© 2026 Centavo, Inc. All rights reserved | Centavo (DBA Payabli) is a registered Payment Facilitator of PNC Bank, N.A., Pittsburgh, PA. Payabli is a registered ISO/MSP of Merrick Bank, South Jordan, UT.

PCI compliance best practices

Learn how to protect cardholder data and reduce risk in card-not-present environments

Applies to: Developers, Partners, Paypoints

The Payment Card Industry Data Security Standard (PCI DSS) is a globally recognized framework for protecting cardholder data and reducing payment fraud. It applies to any business that stores, processes, or transmits payment card information, including online, virtual terminal, recurring billing, and invoice-based payment channels. Staying compliant protects your customers’ data, reduces fraud and chargebacks, limits operational risk, and keeps your processing relationship in good standing.

Using Payabli’s embedded components and tokenization keeps card data out of your systems and reduces your PCI scope. The practices below cover the parts of compliance that stay your responsibility as a merchant or partner operating in card-not-present (CNP) environments.

This guide provides general best practices for CNP merchants operating on the Payabli platform. It doesn’t constitute legal advice. For questions about your specific compliance requirements, reach out to the Payabli team.

Data and access controls

How you store card data and who can reach it are the foundation of PCI compliance.

Card data storage

  • Don’t store full card numbers in spreadsheets, emails, or written notes.
  • Don’t retain CVV or security codes after authorization.
  • Don’t save card data in unsecured CRM systems or shared drives.
  • Use tokenization or secure vaulting for any recurring billing needs.
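As an added example (not part of Payabli's documentation or platform), a small Python scanner a merchant can run over CRM notes, ticket exports or log lines to find full card numbers that should not be there: it picks out 13 to 19 digit runs, confirms each with the Luhn check that card-brand PANs satisfy, and masks hits down to the last four digits. The sample records are constructed and use published test card numbers, not real cardholder data.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run (so order/tracking ids are unlikely hits).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; every major card brand's PANs satisfy it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only the last four digits, a form PCI DSS permits to be displayed."""
    return "*" * (len(pan) - 4) + pan[-4:]

def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid candidate in text, with separators removed."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found

def redact(text: str) -> Tuple[str, int]:
    """Replace each likely PAN with its masked form; return (clean text, hits)."""
    hits = 0
    def _sub(m: re.Match) -> str:
        nonlocal hits
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)  # 16-digit order ids and the like stay untouched
        hits += 1
        return mask_pan(digits)
    return _CANDIDATE.sub(_sub, text), hits

# Constructed sample records using industry test card numbers, not real data.
SAMPLE_RECORDS = [
    "CRM note: customer asked to bill 4111 1111 1111 1111 every month",
    "order 1234567890123456 shipped, tracking 9400111899223",
    "support email: card 5555-5555-5555-4444 exp 12/29 cvv 123",
]
```

Calling `redact()` on each record masks the two test PANs and leaves the order and tracking ids alone; the Luhn step is what keeps those false positives out.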

Employee access

  • Assign individual user logins, and never share credentials.
  • Enforce strong passwords and multi-factor authentication (MFA).
  • Limit access to only the employees who need it for their role.
  • Remove access for terminated or inactive users without delay.

Device and network security

  • Keep antivirus software, browsers, and applications updated and patched.
  • Use encrypted, password-protected Wi-Fi for payment processing.
  • Change default passwords on all routers and hardware immediately.
  • Don’t process payments over public or unsecured Wi-Fi.

Secure payment and billing practices

How you collect payment information and communicate billing terms affects both your PCI scope and your dispute rate.

Accepted collection methods

  • Use hosted payment pages or secure payment links.
  • Use PCI-compliant virtual terminals.
  • Let customers enter their own payment information directly.

Methods to avoid

  • Collecting card numbers via email or SMS/text message.
  • Recording payment details over voicemail.
  • Accepting card data through unsecured web forms.

Customer billing clarity

Many disputes in CNP environments stem from customer confusion, not fraud. Clear billing practices protect both you and your customers.

  • Disclose billing terms and cancellation policies upfront.
  • Obtain written or documented customer authorization for recurring charges.
  • Send receipts and confirmations right after each transaction.
  • Make sure your billing descriptor matches the name customers recognize.

For recurring or membership billing, document cancellation procedures clearly and follow them consistently. Failing to honor cancellations is a leading cause of chargebacks and account risk escalation.

Monitoring and risk awareness

Ongoing monitoring helps you catch problems before they become chargebacks or compliance issues. For more detail on the patterns payment processors watch for, see Risk and compliance basics.

Monitor for suspicious activity

Review payment activity on a regular cadence, and investigate any of the following:

  • Unusual transaction volume spikes
  • Multiple declined payment attempts in a short window
  • Mismatched customer billing or shipping information
  • Excessive refunds or disputes relative to volume
  • Unrecognized or anomalous transaction patterns
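As an added example, not from Payabli's docs or API, three of the signals above turned into checks over a constructed list of transaction records (the `Txn` shape, customer ids and ZIP codes are assumptions for illustration): a sliding window that flags customers with repeated declines in a short span, a refund-plus-dispute rate relative to approved sales, and billing/shipping ZIP mismatches.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Txn:
    ts: datetime
    customer: str      # merchant's customer id, never a raw card number
    kind: str          # "sale", "refund" or "dispute"
    status: str        # "approved" or "declined"
    billing_zip: str
    shipping_zip: str

def decline_bursts(txns: list[Txn], window_minutes: int, limit: int) -> dict[str, int]:
    """Customers with at least `limit` declines inside any window (value: peak count)."""
    declines: dict[str, list[datetime]] = {}
    for t in txns:
        if t.status == "declined":
            declines.setdefault(t.customer, []).append(t.ts)
    flagged: dict[str, int] = {}
    for cust, times in declines.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > timedelta(minutes=window_minutes):
                start += 1
            if end - start + 1 >= limit:
                flagged[cust] = max(flagged.get(cust, 0), end - start + 1)
    return flagged

def refund_dispute_rate(txns: list[Txn]) -> float:
    """Refunds plus disputes as a fraction of approved sales (0.0 if no sales)."""
    sales = sum(1 for t in txns if t.kind == "sale" and t.status == "approved")
    reversals = sum(1 for t in txns if t.kind in ("refund", "dispute"))
    return reversals / sales if sales else 0.0

def address_mismatches(txns: list[Txn]) -> list[str]:
    """Customers with an approved sale whose billing and shipping ZIPs differ."""
    return sorted({t.customer for t in txns if t.status == "approved" and t.billing_zip != t.shipping_zip})

T0 = datetime(2026, 1, 15, 9, 0)  # constructed sample activity; ids and ZIPs are made up
SAMPLE_TXNS = [
    Txn(T0, "cust-A", "sale", "declined", "30301", "30301"),
    Txn(T0 + timedelta(minutes=1), "cust-A", "sale", "declined", "30301", "30301"),
    Txn(T0 + timedelta(minutes=3), "cust-A", "sale", "declined", "30301", "30301"),
    Txn(T0, "cust-B", "sale", "declined", "10001", "10001"),
    Txn(T0 + timedelta(hours=1), "cust-B", "sale", "approved", "10001", "10001"),
    Txn(T0, "cust-C", "sale", "approved", "60601", "60601"),
    Txn(T0 + timedelta(days=1), "cust-C", "refund", "approved", "60601", "60601"),
    Txn(T0, "cust-D", "sale", "approved", "30301", "98101"),
]
```

With a 10-minute window and a limit of 3, only cust-A is flagged; cust-B's single decline stays below the threshold, and a reviewer would then look at cust-D's ZIP mismatch and cust-C's refund rather than at raw card data.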

Common CNP risk areas

  • Card data shared via text or email
  • Shared employee credentials
  • Locally stored card data
  • Missing cancellation procedures
  • Unsecured remote devices
  • Unauthorized automatic billing

Any third-party software, CRM, gateway, or integration in your payment environment must support secure payment handling and maintain appropriate security standards. Verify your vendors’ compliance status regularly.

Ongoing compliance checklist

Revisit these areas on a regular cadence to keep your compliance current:

  1. Review payment procedures: Periodically audit how your team collects and handles card data.
  2. Audit employee access: Confirm role-based access is current and MFA is enforced.
  3. Review billing practices: Verify descriptors, authorization records, and cancellation workflows are accurate.

Related resources

See these related resources to help you get the most out of Payabli.

References

  • Payment method tokenization - Learn how payment method tokenization secures sensitive data and enhances security for your payments
  • Trust center - Review Payabli’s security certifications, including PCI DSS Level 1.

Related topics

  • Risk and compliance basics - Learn about suspicious activity detection and compliance in payment processing