PCI Compliance

This section covers Payment Card Industry Data Security Standard (PCI DSS) compliance and your responsibilities as a third-party developer.

What is PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. For an in-depth guide to what PCI DSS is, how to achieve it for your business, and a compliance checklist, see Everything You Need to Know About Achieving PCI Compliance.

Who is responsible

BigCommerce is a PCI DSS compliant service provider and validates all twelve requirements (1-12) annually, including those that apply to it as a shared hosting provider. BigCommerce’s PCI DSS Attestation of Compliance (AOC) describes the technology stack that is certified each year.

Merchants can use BigCommerce’s PCI DSS AOC to satisfy the portion of their compliance requirements that falls within BigCommerce’s responsibilities. To learn more about showing proof of compliance, see Showing Compliance.

If your application handles credit card data, it must itself be PCI DSS compliant. Submit your self-assessment questionnaires (SAQs) to compliance@bigcommerce.com.

BigCommerce is responsible for the secure handling of card data while a payment is en route from the payment request to the payment processor. Merchants, service providers, and every other entity involved in payment card processing must never store sensitive authentication data after authorization. Sensitive authentication data includes the 3- or 4-digit security code printed on the front or back of a card, the data stored on a card’s magnetic stripe or chip (also called “full track data”), and any personal identification number (PIN) entered by the cardholder.

As a third-party developer, it is your responsibility to build storefronts and recurring billing apps in a PCI-compliant manner. If your development affects the flow of sensitive credit card data, you will need to maintain a PCI DSS service-provider certification, validated by an external Qualified Security Assessor (QSA).
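The sensitive authentication data rule above is the one most often broken by accident, in application logs, error reports and support notes rather than in the payment flow itself. The following is an added example, not BigCommerce code and not part of this page; the field names, regular expressions and sample event are assumptions. It sanitizes an event object before it is logged or persisted: fields that carry sensitive authentication data are dropped, track data found in free text is removed, security codes mentioned in free text are removed, and any Luhn-valid 13 to 19 digit number is masked to its first six and last four digits.

```javascript
// Added example (assumption: your app builds a plain object like `sampleEvent`
// before logging). Not BigCommerce code; field names are illustrative.

// Keys whose values are sensitive authentication data (SAD) and must never be
// stored after authorization: security codes, PINs, magnetic stripe / chip data.
const SAD_FIELDS = new Set([
  'cvv', 'cvv2', 'cvc', 'cvc2', 'cid', 'securityCode',
  'pin', 'pinBlock', 'track1', 'track2', 'magstripe',
]);

// Luhn checksum. Real PANs pass it; using it avoids masking order numbers,
// phone numbers and other long digit runs that merely look like a PAN.
function luhnValid(digits) {
  let sum = 0;
  let dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (d < 0 || d > 9) return false;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Mask a PAN to first six + last four, the most PCI DSS allows to be shown by default.
function maskPan(digits) {
  return digits.slice(0, 6) + '*'.repeat(digits.length - 10) + digits.slice(-4);
}

// Track 1 looks like %B<PAN>^NAME^...?, Track 2 like ;<PAN>=YYMM...?
const TRACK_RE = /%B\d{13,19}\^[^^]*\^[^?]*\??|;\d{13,19}=\d{4,}[^?]*\??/g;
// A security code or PIN written into free text, e.g. "cvv 123" or "PIN: 4321".
const CODE_IN_TEXT_RE = /\b(cvv2?|cvc2?|cid|pin)\s*[:=]?\s*\d{3,6}\b/gi;
// 13 to 19 digits, optionally separated by single spaces or dashes.
const PAN_RE = /\b(?:\d[ -]?){12,18}\d\b/g;

function redactString(s) {
  return s
    .replace(TRACK_RE, '[TRACK DATA REMOVED]')
    .replace(CODE_IN_TEXT_RE, '$1 [REMOVED]')
    .replace(PAN_RE, (m) => {
      const digits = m.replace(/[ -]/g, '');
      return luhnValid(digits) ? maskPan(digits) : m;
    });
}

// Recursively sanitize a value. SAD fields are dropped outright (returning
// undefined removes the key); strings are redacted; containers are walked.
function sanitize(value, key = '') {
  if (SAD_FIELDS.has(key)) return undefined;
  if (typeof value === 'string') return redactString(value);
  if (Array.isArray(value)) return value.map((v) => sanitize(v));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      const clean = sanitize(v, k);
      if (clean !== undefined) out[k] = clean;
    }
    return out;
  }
  return value;
}

// Constructed sample event using the 4111... Visa test number; not real data.
const sampleEvent = {
  orderId: 'ORD-2024-00017',
  card: { number: '4111 1111 1111 1111', cvv: '123', expiry: '12/29' },
  track2: ';4111111111111111=29121011000012345?',
  rawSwipe: 'swipe=;4111111111111111=29121011000012345? ok',
  note: 'customer called, read card 4111111111111111 and cvv 123 over the phone',
};

const sanitizedEvent = sanitize(sampleEvent);
console.log(JSON.stringify(sanitizedEvent, null, 2));
```

Redacting before logging limits exposure; it does not take the application out of PCI DSS scope. If your code receives the PAN or any sensitive authentication data at all, the data flow is yours to certify, which is the case this page says requires a QSA-validated service-provider certification.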

For information on processing payments, see PCI compliance (Payments API). For general information, including a detailed table of compliance responsibilities, see our article in the Help Center.

The way your business consumes BigCommerce’s SDKs (BigCommerce as both storefront and backend, or BigCommerce as backend only) determines which responsibilities fall to BigCommerce. It is possible to use more than one part of BigCommerce’s technology stack at the same time; your PCI DSS compliance responsibilities are then the combination of the responsibilities for each stack you consume.

Resources

  • Maintaining Payment Security
  • Merchant Classification Levels (Visa)
  • Merchant Classification Levels (Mastercard)
  • Payments API
  • Self Assessment Questionnaire (SAQ) Types and Identifying which SAQ is for you