# PCI compliance best practices

> Learn how to protect cardholder data and reduce risk in card-not-present environments

The Payment Card Industry Data Security Standard (PCI DSS) is a globally recognized framework for protecting cardholder data and reducing payment fraud. It applies to any business that stores, processes, or transmits payment card information, including online, virtual terminal, recurring billing, and invoice-based payment channels. Staying compliant protects your customers' data, reduces fraud and chargebacks, limits operational risk, and keeps your processing relationship in good standing.

Using Payabli's [embedded components](/guides/pay-in-components-overview) and [tokenization](/guides/platform-tokenization-overview) keeps card data out of your systems and reduces your PCI scope. The practices below cover the parts of compliance that stay your responsibility as a merchant or partner operating in card-not-present (CNP) environments.

This guide provides general best practices for CNP merchants operating on the Payabli platform. It doesn't constitute legal advice. For questions about your specific compliance requirements, reach out to the Payabli team.

## Data and access controls

How you store card data and who can reach it are the foundation of PCI compliance.

**Card data storage**

* Don't store full card numbers in spreadsheets, emails, or written notes.
* Don't retain CVV or security codes after authorization.
* Don't save card data in unsecured CRM systems or shared drives.
* Use [tokenization](/guides/platform-tokenization-overview) or secure vaulting for any recurring billing needs.

**Employee access**

* Assign individual user logins, and never share credentials.
* Enforce strong passwords and multi-factor authentication (MFA).
* Limit access to only the employees who need it for their role.
* Remove access for terminated or inactive users without delay.

**Device and network security**

* Keep antivirus software, browsers, and applications updated and patched.
* Use encrypted, password-protected Wi-Fi for payment processing.
* Change default passwords on all routers and hardware immediately.
* Don't process payments over public or unsecured Wi-Fi.

## Secure payment and billing practices

How you collect payment information and communicate billing terms affects both your PCI scope and your dispute rate.

**Accepted collection methods**

* Use hosted payment pages or secure payment links.
* Use PCI-compliant virtual terminals.
* Let customers enter their own payment information directly.

**Methods to avoid**

* Collecting card numbers via email or SMS/text message.
* Recording payment details over voicemail.
* Accepting card data through unsecured web forms.

**Customer billing clarity**

Many disputes in CNP environments stem from customer confusion, not fraud. Clear billing practices protect both you and your customers.

* Disclose billing terms and cancellation policies upfront.
* Obtain written or documented customer authorization for recurring charges.
* Send receipts and confirmations right after each transaction.
* Make sure your billing descriptor matches the name customers recognize.

For recurring or membership billing, document cancellation procedures clearly and follow them consistently. Failing to honor cancellations is a leading cause of chargebacks and account risk escalation.

## Monitoring and risk awareness

Ongoing monitoring helps you catch problems before they become chargebacks or compliance issues. For more detail on the patterns payment processors watch for, see [Risk and compliance basics](/guides/platform-risk-basics-overview).

**Monitor for suspicious activity**

Review payment activity on a regular cadence, and investigate any of the following:

* Unusual transaction volume spikes
* Multiple declined payment attempts in a short window
* Mismatched customer billing or shipping information
* Excessive refunds or disputes relative to volume
* Unrecognized or anomalous transaction patterns
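Three of the patterns above (volume spikes, clustered declines, refunds out of proportion to sales) can be checked mechanically against a transaction export. The code below is an added example, not part of the Payabli platform or its API: the event fields (`ts`, `token`, `type`, `status`) and the thresholds are assumptions chosen for the example, and the event list is constructed so that one hour spikes, one card token is declined three times in ten minutes, and refunds run at 20% of approved sales.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median


def hourly_volume_spikes(events, factor=3.0):
    """Flag hours whose approved-sale count exceeds factor x the median of the other hours."""
    counts = Counter(
        e["ts"].strftime("%Y-%m-%dT%H:00")
        for e in events
        if e["type"] == "sale" and e["status"] == "approved"
    )
    flagged = {}
    for hour, n in counts.items():
        others = [c for h, c in counts.items() if h != hour]
        if others and n > factor * median(others):
            flagged[hour] = n
    return flagged


def decline_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Return {token: max declines seen inside any single `window`} for tokens at or over threshold."""
    by_token = defaultdict(list)
    for e in events:
        if e["status"] == "declined":
            by_token[e["token"]].append(e["ts"])
    flagged = {}
    for token, times in by_token.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[token] = max(count, flagged.get(token, 0))
    return flagged


def refund_ratio(events):
    """Approved refunds divided by approved sales (0.0 when there are no sales)."""
    sales = sum(1 for e in events if e["type"] == "sale" and e["status"] == "approved")
    refunds = sum(1 for e in events if e["type"] == "refund" and e["status"] == "approved")
    return refunds / sales if sales else 0.0


def review(events, refund_limit=0.10):
    """Return human-readable alerts for everything the three checks flag."""
    alerts = [f"volume spike: {n} approved sales in hour {h}" for h, n in hourly_volume_spikes(events).items()]
    alerts += [f"decline burst: {n} declines for {tok} within 10 min" for tok, n in decline_bursts(events).items()]
    ratio = refund_ratio(events)
    if ratio > refund_limit:
        alerts.append(f"refund ratio {ratio:.0%} exceeds {refund_limit:.0%}")
    return alerts


def _constructed_events():
    """Constructed sample export; not real transaction data."""
    base = datetime(2024, 3, 2)
    ev = []

    def add(hhmm, token, typ, status):
        h, m = hhmm.split(":")
        ev.append({"ts": base.replace(hour=int(h), minute=int(m)), "token": token, "type": typ, "status": status})

    # baseline hours (09, 10, 12): two approved sales each
    for hhmm, tok in [("09:05", "tok_a"), ("09:40", "tok_b"), ("10:10", "tok_c"),
                      ("10:50", "tok_d"), ("12:15", "tok_n"), ("12:45", "tok_o")]:
        add(hhmm, tok, "sale", "approved")
    for i in range(9):                          # 11:00 hour: nine approved sales, a spike
        add(f"11:{5 * i:02d}", f"tok_s{i}", "sale", "approved")
    for hhmm in ("11:05", "11:07", "11:09"):    # same token declined three times in ten minutes
        add(hhmm, "tok_x", "sale", "declined")
    add("09:30", "tok_y", "sale", "declined")   # isolated declines hours apart: not a burst
    add("12:30", "tok_y", "sale", "declined")
    for hhmm, tok in [("10:20", "tok_a"), ("12:50", "tok_c"), ("12:55", "tok_d")]:
        add(hhmm, tok, "refund", "approved")     # three refunds against fifteen sales
    return ev


EVENTS = _constructed_events()

if __name__ == "__main__":
    for line in review(EVENTS):
        print(line)
```

The thresholds (3x the median hour, three declines in ten minutes, a 10% refund ratio) are starting points; tune them to your own baseline so the review surfaces genuine anomalies rather than normal daily variation.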

**Common CNP risk areas**

* Card data shared via text or email
* Shared employee credentials
* Locally stored card data
* Missing cancellation procedures
* Unsecured remote devices
* Unauthorized automatic billing

Any third-party software, CRM, gateway, or integration in your payment environment must support secure payment handling and maintain appropriate security standards. Verify your vendors' compliance status regularly.

## Ongoing compliance checklist

Revisit these areas on a regular cadence to keep your compliance current:

1. **Review payment procedures**: Periodically audit how your team collects and handles card data.
2. **Audit employee access**: Confirm role-based access is current and MFA is enforced.
3. **Review billing practices**: Verify descriptors, authorization records, and cancellation workflows are accurate.

## Related resources

See these related resources to help you get the most out of Payabli.

* **[Payment method tokenization](/guides/platform-tokenization-overview)** - Learn how payment method tokenization secures sensitive data and enhances security for your payments.
* **[Trust center](/trust-center)** - Review Payabli's security certifications, including PCI DSS Level 1.
* **[Risk and compliance basics](/guides/platform-risk-basics-overview)** - Learn about suspicious activity detection and compliance in payment processing.