Documentation
Feedback
Guides
API Reference
App Development
Storefront Development
VTEX IO Apps
Troubleshooting
Release Notes
Guides
VTEX Platform Overview
API usage
Getting started
VTEX AI Developer Toolkit
Integration Guides
Catalog
Checkout
Master Data
Payments
Orders
Logistics
B2B
VTEX Sales App
UI Customization
Message Center
Pricing
Promotions
Infrastructure
Search
Recommendations
VTEX Activity Flow
VTEX Ads
VTEX Session
VTEX Shield
Data Protection Plus
VTEX CX Platform (Weni)
CMS
Guides
Payments
Security
PCI - DSS Compliance

PCI DSS Compliance

Learn when PCI DSS certification is required for VTEX payment integrations and how to submit the Attestation of Compliance.

Partners that process credit, debit, or co-branded card transactions must hold a valid Payment Card Industry Data Security Standard (PCI DSS) certification before integrating with the VTEX Payment Gateway. The PCI DSS is an international standard that ensures services can process transactions securely and protect cardholder data.

Who needs PCI DSS certification?

PCI DSS certification is only required for partners that process credit, debit, or co-branded card payments and do not use the Secure Proxy in their integrations.

The certification requirement applies to the entity that receives and processes transactions. If a tech service develops the connector infrastructure but a separate partner processes the transactions, only the partner processing the transactions must be PCI DSS certified.

Requirements

On VTEX, only partners with PCI DSS Level 1 certification (processing more than six million card transactions per year) can integrate their payment connectors.

Partners that use Secure Proxy in the development environment of the connector do not need PCI DSS certification.

If your provider only processes boleto, notes payable, or other redirect-based payment methods, PCI DSS certification is not required. Contact the VTEX Sales Team directly to start the integration.

Self-Assessment Questionnaire (SAQ)

The Self-Assessment Questionnaire (SAQ) is a list of yes-or-no questions designed to help service providers or merchants report the results of their PCI DSS self-assessment.

The SAQ is not accepted in the VTEX integration process.

Attestation of Compliance for Onsite Assessments (AOC)

The Attestation of Compliance for Onsite Assessments (AOC) is a document that declares the compliance status of the service provider or merchant with PCI DSS. It must be signed by a company representative and a Qualified Security Assessor (QSA).

The provider must forward the AOC (Service Provider version) fully completed to VTEX, noting the following points:

Submit the AOC (Service Provider version) fully completed to VTEX. Make sure the following requirements are met:

  • Company Name: The URL field (Part 1a.) must match the company requesting the integration. If the field contains a different name (for example, a company acquired by another), you must send additional documentation proving the relationship between the companies and confirming that the PCI DSS assessment covered the service URL of the provider.
  • Signature: The document must be signed by the company representative and the QSA.
  • Expiration Date: The AOC is valid for one year after the signing date. Do not submit an AOC issued more than 11 months ago (less than 30 days before expiration).

The AOC (Merchant version) is not accepted in the VTEX integration process.

Contributors
3
Photo of the contributor
Photo of the contributor
Photo of the contributor
Was this helpful?
Yes
No
Suggest Edits (GitHub)
Security
« Previous
Secure Proxy
Next »
Contributors
3
Photo of the contributor
Photo of the contributor
Photo of the contributor
Was this helpful?
Suggest edits (GitHub)
On this page