API SAQ Guide

This guide is for merchants and integrators whose servers handle PAN or sensitive authentication data before sending it to CityPay APIs.

Where the merchant server handles PAN or sensitive authentication data, the merchant environment is in PCI DSS scope and SAQ D Merchant is usually required. This may apply to ecommerce API integrations and MOTO API integrations.

Part 2a - Merchant business payment channels

Tick the channels that apply:

E-Commerce
Mail Order/Telephone Order

Only tick channels that are part of the assessed implementation.

Part 2b - Description of role with payment cards

The merchant accepts card-not-present transactions using a server-side integration to CityPay APIs. For the assessed payment flow, merchant systems receive, process or transmit PAN and/or sensitive authentication data before submitting payment requests to CityPay Limited for authorisation and processing. CityPay Limited provides payment gateway, PSP, TPSP and processing services, but the merchant systems that handle account data remain in PCI DSS scope.

Part 2c - Description of payment card environment

The assessed environment includes merchant applications, servers, databases, networks, logging systems, deployment pipeline, administrative access and supporting services that can store, process, transmit, secure or affect PAN or sensitive authentication data before it is sent to CityPay. CityPay receives the payment request from the merchant server and performs gateway, authorisation and processing services.

Part 2f - Third-party service providers

Service provider | Description
CityPay Limited  | CityPay PSP and TPSP operating its own gateway, providing API payment gateway, authorisation, processing and related payment services.

Also list hosting providers, infrastructure providers, managed service providers, developers, support providers and any third party that can affect the cardholder data environment.

Eligibility notes

SAQ D Merchant is the broad merchant SAQ for environments that do not qualify for a reduced SAQ type. If a merchant server handles PAN or sensitive authentication data, do not describe the flow as fully outsourced payment capture.

Scope and segmentation

Document where PAN and sensitive authentication data enter, move through and leave the merchant environment. Include network diagrams, data-flow diagrams, segmentation controls, and any systems connected to or able to affect the cardholder data environment.

Storage and logging

Confirm whether PAN is stored anywhere in the merchant environment. If it is, it must be rendered unreadable wherever it is stored (for example by strong encryption, truncation or hashing) and retained only as long as there is a documented business need. Sensitive authentication data such as CVV, full track data and PIN blocks must not be stored after authorisation, even if encrypted. Review application logs, error traces, crash dumps, analytics, support tooling and database backups to confirm account data is not captured unexpectedly; request bodies written at debug level and gateway error handlers that echo the original request are common sources of unintended storage.
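The log review above is easier to evidence with a repeatable scan than with eyeballing. The following is an added example, not CityPay code and not part of this guide's original content: it walks a log file for candidate PANs (13 to 19 digits, optional space or dash separators, Luhn-valid) and for sensitive authentication data keyed by common field names, and reports each hit with the PAN masked so the scan output itself does not become a new store of account data. The sample log lines and the JSON field names ("cardnumber", "csc") are constructed for the example and are not CityPay's API field names.

```python
import re
from dataclasses import dataclass
from typing import List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. Luhn filtering below removes most
# order numbers and timestamps that happen to be long digit strings.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data keyed by common (hypothetical) field names
# with a 3-4 digit value, e.g. "csc":"123" or cvv=1234.
SAD_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|csc|cid)\b[\"']?\s*[:=]\s*[\"']?(\d{3,4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, as permitted for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int
    kind: str       # "PAN" or "SAD"
    evidence: str   # masked PAN, or the SAD field name with the value redacted


def scan_log(text: str) -> List[Finding]:
    """Scan log text line by line and return account-data findings."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(Finding(n, "PAN", mask_pan(digits)))
        for m in SAD_RE.finditer(line):
            # Never echo the SAD value itself, even into a findings report.
            findings.append(Finding(n, "SAD", f"{m.group(1).lower()}=<redacted>"))
    return findings


# Constructed sample log (test card numbers only, not real account data).
# Line 2 leaks a PAN and a CSC from a debug body, line 3 leaks a PAN with
# spaces in an error trace, line 4 is correctly masked and line 5 is a
# 16-digit order id that fails Luhn, so it should not be reported.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z INFO payment request id=ab12 amount=1999 currency=GBP
2024-05-01T10:00:01Z DEBUG body={"cardnumber":"4111111111111111","expmonth":12,"csc":"123"}
2024-05-01T10:00:02Z ERROR gateway timeout card=4111 1111 1111 1111 ref=ORDER-42
2024-05-01T10:00:03Z INFO masked=411111******1111 status=approved
2024-05-01T10:00:04Z INFO order id 4111111111111112 shipped
"""


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} {f.evidence}")
```

Run it over exported application logs, error trackers, analytics exports and database dumps as part of the storage and logging review, and keep the (masked) output as evidence. Any SAD finding is a storage violation regardless of when the line was written; a PAN finding in a backup or log means that system is in scope and the data must be purged or rendered unreadable.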

Secure systems and software

Evidence should cover secure development, vulnerability management, patching, change control, dependency review, code review, secrets management, and protection of API credentials.

Access control

Evidence should cover unique user IDs, MFA where required, least privilege, access reviews, leaver removal, privileged access management and administrative access to systems in scope.

Vulnerability scanning and testing

Include quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) where applicable, internal vulnerability scanning, penetration testing where required, remediation records and re-testing after significant changes to systems in scope.

TPSP management and incident response

Maintain a TPSP list including CityPay Limited, written agreement or terms with CityPay, evidence of CityPay PCI DSS compliance for API services, annual TPSP review, and an incident response plan that includes CityPay, acquirer and payment-brand escalation.

Retain:

  • CityPay AOC or PCI DSS compliance confirmation
  • API integration documentation
  • cardholder data-flow diagrams
  • network diagrams and segmentation evidence
  • inventory of systems in the cardholder data environment
  • storage and logging review evidence
  • vulnerability scans and penetration testing evidence where required
  • patching and change records
  • access control and leaver review records
  • incident response plan
  • TPSP list and annual review