# Compliance & Security Overview

We've built Hyp Pay with security and compliance as foundational principles. We help you reduce your compliance burden while ensuring your customers' card data stays safe and sound.

## Our security approach

Our security approach is designed to give you peace of mind. By maintaining the highest [industry certifications](/pay/security/certifications.md) and following security best practices, we handle the complex stuff so you can focus on running your business.

We protect your data through multiple layers of security across three main areas:

* [Data Privacy](/pay/security/data-privacy.md) — How we handle, encrypt, and protect cardholder data.
* [Network Security](/pay/security/network-security-at-hyp.md) — Our network architecture, infrastructure protections, and supported cipher suites.
* [Payment Page Security](/pay/security/payment-page-security.md) — Browser-level protections and iframe security.

These areas work together to ensure your customers' data stays secure at every step.

## Understanding PCI DSS

You've probably heard of PCI DSS (Payment Card Industry Data Security Standard). In short, it's a set of security rules that anyone handling credit card data must follow to protect customers and prevent fraud.

While these rules are important, they can be incredibly complex and expensive to implement on your own. If you were to handle raw card data yourself, you'd need to go through rigorous audits, maintain highly secure servers, and take on a lot of legal liability if something goes wrong.

### Why outsourcing is better

The easiest way to deal with PCI compliance is to outsource the hard parts to us. When you use Hyp Pay, your servers never see, touch, or store a raw credit card number. Instead, the sensitive data goes directly from your customer's browser to our secure servers.

By keeping card data off your systems, you're not just making your life easier — you're making your business much safer. Even if your own website were compromised, there would be no credit card numbers for hackers to find.

### Your PCI compliance path: SAQ A

Even when you outsource everything, the credit card brands still want to know that you're following basic security best practices. This is where the **Self-Assessment Questionnaire (SAQ)** comes in.

Because Hyp Pay is built around hosted payment pages and tokenization, you qualify for the simplest possible compliance level: **SAQ A**. This is a short form that basically confirms you've outsourced your payment processing to a compliant provider like us.

Compared to other compliance paths that can involve hundreds of technical requirements, SAQ A is straightforward and focuses mostly on basic security policies and managing your relationship with Hyp.

On our end, we offer several integration methods designed to keep your PCI compliance as simple as possible:

* **Hyp-hosted payment pages** — Use a redirect or iframe integration to collect payments. This is the most secure and easiest way to get started.
* **Tokenization** — Securely store payment methods for future use. You get a "token" (a unique ID) that you can use for future charges, while we keep the actual card data safe.
* **Direct APIs** — You can use our APIs for scenarios like subscription payments or recurring charges where you already have a token and don't need the customer to visit a payment page again.
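The practical consequence of the integration methods above is an invariant on your side: a request reaching your own server should carry a Hyp token, never a raw card number. The following Python guard is an added example written for this page, not Hyp Pay's own code or API; it assumes a hypothetical `check_request_body` hook that you would call on inbound JSON before it is processed or logged, flags any Luhn-valid 13 to 19 digit run, and returns only a masked form so the guard itself never records a PAN.

```python
import re

# Hypothetical PAN-leak guard (added example, not Hyp Pay code).
# Purpose: detect when raw card data has accidentally reached a server
# that is meant to handle only tokens, so SAQ A scope is preserved.

# Candidate: 13-19 digits, optionally separated by spaces or hyphens,
# not embedded in a longer digit run (e.g. a 20-digit tracking number).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters out order ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return masked forms (first 6 + last 4) of Luhn-valid runs in text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return found


def check_request_body(body: str) -> dict:
    """
    Gate for inbound request bodies on a token-only server.
    Returns {"ok": True} when no card number is present, otherwise
    {"ok": False, "reason": ..., "masked": [...]} with masked values only.
    """
    hits = find_pans(body)
    if hits:
        return {
            "ok": False,
            "reason": "raw card data must not reach this server; use a Hyp token",
            "masked": hits,
        }
    return {"ok": True}


if __name__ == "__main__":
    # Constructed sample bodies; the card number is a well-known test PAN.
    print(check_request_body('{"token": "tok_abc123", "amount": 4990}'))
    print(check_request_body('{"card": "4111 1111 1111 1111", "amount": 4990}'))
    print(check_request_body('{"order_id": "1234567890123456"}'))
```

A rejected request should be logged with the masked value and the source endpoint only; the point of returning masked strings is that the detection path never becomes a new place where card data is stored. The Luhn filter keeps false positives down, as shown by the 16-digit order id in the demo, which is not flagged.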

### Your PCI compliance checklist

Even with SAQ A, there are a few things you still need to do to keep your business secure and your compliance up to date. Here's a quick checklist of what's expected from you:

* **Keep our Attestation of Compliance (AOC) on file** — This is the document that proves Hyp Pay is PCI-compliant. While our basic [PCI certificate](https://hyp.co.il/pci-certificates/) is public, your bank or acquirer may specifically want to see the AOC. If you don't receive this document as part of your [onboarding](/pay/getting-started/prerequisites-and-initial-setup.md) package, you can request the latest version from our support team at any time.
* **Maintain basic security policies** — Even if you don't handle card data, you still have a responsibility to keep your own systems secure. This includes things like using strong passwords and keeping your software updated.
* **Manage your service providers** — You should maintain a list of all the companies you work with that handle your payments (like Hyp). PCI rules require you to check that these partners are still compliant once a year.
* **Complete your annual SAQ A** — You'll typically need to fill out the SAQ A form once a year. It's a simple "yes/no" questionnaire that confirms you're still following these basic security rules.
* **Protect your login credentials** — Ensure that access to your Hyp Portal and any other sensitive systems is restricted to only the people who really need it.

By following these simple steps, you can stay fully compliant without the stress of managing complex security infrastructure.

### When to use Hyp CreditGuard

Hyp Pay is perfect for the vast majority of businesses that want to stay safe and keep things simple. However, if you have complex enterprise requirements that require you to handle raw card data on your own servers (known as SAQ A-EP or SAQ D), then [Hyp CreditGuard](https://developers.hyp.co.il/) is the right choice for you.

Hyp CreditGuard is our enterprise-oriented service that supports advanced integration scenarios and a wider range of compliance paths. If you're not sure which one you need, we usually recommend starting with Hyp Pay for its ease of use.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://developers.hyp.co.il/pay/security/compliance-and-security-overview.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
