What PCI DSS covers
PCI DSS is the payment-card security framework that applies to organizations that store, process, or transmit cardholder data, as well as systems that can affect the security of that data. For merchants, the first scope question is usually merchant level. Card brands group merchants into four levels based mainly on annual transaction volume and risk profile. The exact thresholds can vary by brand and acquirer, but the operating logic is stable: higher-volume merchants face more formal validation, while smaller merchants often complete self-assessment with supporting evidence.
The standard itself is organized around 12 core requirements, covering topics such as network security, secure configuration, access control, logging, vulnerability management, testing, and governance. Those requirements matter because PCI DSS is not only about the payment form. It also cares about every connected system that can expose or influence cardholder data. That is why scope control matters so much. If a tracking vendor never touches CHD, it should not be pulled into the card-data environment by accident.
Validation also depends on the right SAQ type. SAQ-A is usually the narrowest merchant path and is meant for ecommerce businesses that fully outsource card-data capture to PCI DSS compliant third parties. Other SAQ variants apply when merchants host payment pages, embed different payment elements, or otherwise handle more of the payment flow directly. The practical test is simple: if your site, backend, or vendors can see CHD, your SAQ obligations move beyond the narrowest model.
TrackLayer scope
TrackLayer is built for an SAQ-A style deployment boundary. We do not store, process, or transmit CHD, meaning cardholder data such as PAN, expiry date, CVV, or cardholder name tied to the payment instrument should never enter TrackLayer in the first place. Our role is to receive business events after the payment processor has already handled the payment interaction.
In the standard setup, your payment processor owns the payment fields, tokenization, authorization, capture, and card network communication. TrackLayer receives the commercial result: successful checkout, order amount, currency, order reference, customer linkage, consent state, and destination routing logic. That design keeps payment collection with the processor and keeps TrackLayer focused on attribution, analytics, and auditability.
That separation does not remove your merchant responsibility. You still need to confirm the real implementation matches the intended architecture. If custom code, support workflows, logs, or transformations start copying payment fields into TrackLayer or neighboring systems, scope changes. The right compliance stance is not “TrackLayer is safe by default, so nothing else matters.” It is “TrackLayer stays out of scope when the merchant preserves the clean boundary.”
What TrackLayer stores vs what TrackLayer will NEVER store
| What TrackLayer stores | What TrackLayer will NEVER store |
|---|---|
| Canonical event names such as `order.completed`, `checkout.started`, or `refund.issued`. | Primary account number, truncated PAN beyond what your processor explicitly exposes, or any full card number representation. |
| Order-level business fields like `order_id`, value, currency, coupon, tax, shipping, channel, and attribution metadata. | CVV, CVC, security code, PIN blocks, magnetic stripe data, EMV track data, or equivalent sensitive authentication data. |
| First-party identifiers used for matching or analytics, such as hashed email, internal customer ID, click IDs, consent state, and device context. | BIN, issuer identification details copied from payment flows, cardholder name extracted from processor payloads, or raw payment instrument fingerprints intended for fraud tooling. |
| Webhook metadata, delivery logs, audit history, retry state, and destination routing outcomes for operational traceability. | Unredacted processor payloads containing CHD or any free-text field where support agents pasted payment details. |
Common confusion
Teams often mix privacy vocabulary with PCI vocabulary. A hashed email is not cardholder data under PCI DSS. By itself, it does not represent a payment credential and does not create card-data scope for TrackLayer. That matters because many attribution setups rely on hashed email for matching, and merchants sometimes assume any sensitive-looking identifier is automatically a PCI artifact.
The important distinction is that something can be outside PCI card-data scope and still remain regulated under privacy law. Hashed email can still be personal data under GDPR when it can be linked to a person or used for profiling or advertising measurement. So the correct compliance posture is split-brain on purpose: PCI asks whether payment credentials are present, while GDPR asks whether personal data is present and processed lawfully.
If you pass payment events
The recommended pattern is to send business outcomes, not payment instrument details. For a completed purchase, TrackLayer should receive a canonical event such as `order.completed` with fields like `value`, `currency`, `order_id`, customer identifier, and optional product or subscription context. That gives marketing, analytics, and finance teams the signal they need without dragging card data into the tracking layer.
What should not be sent is just as important. Do not include card number, BIN, issuer details, cardholder name, last four copied from the processor unless explicitly justified elsewhere, or raw payment method payloads. The tracking contract should describe the commercial event, not the mechanics of how the processor funded it.
Recommended
event: order.completed
value: 129.00
currency: EUR
order_id: ord_2026_0418_9842
Avoid
card_number
bin
cardholder_name
expiry_date
cvvIntegration with payment processors
The cleanest PCI posture comes from using payment processors that already isolate credential capture and then emitting post-payment webhooks into TrackLayer. In that model, TrackLayer becomes the consumer of payment outcomes, not the collector of payment data. This is the normal path for Stripe, Adyen, Checkout.com, and Braintree integrations.
Stripe
Stripe Checkout, Elements, and Payment Links keep collection inside Stripe-hosted or Stripe-rendered payment components. The webhook events merchants typically forward into TrackLayer contain payment outcomes, amounts, customer references, and object IDs, not CHD.
Adyen
Adyen Web Components and hosted payment pages are built so payment credentials go directly to Adyen. Standard event notifications expose transaction status, merchant references, value, and risk outcomes without exposing raw card data to TrackLayer.
Checkout.com
Checkout.com payment sessions and webhooks usually provide authorization, capture, refund, and dispute lifecycle signals. Those events are useful for attribution and revenue reporting while the card details remain in the processor domain by default.
Braintree
Braintree Hosted Fields and Drop-in UI keep payment data collection under Braintree's control. TrackLayer only needs the commercial result: order reference, success state, amount, currency, customer linkage, and downstream event timing.
By default, none of these integrations need to expose CHD to TrackLayer. The risk shows up only when merchants add custom webhook transformations, verbose debugging, or warehouse syncs that preserve processor payloads more broadly than needed. The safe operating rule is to normalize events at the edge and drop any payment fields that are not required for analytics or audit.
Compliance audit trail
Annual PCI assessment is easier when your event pipeline leaves a defensible trail. TrackLayer audit logs record who configured a destination, when webhook endpoints were added or changed, which event mappings were deployed, whether deliveries succeeded, and how retries or suppressions were handled. That does not replace your formal PCI evidence set, but it gives merchants concrete operational proof that the tracking layer was managed in a controlled way.
In practice, those logs help with assessor questions such as: when did the processor integration change, who approved the payload contract, when was a risky field removed, and how can the team show that only approved business events were forwarded? A clean audit log also helps security and privacy teams align their narratives. The same event history that supports PCI scoping can support incident review, GDPR accountability, and vendor-change governance.
The strongest merchant workflow is to pair TrackLayer audit records with architecture diagrams, webhook schemas, processor documentation, and a short written data-flow statement saying that CHD is collected only by the payment processor. Assessors do not want theory alone. They want evidence that the implemented system still matches the declared scope.
Common questions
Is TrackLayer itself PCI certified as a payment processor?
No. TrackLayer is not a payment processor and should not be used as one. The intended model is that Stripe, Adyen, Checkout.com, Braintree, or another PCI-enabled processor handles cardholder data while TrackLayer receives only non-CHD business events.
Why do you describe TrackLayer as SAQ-A compliant?
Because the product is designed for a merchant flow where cardholder data collection is outsourced to a PCI DSS compliant payment provider and never enters TrackLayer systems. In that model, TrackLayer supports an SAQ-A style boundary rather than increasing payment data scope.
Is hashed email considered cardholder data under PCI DSS?
No. A hashed email address is not cardholder data by itself. It can still be personal data under GDPR or other privacy regimes, so it should be handled with privacy controls, but it does not move TrackLayer into PCI card-data scope.
Can I forward processor webhooks directly to TrackLayer?
Yes, provided the webhook schema is reviewed and does not include CHD. The recommended pattern is to map the webhook into a clean business event contract before or at ingestion so only order, subscription, refund, and attribution fields are retained.
What creates PCI scope problems most often?
The common failure is not the official processor integration. It is custom code or manual support workflows that copy card details into notes, analytics payloads, logs, error trackers, data warehouses, or webhook relays that were never meant to hold CHD.
Related compliance and implementation guides
GDPR compliance
Understand how privacy obligations differ from PCI scope and where hashed identifiers still count as personal data.
Read guide →Server-side tracking
See how TrackLayer ingests browser, backend, and webhook events without turning the tracking pipeline into a payments system.
Read guide →Stripe webhook bridge
Review a practical pattern for turning Stripe lifecycle webhooks into clean server-side conversion events.
Read guide →