Security

Anyone involved with the processing, transmission, or storage of credit card data must comply with the Payment Card Industry Data Security Standards (PCI DSS). Juspay makes this easy for you to do, and you can set up a fully PCI-compliant integration by taking the following steps:

  • Serve your payment pages over HTTPS, secured with Transport Layer Security (TLS)
  • Use Juspay's pay-v3.js to render the card input elements inside Juspay's iFrame. This ensures that cardholder data is accepted in Juspay's iFrame and transmitted directly from it to Juspay's servers, never touching your page or your servers.

TLS

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both frequently referred to as "SSL", are cryptographic protocols that provide communications security over a network. When secured by TLS, connections between a client (e.g., a web browser) and a server (e.g., wikipedia.org) have one or more of the following properties:

  • Privacy - the connection is encrypted
  • Identity authentication - the server is identified through its certificate, and
  • Reliability - the secure connection is dependably maintained through message integrity checking.

TLS is designed to prevent eavesdropping and tampering. The protocol versions supported under the current standards are TLS 1.0 (deprecated), TLS 1.1 and TLS 1.2.

TLS 1.2 is recommended for maximum security.

A digital certificate - a file issued by a certification authority (CA) - is needed in order to use TLS. When installed, this certificate assures the client that it's really communicating with the server it expects to be talking to, not an impostor. Additionally, your customers are more comfortable sharing sensitive information on pages visibly served over HTTPS, which can help increase your customer conversion rate.
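As an added example (it is not code from this page or from Juspay), the following Python builds a TLS context that follows the recommendations above - TLS 1.2 as the floor, the peer's certificate verified and its hostname checked - beside the weak settings it replaces, and audits any context for those properties. `negotiated_tls` opens a connection to a host of your choosing and reports the version actually agreed, so you can confirm that a payment page is served the way the page recommends. The certificate paths and the hostname are assumptions supplied by the caller.

```python
import socket
import ssl
from typing import List, Optional


def hardened_client_context() -> ssl.SSLContext:
    """Outbound connections (e.g. your server calling a payment API):
    certificate verified, hostname checked, nothing below TLS 1.2."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0 and 1.1
    return ctx


def hardened_server_context(certfile: Optional[str] = None,
                            keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Context for serving your own payment pages. certfile/keyfile are the
    CA-issued certificate chain and private key; the paths are assumptions
    and are only loaded when given."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """What a legacy setting looks like: any version the library supports
    and no check on who is at the other end. Built here only to be audited."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False                    # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the deviations from the page's recommendations; empty means fine."""
    findings: List[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum version {ctx.minimum_version.name}: set TLSv1_2")
    if ctx.protocol == ssl.PROTOCOL_TLS_CLIENT:   # identity checks apply to clients
        if ctx.verify_mode != ssl.CERT_REQUIRED:
            findings.append("server certificate not verified: set CERT_REQUIRED")
        if not ctx.check_hostname:
            findings.append("hostname not checked against the certificate")
    return findings


def negotiated_tls(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect with the hardened context and return the version actually agreed,
    e.g. 'TLSv1.2' or 'TLSv1.3'. Raises ssl.SSLError if the server cannot meet
    the floor or presents a certificate that does not verify for this host."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    import sys
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or ["ok"])
    if len(sys.argv) > 1:                         # python tls_check.py shop.example (hostname assumed)
        print(sys.argv[1], "negotiated", negotiated_tls(sys.argv[1]))
```

Run it without arguments to see the audit of the two contexts; pass a hostname to see what your own payment page negotiates. The audit only inspects the client-side identity settings when the context is a client context, since a server context has no peer certificate to verify by default.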

PCI DSS guidelines

So long as you ensure that cardholder data never comes into direct contact with your website or servers, you can remain at the simplest compliance level, SAQ A. Any deviation can significantly increase the compliance requirements. The various scenarios are summarized below for your quick reference:

| Mechanism | Card entry environment | Compliance requirement |
|---|---|---|
| Redirection to hosted page | User is redirected from your website and enters complete card data in a payment page rendered from Juspay's domain | SAQ A |
| Embedded iFrame | You embed Juspay's iFrame in your checkout page; the user enters complete card data in the iFrame served from Juspay's domain | SAQ A |
| Pay-v2.js | Cardholder data is captured on your website but transmitted using Juspay's iFrame | SAQ A-EP |
| Pay-v3.js | Juspay renders the card input elements as an iFrame from Juspay's domain; user data is captured directly in Juspay's iFrame and transmitted through it | SAQ A |
| Direct Card API | You use Juspay's API to send cardholder data | SAQ D |
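The SAQ A rows of the table share one condition: the card number never reaches your website or servers. A practical way to confirm that an integration has stayed in that scope is to watch for card numbers arriving in your own request bodies, which would mean a form or script bypassed Juspay's iFrame. The following Python is an added example, not Juspay code, of such a check: it scans a decoded request body for digit runs of card-number length, uses the Luhn check to separate real card numbers from order ids and similar numerics, and reports where they were found with the number masked. The field names and both sample payloads are constructed for the example; `4111111111111111` is the commonly used Visa test number.

```python
import re
from typing import Any, List, Tuple

# Runs of 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled (minus 9 if
    over 9) and the total must be a multiple of ten."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the digit strings in text that look like card numbers."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep first six and last four digits so the finding can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_payload(payload: Any, path: str = "$") -> List[Tuple[str, str]]:
    """Walk a decoded JSON/form body and return (field path, masked PAN) pairs."""
    hits: List[Tuple[str, str]] = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            hits.extend(scan_payload(value, f"{path}.{key}"))
    elif isinstance(payload, list):
        for i, value in enumerate(payload):
            hits.extend(scan_payload(value, f"{path}[{i}]"))
    elif isinstance(payload, (str, int)) and not isinstance(payload, bool):
        for pan in find_pans(str(payload)):
            hits.append((path, mask(pan)))
    return hits


# Constructed sample bodies. The first is what an SAQ A integration's backend
# should see: a token and a masked display value, never the PAN. The order id
# is 16 digits but fails Luhn, so it is not reported.
SAFE_REQUEST = {
    "order_id": "1234567890123456",
    "card_token": "tok_example_placeholder",   # placeholder, not a real token format
    "masked_card": "411111******1111",
}
# The second is a form that posted raw card fields to the merchant backend.
LEAKY_REQUEST = {
    "order_id": "ord_42",
    "card": {"number": "4111 1111 1111 1111", "expiry": "12/30"},
    "notes": ["customer called with card 4111111111111111"],
}


if __name__ == "__main__":
    for label, body in (("safe", SAFE_REQUEST), ("leaky", LEAKY_REQUEST)):
        print(label, scan_payload(body) or "no cardholder data found")
```

Hooked into request logging or a pre-processing middleware, a non-empty result from `scan_payload` is the signal that cardholder data has entered your environment and the SAQ A assumption no longer holds; the masked value is what you log, never the full number.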

For any queries relating to security, you may write to security@juspay.in.