PCI Compliance
Security architecture and payment data handling guidelines.
Our Security Stance
Security is the foundation of PayXT. To ensure the highest level of protection for our users and their clients, PayXT is designed to never process, transmit, or store sensitive Cardholder Data (CHD) on our own servers.
1. No Cardholder Data Stored
PayXT operates strictly as an invoice generation and link-routing interface. When a client pays an invoice generated by our software, they do so directly on the secure checkout pages hosted by Stripe or PayPal. We do not collect, view, or retain Primary Account Numbers (PAN), CVV codes, or expiration dates.
2. PCI Level 1 Payment Partners
We rely on established payment gateways to handle all financial transactions. The payment providers we integrate with are certified to the highest standard in the payment industry (PCI DSS Level 1 Service Provider):
- Stripe: Certified as a PCI DSS Level 1 Service Provider. Stripe enforces HTTPS (TLS) for all of its services and encrypts card numbers at rest.
- PayPal: A fully PCI DSS compliant payment processor that handles the secure routing and tokenization of all credit card data.
3. Security of Your API Keys
While we do not store credit card data, we do store the API keys necessary to connect your PayXT dashboard to your payment gateways. To protect this data:
- Your API keys are stored in private, authenticated cloud databases (Firebase).
- Read and write access to your records is enforced by Firebase security rules tied to Firebase Authentication, so only a session signed in as you can read or write your keys.
- All communication between the PayXT app and our backend servers occurs over secure, encrypted HTTPS channels.
Restricted Keys & Device Security: To limit the damage a leaked key could do, we require that you generate and provide "Restricted API Keys" (keys scoped to only the read/write permissions PayXT needs, such as creating invoices) rather than your account's standard Secret Key; a restricted key cannot be used to issue refunds, read customer records, or change account settings unless you granted it those permissions. Furthermore, you are responsible for utilizing device-level security (e.g., biometrics, PIN codes) on your mobile device. We are not liable for unauthorized transactions resulting from a compromised user device, your failure to use restricted keys, or unauthorized access to third-party cloud infrastructure.
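The "restricted keys only" rule is easiest to enforce at the point where a key is saved, before it ever reaches the database. The following is an added illustration, not PayXT's own code, of such an intake check for Stripe keys. It relies on Stripe's published key naming (sk_ for standard secret keys, rk_ for restricted keys, pk_ for publishable keys, each followed by live_ or test_); the function names, the option flag, and the sample key strings are assumptions made for the example.

```javascript
// Added example (not PayXT code): reject standard secret keys at intake so
// only restricted keys are ever stored. Assumes Stripe's documented prefixes:
//   sk_live_/sk_test_  standard secret key
//   rk_live_/rk_test_  restricted key
//   pk_live_/pk_test_  publishable key (browser-safe, cannot call server APIs)
const STRIPE_KEY_PATTERN = /^(sk|rk|pk)_(live|test)_[A-Za-z0-9]+$/;

// Returns { kind, mode } or null when the value is not a Stripe key at all.
function classifyStripeKey(key) {
  if (typeof key !== "string") return null;
  const m = STRIPE_KEY_PATTERN.exec(key.trim());
  if (!m) return null;
  const kind = { sk: "secret", rk: "restricted", pk: "publishable" }[m[1]];
  return { kind, mode: m[2] };
}

// Policy decision: only restricted keys may be stored. The reason string is
// safe to show in the UI; it never echoes the key itself.
function acceptGatewayKey(key, { allowTestMode = true } = {}) {
  const info = classifyStripeKey(key);
  if (!info) {
    return { ok: false, reason: "not a recognised Stripe API key" };
  }
  if (info.kind === "secret") {
    return { ok: false, reason: "standard secret key (sk_) rejected; create a restricted key (rk_) instead" };
  }
  if (info.kind === "publishable") {
    return { ok: false, reason: "publishable key (pk_) cannot authorise server-side calls" };
  }
  if (info.mode === "test" && !allowTestMode) {
    return { ok: false, reason: "test-mode key not allowed here" };
  }
  return { ok: true, mode: info.mode };
}

// Mask a key for logs and UI: keep the type/mode prefix and the last 4 chars.
function maskKey(key) {
  const k = typeof key === "string" ? key.trim() : "";
  if (!classifyStripeKey(k)) return "****";
  const prefix = k.slice(0, k.indexOf("_", 3) + 1); // e.g. "rk_live_"
  return `${prefix}...${k.slice(-4)}`;
}

// Constructed sample inputs (not real keys) showing each outcome.
const SAMPLE_KEYS = [
  "rk_live_abc123",
  "rk_test_abc123",
  "sk_live_abc123",
  "pk_test_abc123",
  "hunter2",
];

function runSamples() {
  return SAMPLE_KEYS.map((k) => {
    const verdict = acceptGatewayKey(k);
    return { key: maskKey(k), ok: verdict.ok, reason: verdict.reason || verdict.mode };
  });
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(runSamples());
}
```

The prefix check only proves the key is of the restricted type; it cannot tell which permissions the restricted key carries, so the dashboard should still tell users exactly which permissions to grant when they create the key.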
4. Merchant Responsibilities (SAQ-A)
Because PayXT redirects your clients to checkout pages hosted by Stripe or PayPal (rather than capturing card data natively in our app), no cardholder data passes through PayXT or through your own systems, and the PCI compliance burden on you as a merchant is significantly reduced.
In most cases, merchants using this method are eligible for PCI SAQ A (Self-Assessment Questionnaire A), which applies when all cardholder data functions are fully outsourced to a validated third party. Eligibility is ultimately determined by your acquirer or payment processor, so it is your responsibility to ensure your Stripe or PayPal account maintains good standing and that you complete any annual compliance questionnaires required directly by your payment processor.
5. Contact Our Security Team
If you have questions regarding our security architecture, data handling practices, or vulnerability reporting, please contact us:
DTLA Professional Services, LLC
770 S Grand Ave
Los Angeles, CA 90017
Phone: 213-444-2224