> For the complete documentation index, see [llms.txt](https://plexo.gitbook.io/rest-api/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://plexo.gitbook.io/rest-api/core-concepts/security.md).

# Security & PCI Compliance

*Brief explanation: Security measures and PCI DSS compliance requirements for protecting payment data in Plexo.*

## Security Overview

Plexo implements multiple layers of security:

* **Transport Security**: TLS 1.2+ encryption for all API communications
* **Data Security**: Tokenization and encryption at rest
* **Authentication**: API key-based authentication
* **PCI Compliance**: Level 1 PCI DSS certified service provider
* **Fraud Prevention**: 3D Secure authentication and monitoring

## PCI DSS Compliance

PCI DSS (Payment Card Industry Data Security Standard) is the card brands' security standard for any organization that stores, processes, or transmits cardholder data. Plexo is a **Level 1 PCI DSS Certified Service Provider**, the highest validation level for service providers.

### How Plexo Reduces Your PCI Scope

**Using Hosted Checkout (Recommended):**

* Card data never touches your servers
* Plexo handles all card data securely
* Minimal compliance requirements (SAQ A)
* Faster, simpler compliance validation

**Using Direct API (PCI Certified Clients Only):**

* Card data is collected by your own pages or systems and sent to Plexo
* Requires your own PCI DSS validation
* More compliance requirements: SAQ A-EP when your page controls the payment form but the browser posts card data straight to Plexo; SAQ D when card data passes through or is stored on your servers

{% hint style="success" %}
**Best Practice**: Use Plexo's Hosted Checkout redirect to minimize PCI compliance scope and avoid handling raw card data.
{% endhint %}

## Data Protection

### Tokenization

Card data is tokenized and stored in an isolated vault:

* **Non-reversible** - Cannot derive card number from token
* **Client-scoped** - Tokens only work for the client that created them
* **Encrypted** - Encryption at rest
* See [Tokenization](/rest-api/core-concepts/tokenization.md) for details

## Fraud Prevention

### 3D Secure (3DS)

Authenticates the cardholder with the issuer; for authenticated transactions, liability for fraud chargebacks shifts from the merchant to the issuer:

* Recommended for transactions above risk thresholds
* See [3DS Authentication](/rest-api/core-concepts/3ds-authentication.md)

### Card Verification (CVV)

Send the card security code as `cvc` inside the card payment method for card-not-present transactions, so the issuer can check that the buyer holds the physical card:

```json
{
  "paymentMethod": {
    "source": "card",
    "card": {
      "cvc": "123"
    }
  }
}
```

**Cases where `cvc` is not sent:**

* Recurring payments (subscriptions, scheduled charges): the code can only accompany the initial, cardholder-initiated payment, because it cannot be stored for later charges
* Merchants with special processor/acquirer agreements

The security code is sensitive authentication data under PCI DSS: it may be transmitted for authorization, but it must never be stored, logged, or persisted after authorization, even encrypted.

## Callback Security

If your integration receives callbacks, apply these protections:

* Use HTTPS-only endpoints
* Return `2xx` quickly and process asynchronously, so a slow downstream step does not time out the delivery
* Treat the callback as a notification only: re-fetch the payment or session from the API when you need the canonical final state, rather than trusting the status in the callback body
* Keep callback URLs private to your systems; do not expose them in client-side code or public repositories
* Make processing idempotent, keyed on the payment or session identifier, so a repeated delivery is not acted on twice
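The handler below is an added example, not code from Plexo's documentation or SDK. It separates the HTTP-facing part (authorise the URL, queue a reference, answer `2xx` immediately) from the worker that re-fetches the payment through an injected `fetch_payment` function and acts only on what the API returns. The secret path segment, the `paymentId` and `status` field names, and the status values are assumptions for illustration; take the real ones from the payment reference.

```python
import hmac
import json
import queue
from typing import Callable, Optional, Tuple

# Constructed for this example. An unguessable path segment is one way to keep
# the callback URL private; Plexo's documentation does not prescribe a scheme.
# Load it from a secrets manager in production rather than a literal.
CALLBACK_PATH_SECRET = "9f2c7d4e1b8a4c6f"

# Assumed field names and status values for illustration; take the real ones
# from the payment/session reference.
TERMINAL_STATES = {"approved", "rejected", "cancelled"}

work_queue: "queue.Queue[dict]" = queue.Queue()


def receive_callback(path: str, raw_body: bytes,
                     enqueue: Callable[[dict], None] = work_queue.put) -> Tuple[int, str]:
    """HTTP-layer handler: authorise the URL, enqueue a reference, return fast.

    Returns (status_code, body). No business logic runs here, so the 2xx goes
    back to Plexo well within any delivery timeout.
    """
    # Constant-time comparison so a wrong path cannot be narrowed down by
    # timing (assumption: the URL registered with Plexo is /callbacks/<secret>).
    expected = f"/callbacks/{CALLBACK_PATH_SECRET}"
    if not hmac.compare_digest(path.encode(), expected.encode()):
        return 404, "not found"          # same answer as any unknown route
    try:
        event = json.loads(raw_body)
    except ValueError:
        return 400, "malformed body"
    if not isinstance(event, dict) or "paymentId" not in event:
        return 400, "missing paymentId"
    # Only the reference is queued. Whatever status the body claims is ignored;
    # the worker fetches the canonical state from the API.
    enqueue({"paymentId": str(event["paymentId"])})
    return 200, "accepted"


def process_callback(job: dict, fetch_payment: Callable[[str], dict]) -> Optional[str]:
    """Worker side: re-fetch the payment and act only on what the API returns.

    fetch_payment is injected (in production: an authenticated GET against the
    payment endpoint). Returns the terminal status, or None if the payment is
    not final yet and the job should be retried later. Because the result is
    derived from the API, running this twice for one callback is harmless as
    long as the downstream action is keyed on paymentId.
    """
    payment = fetch_payment(job["paymentId"])
    status = payment.get("status")
    if status not in TERMINAL_STATES:
        return None
    return status


if __name__ == "__main__":
    # Constructed scenario: a forged callback claims approval, but the API
    # says the payment was rejected. The API answer wins.
    forged = b'{"paymentId": "pay_123", "status": "approved"}'
    print(receive_callback(f"/callbacks/{CALLBACK_PATH_SECRET}", forged))
    job = work_queue.get()
    print(process_callback(job, lambda pid: {"id": pid, "status": "rejected"}))
```

The 404 on a wrong path is deliberate: the endpoint should look like any other unknown route to someone probing for it. Wire `receive_callback` into whatever framework you use, and run `process_callback` from a queue consumer with retries for the `None` case.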

## Security Checklist

**Required:**

* ✅ Use HTTPS for all API requests
* ✅ Validate TLS certificates; never disable verification in your HTTP client
* ✅ Store API keys in environment variables or a secrets manager, never in source control
* ✅ Never log sensitive data (PAN, CVV, API keys); a masked PAN (first 6 / last 4 at most) is the only card identifier that should appear in logs
* ✅ Use hosted checkout to reduce PCI scope
* ✅ Protect callback endpoints and confirm final state through the API

**Recommended:**

* ✅ Enable 3DS for high-value transactions
* ✅ Request CVV for all card-not-present payments
* ✅ Rotate API keys every 90 days
* ✅ Implement rate limiting on your own payment and callback endpoints
* ✅ Monitor transaction patterns for anomalies (velocity, repeated declines, unusual amounts)
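Two checklist items, loading the API key from the environment and keeping PAN, CVV and API keys out of logs, are easy to state and easy to get wrong in a structured-logging pipeline. The helper below is an added example, not code from Plexo: it drops secret-named fields, masks PAN fields to first 6 / last 4, scans free-text strings for digit runs that pass the Luhn check, and fails closed when the key is missing. The field names (`number`, `cvc`, `x-api-key`, the `PLEXO_API_KEY` variable) are assumptions for illustration.

```python
import os
import re
from typing import Any, Mapping

# Field names whose values are dropped outright. Names are assumptions for
# illustration; match them to the actual field names in your payloads.
DROP_KEYS = {"cvc", "cvv", "api_key", "apikey", "x_api_key", "authorization"}
# Field names that hold a PAN and are masked to first 6 / last 4, the most
# PCI DSS allows to be displayed.
MASK_KEYS = {"number", "pan", "card_number", "cardnumber"}

# 13-19 digits with optional space/dash separators, not inside a longer run
# (constructed heuristic; the Luhn check below filters most false positives).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum; all real card numbers satisfy it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first 6 and last 4 digits; anything shorter than a PAN is fully masked."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _mask_if_pan(m: "re.Match[str]") -> str:
    digits = re.sub(r"\D", "", m.group(0))
    return mask_pan(digits) if luhn_ok(digits) else m.group(0)


def redact(obj: Any) -> Any:
    """Return a copy safe to log: secret fields removed, PAN fields masked,
    free-text strings scanned for embedded card numbers."""
    if isinstance(obj, Mapping):
        out = {}
        for k, v in obj.items():
            norm = str(k).lower().replace("-", "_")
            if norm in DROP_KEYS:
                out[k] = "[REDACTED]"
            elif norm in MASK_KEYS and isinstance(v, str):
                out[k] = mask_pan(v)
            else:
                out[k] = redact(v)
        return out
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    if isinstance(obj, str):
        return PAN_RE.sub(_mask_if_pan, obj)
    return obj


def load_api_key(env: Mapping[str, str] = os.environ, name: str = "PLEXO_API_KEY") -> str:
    """Read the API key from the environment; fail closed if it is missing."""
    key = env.get(name, "").strip()
    if not key:
        raise RuntimeError(f"{name} is not set; refusing to start without a credential")
    return key


if __name__ == "__main__":
    # Constructed request payload and support note, as they might reach a logger.
    sample = {
        "paymentMethod": {"source": "card",
                          "card": {"number": "4111111111111111", "cvc": "123", "expiry": "12/30"}},
        "note": "customer said card 4111 1111 1111 1111 was declined",
        "x-api-key": "live_abc123",
    }
    print(redact(sample))
```

Run `redact` on the object just before it is handed to the logger, not after formatting, so the masking applies to nested fields as well as to free text. The Luhn filter is what lets the free-text scan run on every log line without mangling timestamps and order numbers.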

## Reporting Security Issues

If you discover a security vulnerability, email: **<soporte@plexo.com.uy>**

Do not disclose the issue publicly until it has been addressed. Include a description, steps to reproduce, and the potential impact.

## Related Resources

* [3DS Authentication](/rest-api/core-concepts/3ds-authentication.md)
* [Tokenization](/rest-api/core-concepts/tokenization.md)
* [API Authentication](/rest-api/getting-started/authentication.md)
