To process payments, your users must attest to compliance with PCI DSS within 90 days of merchant approval, and annually thereafter. Users validate compliance by completing a Self-Assessment Questionnaire (SAQ). In this guide, you can learn how to comply with the PCI DSS using Finix.
"Users" include any entity that stores, processes, or transmits credit card data. For more information about PCI compliance, see PCI DSS Compliance.
The PCI compliance lifecycle consists of the following steps:
The compliance form is generated and pre-populated with business data.
Users review the form to verify the business details.
Users provide additional details and submit the form, attesting to its accuracy.
After submission, the system marks the form as signed and makes a PDF available for download.
Compliance forms must be completed within 90 days of onboarding and renewed annually thereafter.
Manual uploads of signed forms are not supported. Signing must be completed directly through the Finix Dashboard or API.
The following points outline key aspects of compliance forms:
- Upon successful onboarding, Finix’s API generates the required PCI compliance form pre-filled with your business information. Each Compliance Form is uniquely associated with your account.
- If your users are processing Card Not Present transactions, Finix will generate a pre-filled SAQ Questionnaire with type pci_saq_a. For example, see the following sample SAQ A form from the PCI Council.
- You must validate PCI compliance by completing the Compliance Form within 90 days of onboarding.
- The due_at field specifies the deadline for completing the Compliance Form.
- Users must attest to a new Compliance Form annually.
- A fee is assessed for each 30-day period that the Compliance Form remains overdue. For more information, see our Maintaining PCI Compliance guide.
The following describes the process of completing a PCI Compliance Form using the Finix Dashboard.
In a Merchant View dashboard, an overdue compliance form triggers a banner on the Home and Settings > Company pages.
For example, the banner appears on the Home page as follows:

The banner appears on the Settings > Company page as follows:

To complete a compliance form:
Click the Attest to Form button in the banner.

- The Settings > Company > Compliance tab loads.
- Click an overdue compliance form to display its details for review.
The Attestation section provides a link to the Unsigned PDF.

Click the link to review the unsigned compliance form in the browser or download it.
After reviewing the form and confirming all details, click the Attest to Form button.

An Attest Compliance Form modal appears.

- Enter the requested details and click the Attest button.
- A message stating "Compliance form has been attested successfully" appears.
- The compliance form status updates to Completed on the dashboard.
After a few minutes, refresh the page to access the Signed PDF link for viewing or downloading.
The Application or Platform dashboard view enables you to view and manage your users' compliance forms. Alternatively, you can complete compliance forms using the API.
A webhook notification is sent when Finix creates a Compliance Form.
To complete a compliance form:
- From your Finix Dashboard, in the left navigation, expand the Merchants menu and click Compliance.
The Compliance page loads.

From there, you can view or filter your merchants' compliance forms by Overdue or Incomplete status.
Click a compliance form to view its details.
The Attestation section provides a link to the unsigned compliance form in PDF format.

Click the link to review the unsigned compliance form in the browser or download it.
After reviewing and confirming accuracy, click the Attest to Form button.

An Attest Compliance Form modal appears.

- Enter the requested details and click the Attest button.
- A message stating "Compliance form has been attested successfully" appears.
- The compliance form status updates to Completed on the dashboard.
After a few minutes, refresh the page to access the Signed PDF link for viewing or downloading.
The following section describes the process of using the API to complete a PCI Compliance Form. Alternatively, users can review and complete the form using the Finix dashboard.
A webhook notification is sent when Finix creates a Compliance Form. Take note of the compliance form ID in the webhook payload.
Using the compliance form ID from the webhook, retrieve the compliance form resource from the GET /compliance_forms/{compliance_form_id} endpoint.
curl -i -X GET \
-u USfdccsr1Z5iVbXDyYt7hjZZ:313636f3-fac2-45a7-bff7-a334b93e7bda \
https://finix.sandbox-payments-api.com/compliance_forms/cf_uwErNm23TKYNEiqrEdJK59
In the response object, the files.unsigned_file property contains the ID of the unsigned compliance form, which can be retrieved and displayed to the user for review. The state property indicates the form is INCOMPLETE.
{
"id": "cf_uwErNm23TKYNEiqrEdJK59",
"created_at": "2025-07-07T18:05:01.96471Z",
"updated_at": "2025-10-16T22:34:05.217688Z",
"linked_to": "MUwfZPNW3r4EqLMzwgr6txw4",
"linked_type": "MERCHANT",
"application": "APc9vhYcPsRuTSpKD9KpMtPe",
"type": "PCI_SAQ_A",
"version": "2018.10",
"valid_from": "2025-09-09T23:17:43.041004Z",
"valid_until": "2026-09-09T23:17:43.041005Z",
"tags": {},
"pci_saq_a": {
"name": "John Smith",
"signed_at": "2022-03-18T16:42:55Z",
"user_agent": "Mozilla 5.0(Macintosh; IntelMac OS X 10 _14_6)",
"ip_address": "42.1.1.113",
"is_accepted": true,
"title": "CTO"
},
"due_at": "2025-10-05T18:05:01.94105Z",
"compliance_form_template": "cft_n6BfvWBVe4iK1HC4n9qN2t",
"files": {
"unsigned_file": "FILE_uyntoF5Y4LDrMDJtA9ujd6",
"signed_file": null
},
"state": "INCOMPLETE"
}
Obtain compliance consent as follows:
Provide the user with a link to the unsigned compliance form for review.
Verify that the user is the authorized representative of the company.
Show the user the required text to obtain consent:
By submitting this Self-Assessment Questionnaire, I certify that I am an authorized representative of the company and that all the information submitted is true and correct.
The user reviews the unsigned compliance form, submits the self-assessment questionnaire, and attests to its accuracy.
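The consent steps above can be enforced on the server before anything is sent to Finix. The following is an added example, not Finix code: it checks the form state and the consent record, then assembles the pci_saq_a body for the PUT /compliance_forms/{compliance_form_id} request from values the server itself observed. The signer and request_meta dictionaries and their keys are hypothetical, and treating all five signature fields as required is an assumption.

```python
import ipaddress
from datetime import datetime, timezone

# Consent wording quoted from this guide; the user must have been shown exactly this.
CONSENT_TEXT = (
    "By submitting this Self-Assessment Questionnaire, I certify that I am an "
    "authorized representative of the company and that all the information "
    "submitted is true and correct."
)


class AttestationError(ValueError):
    """Raised when the attestation must not be sent to Finix."""


def build_attestation(form, signer, request_meta, now=None):
    """Return the PUT body, or raise AttestationError.

    form:         compliance form resource as returned by the GET call
    signer:       hypothetical dict filled by your own UI and authorization check
    request_meta: hypothetical dict of values your server observed on the request
    """
    if form.get("state") != "INCOMPLETE":
        raise AttestationError("form is not awaiting attestation")
    if not (form.get("files") or {}).get("unsigned_file"):
        raise AttestationError("no unsigned file was available for review")
    if not signer.get("is_authorized_representative"):
        raise AttestationError("signer is not an authorized representative")
    if signer.get("consent_text_shown") != CONSENT_TEXT or not signer.get("accepted"):
        raise AttestationError("required consent text was not shown and accepted")
    name = (signer.get("name") or "").strip()
    title = (signer.get("title") or "").strip()
    user_agent = (request_meta.get("user_agent") or "").strip()
    if not (name and title and user_agent):  # assumption: all fields are required
        raise AttestationError("name, title and user agent are required")
    try:
        # Use the address of the connection the server saw, not a form field.
        ip = str(ipaddress.ip_address(request_meta.get("remote_addr", "")))
    except ValueError as exc:
        raise AttestationError("invalid signer IP address") from exc
    # Stamp the signature time server-side, in UTC, in the sample's format.
    stamp = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    return {"pci_saq_a": {
        "ip_address": ip,
        "name": name,
        "signed_at": stamp.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "title": title,
        "user_agent": user_agent,
    }}
```

Serialize the returned dictionary as the JSON body of the PUT request, and keep your own record of the consent check alongside the compliance form ID.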

Once consent is obtained, send a request to the PUT /compliance_forms/{compliance_form_id} endpoint to complete the compliance form, passing the compliance form ID as a path parameter. Include details about the signee's digital signature in the pci_saq_a object.
curl -i -X PUT \
-u USfdccsr1Z5iVbXDyYt7hjZZ:313636f3-fac2-45a7-bff7-a334b93e7bda \
https://finix.sandbox-payments-api.com/compliance_forms/cf_uwErNm23TKYNEiqrEdJK59 \
-H 'Content-Type: application/json' \
-d '{
"pci_saq_a": {
"ip_address": "42.1.1.113",
"name": "John Smith",
"signed_at": "2022-03-18T16:42:55Z",
"title": "CTO",
"user_agent": "Mozilla 5.0(Macintosh; IntelMac OS X 10 _14_6)"
}
}'
In the response object, the files.signed_file property contains the ID of the signed compliance form available for download. The state property indicates the form is COMPLETED.
{
"id": "cf_uwErNm23TKYNEiqrEdJK59",
"created_at": "2025-07-07T18:05:01.96471Z",
"updated_at": "2025-10-16T22:34:05.217688Z",
"linked_to": "MUwfZPNW3r4EqLMzwgr6txw4",
"linked_type": "MERCHANT",
"application": "APc9vhYcPsRuTSpKD9KpMtPe",
"type": "PCI_SAQ_A",
"version": "2018.10",
"valid_from": "2025-09-09T23:17:43.041004Z",
"valid_until": "2026-09-09T23:17:43.041005Z",
"tags": {},
"pci_saq_a": {
"name": "John Smith",
"signed_at": "2022-03-18T16:42:55Z",
"user_agent": "Mozilla 5.0(Macintosh; IntelMac OS X 10 _14_6)",
"ip_address": "42.1.1.113",
"is_accepted": true,
"title": "CTO"
},
"due_at": "2025-10-05T18:05:01.94105Z",
"compliance_form_template": "cft_n6BfvWBVe4iK1HC4n9qN2t",
"files": {
"unsigned_file": "FILE_uyntoF5Y4LDrMDJtA9ujd6",
"signed_file": "FILE_6U26h97cpuKmxqdE27KZh7"
},
"state": "COMPLETED"
}
With the ID of the signed compliance form specified in files.signed_file, download the signed compliance form by retrieving the file resource from the GET /files/{file_id} endpoint.
curl "https://finix.sandbox-payments-api.com/files/FILE_6U26h97cpuKmxqdE27KZh7/download" \
-H "Finix-Version: 2022-02-01" \
-u USfdccsr1Z5iVbXDyYt7hjZZ:313636f3-fac2-45a7-bff7-a334b93e7bda
The previous API request returns the binary PDF of the signed compliance form. To stream the file in the browser, add the query parameter ?stream=true to the URL. This instructs the API to stream the file inline so the client, such as a web browser, can render it directly.
To save the file to a local directory, use the curl -o option (for example, -o compliance_form.pdf).
To maintain PCI compliance, users must validate compliance annually by completing the SAQ questionnaire. When the valid_until date passes, Finix generates a new unsigned Compliance Form with updated valid_from and valid_until timestamps.
See our Maintaining PCI Compliance guide for how to avoid overdue fees.