# Managing PCI Compliance

To process payments, your users must attest to compliance with PCI DSS within 90 days of merchant approval, and annually thereafter. Users validate compliance by completing a Self-Assessment Questionnaire (SAQ). In this guide, you can learn how to comply with the PCI DSS using Finix.

"Users" include any entity that stores, processes, or transmits credit card data. For more information about PCI compliance, see [PCI DSS Compliance](/guides/managing-operations/security-compliance/pci-dss-compliance).

## The PCI Compliance Lifecycle

The PCI compliance lifecycle consists of the following steps:

1. The compliance form is generated and pre-populated with business data.
2. Users review the form to verify the business details.
3. Users provide additional details and submit the form, attesting to its accuracy.
4. After submission, the system marks the form as **signed** and makes a PDF available for download.
5. Compliance forms must be completed within 90 days of onboarding and renewed annually thereafter.

Manual uploads of signed forms are not supported. Signing must be completed directly through the [Finix Dashboard](#completing-compliance-forms-using-the-dashboard) or [API](#completing-compliance-forms-using-the-api).

## Understanding Compliance Forms

The following points outline key aspects of compliance forms:

- Upon successful onboarding, Finix's API generates the required PCI compliance form pre-filled with your business information. Each Compliance Form is uniquely associated with your account.
- If your users are processing Card Not Present transactions, Finix will generate a pre-filled SAQ Questionnaire with type `pci_saq_a`. For example, see the following sample [SAQ A form](https://www.pcisecuritystandards.org/documents/PCI-DSS-v3_2_1-SAQ-A.pdf) from the PCI Council.
- You must validate PCI compliance by completing the Compliance Form within 90 days of onboarding.
- The `due_at` field specifies the deadline for completing the Compliance Form.
- Users must attest to a new Compliance Form annually.
- A fee is assessed for each 30-day period that the Compliance Form remains overdue. For more information, see our [Avoiding Compliance Overdue Fees](/guides/managing-operations/security-compliance/avoiding-compliance-overdue-fees) guide.

## Completing Compliance Forms using the Dashboard

The following describes the process of completing a PCI Compliance Form using the Finix Dashboard.

### Merchant View Dashboard

In a Merchant View dashboard, an overdue compliance form triggers a banner on the **Home** and **Settings** > **Company** pages.

*To complete a compliance form*:

1. Click the **Attest to Form** button in the banner.
   - The **Settings** > **Company** > **Compliance** tab loads.
2. Click an overdue compliance form to display its details for review.
   - The **Attestation** section provides a link to the **Unsigned PDF**.
3. Click the link to review the unsigned compliance form in the browser or download it.
4. After reviewing the form and confirming all details, click the **Attest to Form** button.
   - An **Attest Compliance Form** modal appears.
5. Enter the requested details and click the **Attest** button.
   - A message stating "Compliance form has been attested successfully" appears.
   - The compliance form status updates to **Completed** on the dashboard. After a few minutes, refresh the page to access the **Signed PDF** link for viewing or downloading.

### Application / Platform View Dashboard

The Application or Platform dashboard view enables you to view and manage your users' compliance forms. Alternatively, you can complete compliance forms using the [API](#completing-compliance-forms-using-the-api).
A [webhook notification](#1.-webhook-notification) is sent when Finix creates a Compliance Form.

*To complete a compliance form*:

1. From your Finix Dashboard, in the left navigation, expand the **Merchants** menu and click **Compliance**.
   - The **Compliance** page loads.
2. From there, you can view or filter your merchants' compliance forms by **Overdue** or **Incomplete** status.
3. Click a compliance form to view its details.
   - The **Attestation** section provides a link to the unsigned compliance form in PDF format.
4. Click the link to review the unsigned compliance form in the browser or download it.
5. After reviewing and confirming accuracy, click the **Attest to Form** button.
   - An **Attest Compliance Form** modal appears.
6. Enter the requested details and click the **Attest** button.
   - A message stating "Compliance form has been attested successfully" appears.
   - The compliance form status updates to **Completed** on the dashboard. After a few minutes, refresh the page to access the **Signed PDF** link for viewing or downloading.

## Completing Compliance Forms using the API

The following section describes the process of using the API to complete a PCI Compliance Form. Alternatively, users can review and complete the form using the [Finix dashboard](#merchant-view-dashboard).

### 1. Webhook Notification

A webhook notification is sent when Finix creates a Compliance Form. Take note of the compliance form ID in the webhook payload.

### 2. Retrieve the Unsigned Compliance Form

Using the compliance form ID from the webhook, retrieve the compliance form resource from the [GET /compliance_forms/{compliance_form_id}](/api/compliance-forms/getcomplianceform) endpoint.
```shell
curl -i -X GET \
  -u USfdccsr1Z5iVbXDyYt7hjZZ:313636f3-fac2-45a7-bff7-a334b93e7bda \
  https://finix.sandbox-payments-api.com/compliance_forms/cf_uwErNm23TKYNEiqrEdJK59
```

In the response object, the `files.unsigned_file` property contains the ID of the unsigned compliance form, which can be retrieved and displayed to the user for review. The `state` property indicates the form is `INCOMPLETE`.

```json
{
  "id": "cf_uwErNm23TKYNEiqrEdJK59",
  "created_at": "2025-07-07T18:05:01.96471Z",
  "updated_at": "2025-10-16T22:34:05.217688Z",
  "linked_to": "MUwfZPNW3r4EqLMzwgr6txw4",
  "linked_type": "MERCHANT",
  "application": "APc9vhYcPsRuTSpKD9KpMtPe",
  "type": "PCI_SAQ_A",
  "version": "2018.10",
  "valid_from": "2025-09-09T23:17:43.041004Z",
  "valid_until": "2026-09-09T23:17:43.041005Z",
  "tags": {},
  "pci_saq_a": {
    "name": "John Smith",
    "signed_at": "2022-03-18T16:42:55Z",
    "user_agent": "Mozilla 5.0(Macintosh; IntelMac OS X 10 _14_6)",
    "ip_address": "42.1.1.113",
    "is_accepted": true,
    "title": "CTO"
  },
  "due_at": "2025-10-05T18:05:01.94105Z",
  "compliance_form_template": "cft_n6BfvWBVe4iK1HC4n9qN2t",
  "files": {
    "unsigned_file": "FILE_uyntoF5Y4LDrMDJtA9ujd6",
    "signed_file": null
  },
  "state": "INCOMPLETE"
}
```

### 3. Obtaining Compliance Consent

Obtain compliance consent as follows:

1. Provide the user with a link to the unsigned compliance form for review.
2. Verify that the user is the authorized representative of the company.
3. Show the user the required text to obtain consent:

   > *By submitting this Self-Assessment Questionnaire, I certify that I am an authorized representative of the company and that all the information submitted is true and correct.*

4. The user reviews the unsigned compliance form, submits the self-assessment questionnaire, and attests to its accuracy.

### 4. Completing the Compliance Form

Once consent is obtained, send a request to the [PUT /compliance_forms/{compliance_form_id}](/api/compliance-forms/updatecomplianceform) endpoint to complete the compliance form, passing the compliance form ID as a path parameter. Include details about the signee's digital signature in the `pci_saq_a` object.

```shell
curl -i -X PUT \
  -u USfdccsr1Z5iVbXDyYt7hjZZ:313636f3-fac2-45a7-bff7-a334b93e7bda \
  https://finix.sandbox-payments-api.com/compliance_forms/cf_uwErNm23TKYNEiqrEdJK59 \
  -H 'Content-Type: application/json' \
  -d '{
    "pci_saq_a": {
      "ip_address": "42.1.1.113",
      "name": "John Smith",
      "signed_at": "2022-03-18T16:42:55Z",
      "title": "CTO",
      "user_agent": "Mozilla 5.0(Macintosh; IntelMac OS X 10 _14_6)"
    }
  }'
```

In the response object, the `files.signed_file` property contains the ID of the signed compliance form available for download. The `state` property indicates the form is `COMPLETED`.

```json
{
  "id": "cf_uwErNm23TKYNEiqrEdJK59",
  "created_at": "2025-07-07T18:05:01.96471Z",
  "updated_at": "2025-10-16T22:34:05.217688Z",
  "linked_to": "MUwfZPNW3r4EqLMzwgr6txw4",
  "linked_type": "MERCHANT",
  "application": "APc9vhYcPsRuTSpKD9KpMtPe",
  "type": "PCI_SAQ_A",
  "version": "2018.10",
  "valid_from": "2025-09-09T23:17:43.041004Z",
  "valid_until": "2026-09-09T23:17:43.041005Z",
  "tags": {},
  "pci_saq_a": {
    "name": "John Smith",
    "signed_at": "2022-03-18T16:42:55Z",
    "user_agent": "Mozilla 5.0(Macintosh; IntelMac OS X 10 _14_6)",
    "ip_address": "42.1.1.113",
    "is_accepted": true,
    "title": "CTO"
  },
  "due_at": "2025-10-05T18:05:01.94105Z",
  "compliance_form_template": "cft_n6BfvWBVe4iK1HC4n9qN2t",
  "files": {
    "unsigned_file": "FILE_uyntoF5Y4LDrMDJtA9ujd6",
    "signed_file": "FILE_6U26h97cpuKmxqdE27KZh7"
  },
  "state": "COMPLETED"
}
```

### 5. Downloading the Signed Compliance Form

With the ID of the signed compliance form specified in `files.signed_file`, download the signed compliance form by retrieving the file resource from the GET `/files/{file_id}` endpoint.

```shell
curl "https://finix.sandbox-payments-api.com/files/FILE_6U26h97cpuKmxqdE27KZh7/download" \
  -H "Finix-Version: 2022-02-01" \
  -u USfdccsr1Z5iVbXDyYt7hjZZ:313636f3-fac2-45a7-bff7-a334b93e7bda
```

The previous API request returns the binary PDF of the signed compliance form. To stream the file in the browser, add the query parameter `?stream=true` to the URL. This instructs the API to stream the file inline so the client, such as a web browser, can render it directly. To save the file to a local directory, use the `-o` curl argument (for example, `-o compliance_form.pdf`).

## Avoiding Compliance Overdue Fees

To maintain PCI compliance, users must validate compliance annually by completing the SAQ questionnaire. When the `valid_until` date passes, Finix generates a new unsigned Compliance Form with updated `valid_from` and `valid_until` timestamps. See our [Avoiding Compliance Overdue Fees](/guides/managing-operations/security-compliance/avoiding-compliance-overdue-fees) guide for how to avoid overdue fees.
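The API steps 2 to 5 and the 30-day overdue rule above, as an added Python example (not Finix's SDK or code from this guide): it classifies a fetched form by `state`, counts elapsed overdue periods from `due_at`, and builds the `PUT` body only after the consent text has been accepted. The sample response is a trimmed copy of the one shown above; the period boundary and the set of mandatory signature fields are this example's own assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample: a trimmed copy of the GET /compliance_forms response shown above.
SAMPLE_FORM = json.loads("""{
  "id": "cf_uwErNm23TKYNEiqrEdJK59", "type": "PCI_SAQ_A",
  "due_at": "2025-10-05T18:05:01.94105Z", "valid_until": "2026-09-09T23:17:43.041005Z",
  "files": {"unsigned_file": "FILE_uyntoF5Y4LDrMDJtA9ujd6", "signed_file": null},
  "state": "INCOMPLETE"
}""")
CONSENT_TEXT = ("By submitting this Self-Assessment Questionnaire, I certify that I am an "
                "authorized representative of the company and that all the information "
                "submitted is true and correct.")
# The five digital-signature fields sent in the PUT example above. Requiring all of
# them before signing is this example's own rule, not a documented API constraint.
SIGNATURE_FIELDS = ("name", "title", "signed_at", "ip_address", "user_agent")

def parse_ts(value):
    """Parse a Finix RFC 3339 'Z' timestamp as an aware UTC datetime (fraction dropped)."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def next_action(form):
    """Return the integrator's next step and the file ID it needs, from the form state."""
    if form["state"] == "COMPLETED":
        return "download", form["files"]["signed_file"]
    return "review", form["files"]["unsigned_file"]

def overdue_periods(form, now_iso):
    """Count 30-day fee periods elapsed since due_at; 0 if completed or not yet due.
    Assumes the first period starts as soon as the deadline passes."""
    if form["state"] == "COMPLETED":
        return 0
    late = parse_ts(now_iso) - parse_ts(form["due_at"])
    return 0 if late.total_seconds() <= 0 else late.days // 30 + 1

def build_attestation(signee, consent_accepted):
    """Build the PUT /compliance_forms/{id} body. Refuses to sign unless the signee
    accepted CONSENT_TEXT and every signature field is present and well-formed."""
    if not consent_accepted:
        raise ValueError("signee did not accept the consent text; do not attest")
    missing = [f for f in SIGNATURE_FIELDS if not signee.get(f)]
    if missing:
        raise ValueError(f"missing signature fields: {missing}")
    parse_ts(signee["signed_at"])  # raises ValueError on a malformed timestamp
    return {"pci_saq_a": {f: signee[f] for f in SIGNATURE_FIELDS}}
```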