a token. Use that token in the Create subscription and Create payment source APIs to create the subscription and payment method in Chargebee. Your own backend should only ever receive the token, never the card number.

Recommendation: SAQ A

Security Considerations

Every script loaded from an external origin, including Chargebee.js, your gateway's JavaScript and anything else on the checkout page, means the page's security depends on that provider's safeguards. If one of them is compromised, attacker-controlled code runs on your checkout page and can tamper with the page that hosts the payment fields. Many sites still load third-party scripts for analytics, tag managers and chat widgets; keep them off the checkout page where you can, load only scripts on an explicit allowlist, and keep an inventory of what is loaded.

Chargebee API + Any Gateway JS

With this option, you build and host your own checkout page and use the JavaScript library your chosen payment gateway provides to collect the card data. The gateway's library encrypts the card details in the customer's browser and sends them to the gateway, which returns a token. Use that token in the Create subscription and Create payment source APIs to create the subscription and payment method in Chargebee.

Recommendation: SAQ A

Security Considerations

The same considerations as for Chargebee.js Card Components apply: the gateway's JavaScript is an external script, and so is anything else loaded on the checkout page. Limit third-party scripts on that page, allowlist the ones you need, and keep an inventory.
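The script checks described in the two Security Considerations sections above can be automated. The following is an added example (not Chargebee's or any gateway's code): it inventories the script tags on a checkout page, flags any third-party script that is not on an explicit allowlist or has no Subresource Integrity attribute, and builds a Content-Security-Policy script-src directive from the allowlist. The allowlist, the page origin https://shop.example and the sample HTML are constructed for the example; the Chargebee.js URL is the one Chargebee's docs use, and the gateway host is a placeholder.

```javascript
// Added example, not Chargebee's code: inventory and audit the scripts on a
// checkout page, then derive a CSP script-src directive from the allowlist.

// Hypothetical allowlist for a checkout page. The Chargebee.js host is taken
// from Chargebee's docs (an assumption); the gateway host is a placeholder.
const ALLOWED_SCRIPT_ORIGINS = [
  "https://js.chargebee.com",
  "https://js.example-gateway.com",
];

// Constructed sample checkout page: a billing script, a gateway script, an
// analytics tag that is not on the allowlist, a first-party script with SRI,
// and an inline script.
const SAMPLE_CHECKOUT_HTML = `
<html><head>
<script src="https://js.chargebee.com/v2/chargebee.js"></script>
<script src="https://js.example-gateway.com/v3/"></script>
<script src="https://cdn.analytics-vendor.example/tag.js"></script>
<script src="/static/app.js" integrity="sha384-AAAA"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body></body></html>`;

// Extract every <script> tag with its src and integrity attributes.
// A regex is enough for this check; use a real HTML parser in production.
function inventoryScripts(html, pageOrigin) {
  const tagRe = /<script\b([^>]*)>/gi;
  const attrRe = /(\w+)\s*=\s*"([^"]*)"/g;
  const scripts = [];
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let attr;
    while ((attr = attrRe.exec(tag[1])) !== null) attrs[attr[1].toLowerCase()] = attr[2];
    if (!attrs.src) {
      scripts.push({ inline: true });
      continue;
    }
    const origin = new URL(attrs.src, pageOrigin).origin;
    scripts.push({ src: attrs.src, origin, integrity: attrs.integrity || null, inline: false });
  }
  return scripts;
}

// One finding per problem: unknown third-party origin, missing SRI on a
// third-party script, or an inline script that CSP cannot allowlist by origin.
function auditScripts(html, pageOrigin, allowedOrigins) {
  const findings = [];
  for (const s of inventoryScripts(html, pageOrigin)) {
    if (s.inline) {
      findings.push({ script: "(inline)", issue: "inline script; move it to a file so CSP can cover it" });
      continue;
    }
    const firstParty = s.origin === pageOrigin;
    if (!firstParty && !allowedOrigins.includes(s.origin)) {
      findings.push({ script: s.src, issue: "third-party origin not on the script allowlist" });
    }
    if (!firstParty && !s.integrity) {
      findings.push({
        script: s.src,
        issue: "no integrity attribute; pin with SRI if the vendor serves an immutable versioned file, otherwise rely on CSP plus change monitoring",
      });
    }
  }
  return findings;
}

// CSP script-src built from the same allowlist, so the policy and the audit
// cannot drift apart.
function buildScriptSrcDirective(allowedOrigins) {
  return `script-src 'self' ${allowedOrigins.join(" ")}`;
}
```

One caveat a practitioner will hit: SRI only works when the vendor publishes an immutable, versioned file. Billing and gateway libraries are often served from an update-in-place URL, and pinning those breaks checkout on the next vendor release, so for them the origin allowlist in CSP plus monitoring for unexpected script changes is the practical control.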

Card Data Collection at Merchant Website + Chargebee API

In this option, you collect the card details on your own page and your servers handle them in one of the following ways:

  • Transmit the card details to Chargebee through the API, which encrypts them and routes them to the chosen payment gateway.

  • Send the card details directly to the chosen payment gateway for processing. The gateway returns a token; use that token in the Create subscription and Create payment source APIs to create the subscription and payment method in Chargebee.

Because your systems receive and transmit the full card number, even if they never store it, they are inside the cardholder data environment and the full set of merchant PCI DSS requirements applies.

Recommendation: SAQ D
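What separates the SAQ A token flows above (Chargebee.js Card Components, gateway JS) from this SAQ D option is whether your server ever sees the card number. The following is an added example, not Chargebee's code, of the server-side endpoint that receives the token in the SAQ A flows: it accepts only customer_id and token_id, rejects unknown fields and anything that looks like a card number, and builds the parameters for Chargebee's Create payment source using a token API. The sample request bodies and IDs are constructed, and the SDK call named in the comment is an assumption.

```javascript
// Added example, not Chargebee's code. The browser has already exchanged the
// card for a token, so this endpoint must only ever see the token and a customer
// id. Anything that looks like card data is rejected, which keeps the server out
// of the cardholder data environment instead of sliding into SAQ D territory.

// Luhn check over a digit string. Used as a PAN heuristic, not as a validator.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// True if any string anywhere in the value holds a Luhn-valid run of 13 to 19
// digits (spaces and dashes removed first). Deliberately conservative: a false
// positive costs one retry; a false negative puts a PAN on an out-of-scope server.
function containsCardNumber(value) {
  if (typeof value === "string") {
    const runs = value.replace(/[\s-]/g, "").match(/\d{13,19}/g) || [];
    return runs.some(luhnValid);
  }
  if (Array.isArray(value)) return value.some(containsCardNumber);
  if (value !== null && typeof value === "object") {
    return Object.values(value).some(containsCardNumber);
  }
  return false;
}

// The only fields a token flow needs. Unknown fields are rejected rather than
// forwarded, so card number, CVV and expiry fields never get relayed to Chargebee.
const ALLOWED_FIELDS = new Set(["customer_id", "token_id"]);

function validateTokenRequest(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, error: "body must be a JSON object" };
  }
  const unexpected = Object.keys(body).filter((k) => !ALLOWED_FIELDS.has(k));
  if (unexpected.length > 0) {
    return { ok: false, error: `unexpected fields: ${unexpected.join(", ")}` };
  }
  if (containsCardNumber(body)) {
    return { ok: false, error: "request carries card data; tokenize in the browser and send the token" };
  }
  if (typeof body.token_id !== "string" || body.token_id.length === 0) {
    return { ok: false, error: "token_id is required" };
  }
  if (typeof body.customer_id !== "string" || body.customer_id.length === 0) {
    return { ok: false, error: "customer_id is required" };
  }
  return { ok: true };
}

// Parameters for Chargebee's "create payment source using a token" call
// (customer_id and token_id, as in the API reference). Handing them to the SDK,
// for example chargebee.payment_source.create_using_token(params) in the Node
// SDK, is left to the caller; that call name is an assumption, check your SDK.
function buildPaymentSourceParams(body) {
  const v = validateTokenRequest(body);
  if (!v.ok) throw new Error(v.error);
  return { customer_id: body.customer_id, token_id: body.token_id };
}

// Constructed sample requests (IDs are made up for the example).
const SAMPLE_GOOD = { customer_id: "cus_16CHb8TZd3G2xW", token_id: "tok_16CHb8TZd3G9pB" };
const SAMPLE_PAN_IN_FIELD = { customer_id: "cus_16CHb8TZd3G2xW", token_id: "4111 1111 1111 1111" };
const SAMPLE_EXTRA_FIELD = { ...SAMPLE_GOOD, card_number: "4111111111111111" };
```

Log the rejection reason but not the offending value, otherwise the guard itself writes PANs into your logs. The same scan is worth running over existing request and application logs once, since finding a Luhn-valid 16-digit run there is the quickest way to discover that a "token only" integration is not.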

Chargebee API + Checkout Providers

With this option, a third-party checkout service provider handles the checkout experience for your customers. When the transaction completes, collect the token the provider created in your chosen gateway account and use the Chargebee SDK (in the language of your choice) to create the subscription and payment method in Chargebee.

Recommendation: SAQ A

These suggestions are broad guidelines and may not suit every business situation. The Self-Assessment Questionnaire (SAQ) you need depends on your business operations and your merchant bank's criteria. For precise guidance, consult your merchant bank or a Qualified Security Assessor (QSA) directly.

Articles & FAQs

How is data security handled in Chargebee?