Your Trust in Our Security is Important

Security compliance matters to your customers, and it will certainly matter to your business. 

By partnering with eWAY, you'll enjoy the highest level of PCI-DSS compliance on the planet. eWAY is tier-one PCI DSS compliant, and has the same levels of data security as the largest banks in the world. 

PCI DSS Self-Assessment Questionnaires (SAQs)

What are PCI DSS SAQs?

The PCI DSS Self-Assessment Questionnaires (SAQs) are validation tools intended to assist merchants and service providers in self-evaluating their compliance with the PCI DSS (Payment Card Industry Data Security Standards). There are multiple versions of the PCI DSS SAQs to meet various scenarios.

Do I need them?

All payment gateways and merchant banks are required to have their merchants complete at least one of the SAQ forms, listed to the left.

Which Ones?

As a merchant who is accepting card transactions your bank will require you to complete the correct PCI DSS SAQ for the API type that you are integrating with.

This table is a list of eWAY’s API’s and the relevant SAQ that you must complete. Please note that this only applies to when you are accepting your customer’s card information. Subsequent recurring or token transactions processed without requiring the customer to enter their card number are not included in your compliance.


How to Quickly & Easily Become PCI Compliant

The easiest and fastest way to become PCI Compliant is to use eWAY's solutions as we're tier 1 PCI Compliant. You can integrate to hosted solutions (such as Xero or Shopify), or in just a few simple steps integrate to eWAY's iFrame solution.

If you do need to complete an SAQ form - don't panic. eWAY can help you with this. We're here for you every step of the way.

PCI DSS SAQ Forms Required


eWAY Rapid APIs
  • Responsive Shared Page - SAQ A (14 requirements)
  • Rapid iFrame - SAQ A (14 requirements)
  • Transparent Redirect - SAQ A - EP (140 requirements)
  • Client Side Encryption - SAQ A - EP (140 requirements)
  • Direct Payments - SAQ D (326 requirements) 
  • MOTO within MYeWAY - SAQ C - VT (73 requirements)
  • PayNow Button - SAQ A (14 requirements) 


Legacy APIs
  • Direct XML - SAQ D (326 requirements)
  • Direct XML Stored - SAQ D (326 requirements)
  • Direct PreAuth XML - SAQ D (326 requirements)
  • Shared Payments - SAQ A (14 requirements)
  • Managed Payments Token Web Service - SAQ D (326 requirements)
  • Rebill XML API - SAQ D (326 requirements)
  • Rebill Web Service - SAQ D (326 requirements)

Seem confusing? That's OK, eWAY has the team available to help you every step of the way. Contact us now to discuss your PCI DSS Compliance. ​

More Information on Each SAQ Form


(14 Requirements)

This SAQ applies to merchants who have fully outsourced their website or card payment forms to a third party provider. In the case of a compliant SaaS application such as Xero or Shopify you will be required to provide your bank with their PCI compliance certificate.

 Outsourcing your payment form to eWAY includes using our Rapid Responsive Shared Page, Rapid iFrame or Rapid Pay Now button.

 This is the shortest possible questionnaire that you can complete and is the preferred solution for merchant banks.


(140 Requirements)

This SAQ applies to merchants who are hosting the card payment form, however the form sends card information directly to eWAY from the client’s browser. This ensures that whilst the server controls the payment form, it never receives the card information and is therefore not at risk of storing card data.

The requirements in this form will require you to have an above-average hosting environment including advanced firewall configurations, segregation of server tasks (separate web/database/dns servers and appropriate security/access controls) and many other documented procedures and security policies.


(326 Requirements)

This SAQ applies to merchants who’s servers are processing, transmitting or storing card information obtained in their payment forms. Any “direct” API’s where the server connects to eWAY to process transactions will be included in this SAQ form.

As the SAQ D is for all merchants not falling in to another SAQ category, in addition to the requirements for the SAQ A - EP, the SAQ D covers all possible ways in which card data could be processed, transmitted or stored. Due to the scope of the SAQ D it is strongly recommended that merchants consider their business case for using a Direct API and the possibility of implementing an API that allows completion of either the SAQ A or SAQ A - EP.



(73 Requirements)

This SAQ applies to merchants who are only using a gateway provided virtual terminal. 

As the SAQ C - VT is for merchants who are physically handling card information there are a higher number of requirements. You should speak directly with your merchant bank about best practises for handling of card information with virtual terminal use.