
PCI Compliance

How RevKeen maintains PCI DSS compliance for payment processing

RevKeen is designed so that you can accept payments without handling sensitive card data yourself. This page explains how PCI DSS applies to RevKeen and what it means for your business.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that apply to any organization that stores, processes, or transmits cardholder data. It exists to protect customers from fraud and data breaches.

PCI compliance is not optional -- if you accept card payments, you must meet the requirements that apply to your level of card data exposure.

RevKeen's PCI Scope

RevKeen minimizes your PCI scope by ensuring that sensitive card data never touches RevKeen's servers or yours.

How card data flows

Customer's browser  -->  Payment gateway (NMI / processor)  -->  Card networks
                                    |
                              Returns token
                                    |
                              RevKeen stores token only

  1. The customer enters their card details into RevKeen's hosted checkout or an embedded payment form.
  2. Card data is sent directly from the customer's browser to the payment gateway over a TLS-encrypted connection.
  3. The gateway processes the card, returns a token (a non-reversible reference), and sends the transaction result.
  4. RevKeen stores only the token and masked card details (last four digits, card brand, expiration). The full card number never reaches RevKeen.

What RevKeen does NOT store

  • Full card numbers (PAN)
  • CVV / CVC codes
  • PIN data
  • Magnetic stripe data
  • Full track data

SAQ-A Eligibility

Because RevKeen uses hosted checkout and direct-to-gateway tokenization, merchants using RevKeen's standard checkout are eligible for SAQ-A -- the simplest PCI self-assessment questionnaire.

SAQ-A applies when:

  • All payment processing is outsourced to a PCI-compliant service provider.
  • Your website does not directly receive, transmit, or store cardholder data.
  • You use a hosted payment page or iframe-based checkout.

RevKeen's hosted checkout meets all of these criteria.

Tokenization

Tokenization replaces sensitive card data with a non-sensitive token that has no exploitable value if intercepted.

  Data               Stored by RevKeen   Example
  Token              Yes                 tok_abc123def456
  Last four digits   Yes                 4242
  Card brand         Yes                 Visa
  Expiration         Yes                 12/2027
  Full card number   No                  Never stored
  CVV                No                  Never stored

Tokens are gateway-specific and cannot be used outside of your authenticated gateway account. Even if a token were exposed, it could not be used to make a payment without your gateway credentials.

Gateway Handles Card Data

Your payment gateway (such as NMI) is a PCI DSS Level 1 certified service provider. The gateway is responsible for:

  • Receiving and encrypting card data from the customer's browser.
  • Performing authorization and capture with the card networks.
  • Storing card-on-file data securely for recurring payments.
  • Returning tokenized references to RevKeen.

RevKeen communicates with the gateway using server-side API calls authenticated with your gateway credentials, which are stored encrypted in Infisical.

Hosted Checkout Reduces Your PCI Burden

RevKeen's hosted checkout is served from RevKeen's domain. This means:

  • Card fields are rendered by RevKeen, not embedded in your site's DOM.
  • Your servers never see card data, even transiently.
  • You do not need to implement or maintain TLS for payment form endpoints.
  • Your PCI scope is limited to ensuring you use the hosted checkout correctly and do not introduce client-side scripts that intercept card data.

If you use RevKeen's hosted checkout without modification, your PCI obligations are minimal.

What Merchants Need to Do

Even with SAQ-A eligibility, you still have responsibilities:

  Responsibility            Details
  Complete SAQ-A annually   A short self-assessment questionnaire confirming you meet the basic requirements. Your payment processor or acquiring bank may provide a portal for this.
  Use strong passwords      Ensure your RevKeen account and gateway credentials use strong, unique passwords. Enable two-factor authentication where available.
  Do not log card data      Never log, email, or store full card numbers -- even temporarily -- in your own systems.
  Keep your site secure     If you embed RevKeen checkout links on your website, ensure your site uses HTTPS and is free of malicious scripts that could intercept form data.
  Report compromises        If you suspect a data breach, notify your payment processor and RevKeen immediately.
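The storage rule in step 4 of the data flow and the "do not log card data" responsibility are the two places where a merchant's own code can quietly pull card data back into PCI scope. The Python below is an added example, not RevKeen's code: a logging filter that masks any Luhn-valid card number to its last four digits before a line is written (order ids and timestamps fail the Luhn check and are left alone), and a whitelist that reduces a hypothetical gateway response to the four fields the tokenization table says RevKeen keeps. The field names `pan`, `card_number`, `cvv`, `cvc`, `pin` and `track_data` are assumptions, not any real gateway's schema.

```python
import logging
import re

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, so order ids and timestamps are not mis-masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact_pans(text: str) -> str:
    """Replace every Luhn-valid card number in text, keeping the last four."""
    def mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # not a card number; leave it untouched
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(mask, text)

class PanRedactingFilter(logging.Filter):
    """Attach to every handler so no log line can carry a full PAN."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_pans(record.getMessage())
        record.args = ()
        return True

def filtered_message(msg: str, *args) -> str:
    """Run one log call through the filter and return what would be written."""
    rec = logging.LogRecord("app", logging.INFO, __file__, 0, msg, args, None)
    PanRedactingFilter().filter(rec)
    return rec.getMessage()

# Fields the page says RevKeen keeps; anything else is dropped or refused.
ALLOWED_FIELDS = {"token", "last_four", "brand", "expiration"}
FORBIDDEN_FIELDS = {"pan", "card_number", "cvv", "cvc", "pin", "track_data"}  # assumed names

def storable_card_record(gateway_response: dict) -> dict:
    """Reduce a (hypothetical) gateway response to the safe-to-persist fields."""
    present = FORBIDDEN_FIELDS & set(gateway_response)
    if present:
        raise ValueError(f"refusing to store sensitive fields: {sorted(present)}")
    return {k: v for k, v in gateway_response.items() if k in ALLOWED_FIELDS}
```

Install the filter with `logging.getLogger().handlers[i].addFilter(PanRedactingFilter())` on every handler, not just the root logger, so third-party loggers are covered too.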

Custom Integrations

If you use the RevKeen API to build a custom checkout experience instead of the hosted checkout, your PCI scope may increase. Specifically:

  • If card data passes through your servers before reaching the gateway, you may need to complete SAQ-D (the most comprehensive assessment).
  • If you use direct post or iframe-based integration where card data goes directly to the gateway, SAQ-A-EP may apply.

Contact your acquiring bank or a Qualified Security Assessor (QSA) if you are unsure which SAQ applies to your integration.
