Eway Security Compliance


Security compliance matters to your customers, and it will certainly matter to your business.

By partnering with Eway, you are outsourcing your payments to a partner with the highest level of PCI-DSS, with the same levels of data security as the largest banks in the world.

The Merchant Trust Initiative

The frequency and sophistication of cybersecurity attacks on businesses like yours are increasing each year. Small to medium businesses are the most vulnerable to attacks and are usually the least equipped to deal with them, threatening their very survival.

To improve cybersecurity measures we have launched the Merchant Trust Initiative.

PCI DSS Self-Assessment Questionnaires (SAQs)

What are PCI DSS SAQS?

The PCI DSS Self-Assessment Questionnaires (SAQs) are validation tools intended to assist merchants and service providers in self-evaluating their compliance with the PCI DSS (Payment Card Industry Data Security Standards). There are multiple versions of the PCI DSS SAQs to meet various scenarios.

Do I need them?

All payment gateways and merchant banks are required to have their merchants complete at least one of the SAQ forms, listed to below.

Which ones?

As a merchant who is accepting card transactions, your bank or payment acquirer will require you to complete the correct PCI DSS SAQ for the API type that you are integrating with.

This list below of Eway’s APIs and the relevant SAQ are the ones that you must complete. Please note that this only applies when you are accepting your customer’s card information. Subsequent recurring or token transactions processed without requiring the customer to enter their card number are not included in your compliance.

How to quickly & easily become PCI Compliant

The easiest and fastest way to become closer to compliance is to use Eway’s solutions as we’re Level 1 PCI DSS Compliant. You can integrate to hosted solutions (such as Xero or Shopify), or in just a few simple steps integrate to Eway’s iFrame solution.

To understand how you can fulfill your obligations as a merchant to becoming compliant, as a part of the Merchant Trust Initiative, you have access to Trustwave TrustKeeper. This is a tool that simplifies the process for you to meet the obligations of PCI DSS compliance. Through the portal, you also have access to numerous other tools and resources, providing you with information on cybersecurity and data protection to help you minimise your risks.

PCI DSS SAQ Forms Required

Eway Rapid APIs

  • Responsive Shared Page – SAQ A (14 requirements)
  • Rapid iFrame – SAQ A (14 requirements)
  • Transparent Redirect – SAQ A – EP (140 requirements)
  • Client Side Encryption – SAQ A – EP (140 requirements)
  • Direct Payments – SAQ D (326 requirements)
  • MOTO within MYeWAY – SAQ C – VT (73 requirements)
  • PayNow Button – SAQ A (14 requirements)
  • Secure Fields – SAQ A (14 requirements)
  • Secure Panel – SAQ A (14 requirements)


Legacy APIs

  • Direct XML – SAQ D (326 requirements)
  • Direct XML Stored – SAQ D (326 requirements)
  • Direct PreAuth XML – SAQ D (326 requirements)
  • Shared Payments – SAQ A (14 requirements)
  • Managed Payments Token Web Service – SAQ D (326 requirements)
  • Rebill XML API – SAQ D (326 requirements)
  • Rebill Web Service – SAQ D (326 requirements)

Seem confusing? That’s OK, Eway has the team available to help you every step of the way. ​



This SAQ applies to merchants who have fully outsourced their website or card payment forms to a third party provider. In the case of a compliant SaaS application such as Xero or Shopify you will be required to provide your bank with their PCI compliance certificate.

Outsourcing your payment form to Eway includes using our Rapid Responsive Shared Page, Rapid iFrame or Rapid Pay Now button.

This is the shortest possible questionnaire that you can complete and is the preferred solution for merchant banks.

View SAQ A (PDF)


This SAQ applies to merchants who are hosting the card payment form, however the form sends card information directly to Eway from the customer’s browser. This ensures that whilst the server controls the payment form, it never receives the card information and is therefore not at risk of storing card data.

The requirements in this form will require you to have an above-average hosting environment including advanced firewall configurations, segregation of server tasks (separate web/database/dns servers and appropriate security/access controls) and many other documented procedures and security policies.



This SAQ applies to merchants who’s servers are processing, transmitting or storing card information obtained in their payment forms. Any “direct” APIs where the server connects to eWAY to process transactions will be included in this SAQ form.

As the SAQ D is for all merchants not falling in to another SAQ category, in addition to the requirements for the SAQ A – EP, the SAQ D covers all possible ways in which card data could be processed, transmitted or stored. Due to the scope of the SAQ D it is strongly recommended that merchants consider their business case for using a Direct API and the possibility of implementing an API that allows completion of either the SAQ A or SAQ A – EP.

View SAQ D (PDF)


This SAQ applies to merchants who are only using a gateway provided virtual terminal.

As the SAQ C – VT is for merchants who are physically handling card information there are a higher number of requirements. You should speak directly with your merchant bank about best practises for handling of card information with virtual terminal use.

View SAQ C (PDF)