Security standards compliance

Smart Router encrypts all confidential data (such as card details) before sending it to our secure vault for storage and processing. The vault is assessed at the highest compliance level defined by the Payment Card Industry Data Security Standard (PCI DSS). See the security declaration on our main website for full details of our standards and encryption methods.

PCI DSS in your app

To validate your own app's compliance with PCI DSS, you must complete the self-assessment questionnaire (SAQ) that matches how your app handles cardholder data.

If your app uses ProcessOut.js alone to collect and tokenize card details, so that cardholder data is never received, stored or transmitted by your own servers, and you process fewer than 6 million card transactions per year with any given card scheme, you qualify for SAQ A (card-not-present merchants, all cardholder data functions fully outsourced). This is the shortest SAQ and the one that requires the least work to implement. Note that its scope is strict: your own code must only ever see the token that ProcessOut.js returns. If your own JavaScript handles the card number itself (for example, to post it directly to a payment API), the more demanding SAQ A-EP applies instead, and if a card number ever reaches your servers, no SAQ A variant applies. Merchants above the 6 million threshold cannot self-assess at all and need a full on-site assessment (Report on Compliance) instead. See the PCI Security Standards Council website for full details of the SAQs and all other aspects of their standards.

EU Payment Services Directive 2

The European Union's Payment Services Directive 2 (PSD2) entered into force in January 2016, has applied in member states since January 2018, and its strong customer authentication (SCA) rules took effect in September 2019. Among other requirements, PSD2 obliges payment service providers (PSPs) to apply SCA, a multi-factor authentication step for electronic payments, unless a transaction qualifies for an exemption (for example, low value or low risk). For card payments SCA is usually delivered through the EMVCo 3-D Secure 2 (3DS2) protocol, which passes transaction data to the card issuer so it can decide whether to authenticate the cardholder silently or challenge them. SCA applies where both the payer's and the payee's PSP are in the EU or the European Economic Area; the United Kingdom has retained equivalent requirements, enforced by the Financial Conduct Authority.

The good news is that Smart Router handles SCA and the 3DS2 authentication flow for you, so your app satisfies PSD2 without any extra effort on your side while developing it.