All posts

PCI compliance considerations for API integrations

PCI DSS compliance is one of those topics that makes developers' eyes glaze over — until they realize their API is accidentally logging credit card numbers to CloudWatch. I've been through enough PCI audits to have opinions, and the biggest one is this: the goal isn't to be compliant, it's to stay out of scope entirely.

What PCI DSS means for APIs

PCI DSS (Payment Card Industry Data Security Standard) applies to any system that stores, processes, or transmits cardholder data. If your API touches a card number, expiration date, or CVV at any point — even transiently — you're in scope.

Being "in scope" means your infrastructure, code, deployment processes, access controls, and logging all need to meet PCI requirements. That's a lot of surface area to secure, audit, and maintain. The smart move is to minimize your PCI footprint so as little of your system as possible falls under those requirements.

Tokenization is your best friend

The single most effective thing you can do is never handle raw card data. Use a payment processor's hosted fields or tokenization SDK so that card numbers go directly from the user's browser to the processor. Your server only ever sees a token — an opaque reference that's useless to an attacker.

Stripe, Braintree, Adyen — they all offer this pattern. The card data flows from the client to the processor, you get back a token, and you use that token for charges, refunds, and lookups. Your API never touches the PAN (Primary Account Number), which keeps you at SAQ A or SAQ A-EP instead of the full SAQ D assessment.

If your backend API is receiving raw card numbers from your frontend, stop and rearchitect. The risk reduction from tokenization is worth any refactoring cost.

Encryption: at rest and in transit

In transit: TLS everywhere. Not just on your public-facing endpoints — between internal services too. Mutual TLS (mTLS) between services that handle payment data adds another layer. I've seen teams that encrypt external traffic but send payment tokens over plain HTTP between internal microservices. Don't be that team.

At rest: If you must store any payment-related data (even tokens or last-four digits), encrypt it. Use your cloud provider's KMS for key management rather than rolling your own. Rotate keys on a schedule. And make sure your database backups are encrypted too — that's a common audit finding.

Common mistakes I've seen

Logging card data. This is the most frequent violation. A developer adds request logging middleware, and suddenly full card numbers are sitting in your log aggregator. Always sanitize payment-related fields before logging. Better yet, use an allowlist approach — only log fields you've explicitly marked as safe.

Storing CVVs. PCI DSS is crystal clear: you cannot store CVV/CVC values after authorization. Ever. Not encrypted, not hashed, not "temporarily." If your database has a CVV column, you have a problem.

Passing PAN in query strings. Query parameters end up in access logs, browser history, referrer headers, and CDN logs. Card numbers in URLs are a disaster. Always use POST bodies for sensitive data, and make sure your API design enforces this.

Overly broad access. When every developer on the team has access to the production payment database, your PCI scope includes every one of their workstations. Limit access to the minimum necessary, and audit it regularly.

Scoping: draw the boundary tight

PCI scope isn't all-or-nothing. You can segment your network so that only a small, well-defined set of systems are in scope. The key techniques:

  • Network segmentation — Put payment-handling services in their own VPC or subnet with strict firewall rules.
  • Service isolation — Your payment service should be a separate, small service with a minimal API surface. Don't bolt payment processing onto your monolith.
  • Data flow mapping — Document exactly where cardholder data enters, moves through, and exits your system. Auditors love this, and building it forces you to find scope creep.

Working with payment processors

The best payment processors are partners in keeping you out of scope. When evaluating processors, ask:

  • Do they offer client-side tokenization?
  • Can they handle 3D Secure / SCA flows without card data touching your servers?
  • Do they provide PCI attestation documentation you can reference in your own assessment?
  • What does their webhook payload contain? (Some processors include masked card data in webhooks — make sure you're not inadvertently storing it.)

My approach is to treat the payment processor as the system of record for all card-related data. My systems store tokens, transaction IDs, and references. If I need card details for display, I fetch masked data from the processor on demand rather than caching it locally.

PCI compliance doesn't have to be painful if you design for it from the start. Keep card data off your servers, encrypt everything, log carefully, and draw your scope boundary as tight as possible. Your future self — and your auditor — will thank you.