With Weavr's security model, all PCI-sensitive information is transmitted directly between Weavr and the customer – your application handles only non-sensitive tokens.
Your customers’ card information is highly sensitive. If you have any type of direct access to this information, you are legally bound to be compliant with the PCI DSS standard. However, you can use Weavr’s security model to issue and manage cards for your customers without having access to any PCI-sensitive details.
Payment Card Industry Data Security Standards (PCI DSS) is a set of policies and procedures developed to protect card transactions and prevent misuse of cardholders’ personal information. Anyone involved with the processing, handling, transmission or storage of card data must comply with PCI DSS.
The following card information falls under the PCI-sensitive category:
- End-user password to access card detail information
- The full 16-digit card number
- The 3-digit card verification number (CVV) required to make online purchases
- The card PIN in case of physical cards
With Weavr’s security model, you can include financial capabilities in your application and qualify for the lowest level of PCI compliance. To ensure the simplest possible PCI compliance procedure you should:
- Use Weavr’s security model to deliver card details to your customers
- Ensure that your application is running on HTTPS
- Fill in and submit our pre-filled PCI SAQ form
If your company and application are already PCI DSS certified, you can opt out of using Weavr’s security model. Not having to store PCI-sensitive data is still a benefit but it is not a requirement.
Using the security model
Weavr’s security model tokenises information so that you can transmit it securely. For this to work, you need to integrate your application with Weavr’s security model both on the client-side and on the server-side:
- On the client-side, you need to use Weavr’s UI library to embed secure components for capturing and viewing information.
You can find more information on Weavr’s UI components here.
- On the server-side, you need to send and receive tokens instead of plain text data. In the case of server-side integration, you can use the same APIs independent of whether you use the security model or not. However, if you use the security model, Weavr will expect and return tokenised information for sensitive fields.