Learn about basic compliance and data standards for payment processing

If your app accesses cardholder and credit card information, you’re legally required to protect that financial data.

Here’s a basic overview of compliance and data storage rules. This applies to all apps using the QuickBooks Payments API to process payments via credit card. Keep in mind, this is a general overview. There may be additional rules and standards for the industries you design your app for.

All apps that use the QuickBooks Payments API to access credit card and cardholder info must follow the Payment Application Data Security Standard (PA DSS). This is a broad standard established by the credit card industry. It defines what credit card info is and how it must be handled.

For details, refer to the Payment Card Industry (PCI) Security Standards Council website.

Your app shouldn’t store credit card security codes (CVC2, CVV2, and so on).

It also shouldn’t store Track2 data.

Any transaction data brought into a user’s QuickBooks Online company must mask credit card numbers. At minimum:

• All numbers, except the last four digits, must be lowercase x. For example: xxx-xxx-1234.
• Don’t use dashes.

At minimum, your app:

• Must include a ReCAPTCHA system to help detect and prevent fraudulent transactions.
• Must encrypt access tokens before storing them.
• Can store the access tokens in volatile memory only.
• May not automate any part of the merchant application authorization user interface.
• May not request and/or store users’ Intuit ID (identified by the sub field).

If your app doesn’t comply with these rules, it may lose access to QuickBooks Payments services and the QuickBooks Payments API.

If your app uses tokens to mask data, it must comply with the Payment Application Data Security Standard (PA DSS).

For details, refer to the Payment Card Industry (PCI) Security Standards Council website.