Managing PCI Compliance

Learn how to comply with the PCI DSS using Finix.

To process payments, your users need to validate compliance with PCI DSS annually. Users validate compliance by completing a Self-Assessment Questionnaire (SAQ).

Users include any entity that stores, processes, or transmits credit card data. For more information about PCI compliance, see PCI DSS Compliance.

Creating Compliance Forms

When a user gets successfully onboarded, Finix’s API will generate the necessary PCI Compliance Form pre-filled with the user’s information. Each Compliance Form is uniquely associated with the user.

If your users are processing Card Not Present transactions, Finix will generate a pre-filled SAQ Questionnaire with type pci_saq_a . For an example see this sample SAQ A form from the PCI Council.

Finix users must validate PCI compliance within 90 days of being onboarded by completing the necessary Compliance Form.

The specific date the Compliance Form needs to be completed by can be found in due_at .
Users must complete and attest to a new Compliance Form annually.

Viewing Compliance Forms

A webhook notifies you when Finix creates a Compliance Form.

Use the id in the webhook to fetch the Compliance Form resource from the /compliance_forms/:COMPLIANCE_FORM_ID: endpoint.

Copy

Copied

curl https://finix.sandbox-payments-api.com/compliance_forms/cf_fEojUGLjwUiqNTBp68JWq8 \
    -H "Content-Type: application/json" \
    -H 'Finix-Version: 2022-02-01' \
    -u  USj46WbwgnjapmdYFnEDP3Ec:b9b4042c-9621-438d-a84b-8557d4bda84d

Example Response

Copy

Copied

{
  "id" : "cf_fEojUGLjwUiqNTBp68JWq8",
  "created_at" : "2022-06-22T01:20:12.439149Z",
  "updated_at" : "2022-09-07T20:54:08.411908Z",
  "application_id" : "APdoThHn4jjYUSxQf76txAgg",
  "linked_to" : "MUfnskvHiiDgP7x3TVL2LkG3",
  "linked_type" : "MERCHANT",
  "type" : "PCI_SAQ_A",
  "version" : "2018.5",
  "valid_from" : "2022-06-22T01:20:12.978825Z",
  "valid_until" : "2023-06-22T01:20:12.97883Z",
  "tags" : {
    "is_accepted" : false,
    "name" : "JWOJOJ",
    "signed_at" : null,
    "ip_address" : null,
    "title" : null,
    "user_agent" : null
  },
  "pci_saq_a" : {
    "name" : null,
    "signed_at" : null,
    "user_agent" : null,
    "ip_address" : null,
    "is_accepted" : false,
    "title" : null
  },
  "due_at" : "2022-09-20T01:20:12.430835Z",
  "compliance_form_template" : "cft_wua8ua1yLAcHRK9mx2mF9K",
  "files" : {
    "unsigned_file" : "FILE_fFGMCY4sxGYTqpjnXh54kC",
    "signed_file" : null
  },
  "state" : "INCOMPLETE"

HTTP Request

GET https://finix.sandbox-payments-api.com/compliance_forms/:COMPLIANCE_FORM_ID:

Completing Compliance Forms

As part of onboarding your users, you'll need to build a UI experience that allows users to complete the PCI Compliance Form and download the form as a PDF if requested.

To complete PCI compliance forms:

Get the Compliance Form generated for the merchant using the id from the webhook and present the form to your users when requested.
Show your users the required text to obtain consent.
Submit a PUT API request with the necessary attestation information.

Obtaining Compliance Consent

You need to present your users a link so they can view the compliance form. Users must explicitly consent to the form before you can submit the attestation PUT request to Finix.

To obtain your users' consent, you must present the following text alongside the link to the compliance form:

By submitting this Self-Assessment Questionnaire, I certify that I am an authorized representative of the company and that all the information submitted is true and correct.

Completing the Questionnaire

To complete and submit the questionnaire, update Compliance Form with the required pci_saq_a information. Updating the Compliance Form with this information will update state from INCOMPLETE to COMPLETED.

Copy

Copied

curl https://finix.sandbox-payments-api.com/compliance_forms/cf_bcu8rBtpCFJVuRpgCxt4HS \
    -H "Content-Type: application/json" \
    -H 'Finix-Version: 2022-02-01' \
    -u  USdCBTiL4BwY9jJ6Mq12ymrW:d294d534-b1f7-473b-bc56-7f76ccb011e7 \
    -X PUT \
    -d '
    {
        "pci_saq_a": {
         "ip_address":"42.1.1.112",
         "name": "John Smith",
         "signed_at": "2022-03-18T16:42:55Z",
         "title": "CTO",
         "user_agent": "Mozilla 5.0(Macintosh; IntelMac OS X 10 _14_6)"
       }
    }'

Example Response

Copy

Copied

{
       "id": "cf_bcu8rBtpCFJVuRpgCxt4HS",
       "created_at": "2021-08-15T18:26:56.15Z",
       "updated_at": "2021-07-T15:26:56.15Z",
       "application_id": "APdoThHn4jjYUSxQf76txAgg",
       "compliance_form_template": "cft_u56ZGx3Xb6U9gAqKfgNisd",
       "due_at": "2021-11-13T15:26:56.15Z",
       "files": {
         "unsigned_file": "FILE_qf952xmeuiF179wdMiPXrW",
         "signed_file": "FILE_mmRiDs7YaSsqjP727gWD84"
        },
       "linked_to": "MUas8jhZf3bWsqyp8neX3UwN",
       "linked_type": "MERCHANT", 
       "pci_saq_a": {
         "name": "John Smith",
         "signed_at": "2022-03-18T16:42:55Z",
         "user_agent": "Mozilla 5.0(Macintosh; IntelMac OS X 10 _14_6)",
         "ip_address":"42.1.1.113",
         "is_accepted": true,
         "title": "CTO" 
        },
       "state": "COMPLETED",
       "tags": {},
       "type": "PCI_SAQ_A",
       "valid_from": "2022-03-18T18:26:56.15Z",
       "valid_until": "2023-03-18T18:26:56.15Z"
     }

HTTP Request

PUT https://finix.sandbox-payments-api.com/compliance_forms/:COMPLIANCE_FORM_ID:

Response

Field	Type	Description
`id`	string	ID of the `Compliance Form`
`created_at`	string	Timestamp of when the `Compliance Form` was created.
`updated_at`	string	Timestamp of when the `Compliance Form` was last updated.
`application_id`	string	The ID of the Application the `compliance_form` was created under.
`compliance_form_template`	string	Template linked to this `Compliance Form`.
`due_at`	string	Timestamp of when the `Compliance Form` must be completed by.
`files`	object	See `files`.
`linked_to`	string	The ID of the `Merchant` linked to the `Compliance Form`.
`linked_type`	string	The type of resource this `Compliance Form` is linked to.
`pci_saq_a`	string	See `pci_saq_a`.
`state`	string	The state of the `Compliance Form`. There are three available values: PENDING, COMPLETED, or INVALID.
`type`	string	Type of `Compliance Form`. There is one available value: PCI_SAQ_A
`valid_from`	string	Timestamp of when the `Compliance Form` becomes active and valid.
`valid_until`	string	Timestamp of when the `Compliance Form` is no longer active and valid.

pci_saq_a

Field	Type	Description
`ip_address`	string	IP address of the person attesting to this `Compliance Form`
`is_accepted`	boolean	If all `pci_saq_a` fields are all submitted, `is_accepted` updates to true.
`name`	string	Name of the person completing (aka attesting to) the `Compliance Form`
`signed_at`	string	Timestamp of the person attesting to this `Compliance Form`
`user_agent`	string	User agent of the person attesting to this `Compliance Form`

Files

Field	Type	Description
`signed_file`	string	Auto-fills to null. When a complianceform is attested, `signedfile`will contain a`File` corresponding to the signed version of the form.
`unsigned_file`	string	ID of the `File` resource that has the `Compliance Form`.

Downloading Compliance Forms

Every Compliance Form resource has a file object. The File object has a File ID available in:

unsigned if the user hasn't completed the form
signed if the user has completed the form.

Use the File ID to download the file for your user or fetch it to display the PDF in their browser.

Renewing Compliance

To stay PCI compliant, you and your users need to validate compliance annually by completing the SAQ questionnaire. When the valid_to date passes (i.e. the valid_to date is greater than today’s date), Finix will generate a new Compliance Form with new valid_from and valid_to timestamps.