Visa Developer Community


PCI complience

I am planning to use CyberSource Payments API. To call this API I need to get electronic cardholder data
from one of my page. I don't store any electronic cardholder data and sole purpose of getting data to call
CyberSource Payments API. In this case will I be in PCI complience SAQ Validation Type A-EP ?

Valued Supporter

Re: PCI complience


CyberSource Flex creates long term tokens. As CVV/CVN is not supposed to be stored post-authorization, it is not tokenized. CVV/CVN should be captured and passed in with the token to the authorization request to CYBS each time. Post-authorization, the CVV/CVN should not be stored for future authorization attempts – it needs to be captured each time from the cardholder.


As CyberSource tokens are secure, and not mathematically related to the underlying PAN, this will not bring the you into PCI DSS scope.


Pleaes let me know if this is helpful. 




Tags (2)