I'm using Recurly.js. What SAQ do I need to fill out?

Recurly.js is our open-source JavaScript library that gives you great-looking credit card forms to securely create subscriptions, process one-time transactions, and update billing information for your customers. The order forms are designed to be fully customized and hosted on your own servers. The cardholder data passes directly from the customer's browser to Recurly. Because the cardholder data does not pass through your servers, your PCI scope is limited.

Merchants using Recurly.js (v4) should be eligible to complete the shortened PCI DSS Self-Assessment Questionnaire A.

Please note that your merchant bank account provider will still require you to be PCI compliant when using Recurly.js. This means following best practices to secure your servers and payment pages, so that your payment page cannot be compromised through cross-site scripting.

Regardless of your Recurly integration, your merchant bank account provider will still require you to be PCI compliant, so please be aware of the following updates to PCI DSS:

  • PCI DSS version 3.2 clarifies many compliance issues and introduces SAQ type A-EP. SAQ A may be completed by merchants linking to third-party payment pages (e.g., Recurly's Hosted Payment Pages) and by merchants hosting their own payment page while using Recurly.js (v4) to secure the billing details. Merchants who host their payment page and use an earlier version of Recurly.js (v3 or earlier) to secure the billing details should complete SAQ A-EP. Please see Understanding the SAQs for PCI v3 (pages 4 and 5) for more information.