Managing PCI Compliance

Learn how to comply with the PCI DSS using Finix.

To process payments, your users need to validate compliance with PCI DSS annually. Users validate compliance by completing a Self-Assessment Questionnaire (SAQ).

Users include any entity that stores, processes, or transmits credit card data. For more information about PCI compliance, see PCI DSS Compliance.

Creating Compliance Forms

When a user gets successfully onboarded, Finix’s API will generate the necessary PCI Compliance Form pre-filled with the user’s information. Each Compliance Form is uniquely associated with the user.

  • If your users are processing Card Not Present transactions, Finix will generate a pre-filled SAQ Questionnaire with type pci_saq_a . For an example see this sample SAQ A form from the PCI Council.

Finix users must validate PCI compliance within 90 days of being onboarded by completing the necessary Compliance Form.

  • The specific date the Compliance Form needs to be completed by can be found in due_at .
  • Users must complete and attest to a new Compliance Form annually.

Viewing Compliance Forms

A webhook notifies you when Finix creates a Compliance Form.

Use the id in the webhook to fetch the Compliance Form resource from the /compliance_forms/:COMPLIANCE_FORM_ID: endpoint.

curl \
    -H "Content-Type: application/json" \
    -H 'Finix-Version: 2022-02-01' \
    -u  USj46WbwgnjapmdYFnEDP3Ec:b9b4042c-9621-438d-a84b-8557d4bda84d

Example Response

  "id" : "cf_fEojUGLjwUiqNTBp68JWq8",
  "created_at" : "2022-06-22T01:20:12.439149Z",
  "updated_at" : "2022-09-07T20:54:08.411908Z",
  "application_id" : "APdoThHn4jjYUSxQf76txAgg",
  "linked_to" : "MUfnskvHiiDgP7x3TVL2LkG3",
  "linked_type" : "MERCHANT",
  "type" : "PCI_SAQ_A",
  "version" : "2018.5",
  "valid_from" : "2022-06-22T01:20:12.978825Z",
  "valid_until" : "2023-06-22T01:20:12.97883Z",
  "tags" : {
    "is_accepted" : false,
    "name" : "JWOJOJ",
    "signed_at" : null,
    "ip_address" : null,
    "title" : null,
    "user_agent" : null
  "pci_saq_a" : {
    "name" : null,
    "signed_at" : null,
    "user_agent" : null,
    "ip_address" : null,
    "is_accepted" : false,
    "title" : null
  "due_at" : "2022-09-20T01:20:12.430835Z",
  "compliance_form_template" : "cft_wua8ua1yLAcHRK9mx2mF9K",
  "files" : {
    "unsigned_file" : "FILE_fFGMCY4sxGYTqpjnXh54kC",
    "signed_file" : null
  "state" : "INCOMPLETE"

HTTP Request


Completing Compliance Forms

As part of onboarding your users, you'll need to build a UI experience that allows users to complete the PCI Compliance Form and download the form as a PDF if requested.

To complete PCI compliance forms:

  1. Get the Compliance Form generated for the merchant using the id from the webhook and present the form to your users when requested.
  2. Show your users the required text to obtain consent.
  3. Submit a PUT API request with the necessary attestation information.

Obtaining Compliance Consent

You need to present your users a link so they can view the compliance form. Users must explicitly consent to the form before you can submit the attestation PUT request to Finix.

To obtain your users' consent, you must present the following text alongside the link to the compliance form:

By submitting this Self-Assessment Questionnaire, I certify that I am an authorized representative of the company and that all the information submitted is true and correct.

Completing the Questionnaire

To complete and submit the questionnaire, update Compliance Form with the required pci_saq_a information. Updating the Compliance Form with this information will update state from INCOMPLETE to COMPLETED.

curl \
    -H "Content-Type: application/json" \
    -H 'Finix-Version: 2022-02-01' \
    -u  USdCBTiL4BwY9jJ6Mq12ymrW:d294d534-b1f7-473b-bc56-7f76ccb011e7 \
    -X PUT \
    -d '
        "pci_saq_a": {
         "name": "John Smith",
         "signed_at": "2022-03-18T16:42:55Z",
         "title": "CTO",
         "user_agent": "Mozilla 5.0(Macintosh; IntelMac OS X 10 _14_6)"

Example Response

       "id": "cf_bcu8rBtpCFJVuRpgCxt4HS",
       "created_at": "2021-08-15T18:26:56.15Z",
       "updated_at": "2021-07-T15:26:56.15Z",
       "application_id": "APdoThHn4jjYUSxQf76txAgg",
       "compliance_form_template": "cft_u56ZGx3Xb6U9gAqKfgNisd",
       "due_at": "2021-11-13T15:26:56.15Z",
       "files": {
         "unsigned_file": "FILE_qf952xmeuiF179wdMiPXrW",
         "signed_file": "FILE_mmRiDs7YaSsqjP727gWD84"
       "linked_to": "MUas8jhZf3bWsqyp8neX3UwN",
       "linked_type": "MERCHANT", 
       "pci_saq_a": {
         "name": "John Smith",
         "signed_at": "2022-03-18T16:42:55Z",
         "user_agent": "Mozilla 5.0(Macintosh; IntelMac OS X 10 _14_6)",
         "is_accepted": true,
         "title": "CTO" 
       "state": "COMPLETED",
       "tags": {},
       "type": "PCI_SAQ_A",
       "valid_from": "2022-03-18T18:26:56.15Z",
       "valid_until": "2023-03-18T18:26:56.15Z"

HTTP Request



Field Type Description
id string ID of the Compliance Form
created_at string Timestamp of when the Compliance Form was created.
updated_at string Timestamp of when the Compliance Form was last updated.
application_id string The ID of the Application the compliance_form was created under.
compliance_form_template string Template linked to this Compliance Form.
due_at string Timestamp of when the Compliance Form must be completed by.
files object See files.
linked_to string The ID of the Merchant linked to the Compliance Form.
linked_type string The type of resource this Compliance Form is linked to.
pci_saq_a string See pci_saq_a.
state string The state of the Compliance Form. There are three available values: PENDING, COMPLETED, or INVALID.
type string Type of Compliance Form. There is one available value: PCI_SAQ_A
valid_from string Timestamp of when the Compliance Form becomes active and valid.
valid_until string Timestamp of when the Compliance Form is no longer active and valid.
Field Type Description
ip_address string IP address of the person attesting to this Compliance Form
is_accepted boolean If all pci_saq_a fields are all submitted, is_accepted updates to true.
name string Name of the person completing (aka attesting to) the Compliance Form
signed_at string Timestamp of the person attesting to this Compliance Form
user_agent string User agent of the person attesting to this Compliance Form
Field Type Description
signed_file string
  • Auto-fills to null.
  • When a complianceform is attested, `signedfilewill contain aFile` corresponding to the signed version of the form.
unsigned_file string ID of the File resource that has the Compliance Form.

Downloading Compliance Forms

Every Compliance Form resource has a file object. The File object has a File ID available in:

  • unsigned if the user hasn't completed the form
  • signed if the user has completed the form.

Use the File ID to download the file for your user or fetch it to display the PDF in their browser.

Renewing Compliance

To stay PCI compliant, you and your users need to validate compliance annually by completing the SAQ questionnaire. When the valid_to date passes (i.e. the valid_to date is greater than today’s date), Finix will generate a new Compliance Form with new valid_from and valid_to timestamps.