Hosted payment fields that keep you on SAQ A
Capture cards in secure fields that send data straight to our European PCI DSS Level 1 vault. Your servers never see a card number, you stay on SAQ A — and the fields stay on your brand and domain.
What are hosted payment fields?
Hosted fields are card input fields served from our PCI-compliant environment and embedded in your page as secure iframes. The shopper types their card into fields you don't control, so the data goes straight to the vault and comes back as a token — the card number never touches your servers.
Stay on SAQ A
Card data never reaches your systems, so most merchants qualify for the shortest PCI questionnaire.
No PAN on your servers
You receive a token, not a card number — removing the biggest source of breach risk and audit scope.
On-brand checkout
Fully customizable styling keeps the fields on your design, your brand and your domain — no redirect.
Web & mobile
Responsive fields for web checkouts, plus mobile SDKs for the same secure capture in native apps.
Tokens you can reuse
Captured cards become tokens for one-click checkout, recurring billing and card-on-file payments.
European custody
Captured cards are vaulted only in EU data centres under PCI DSS Level 1.
Hosted fields vs the alternatives
| Approach | PCI scope | On-brand | Card on your servers |
|---|---|---|---|
| Raw card form | SAQ D | Yes | Yes (risky) |
| Full redirect | SAQ A | Off-site | No |
| Hosted fields | SAQ A | Yes | No |
Hosted fields give you the SAQ A scope reduction of a redirect, with the on-brand experience of your own form.
From keystroke to token
Embed the fields
Drop our hosted fields into your checkout and style them to match your design.
Shopper enters the card
The card is typed into fields served by us, so the data goes straight to the vault, never your servers.
Receive a token
The vault returns a token that represents the card — safe to store and reuse in your systems.
Charge & reuse
Process the token through our acquiring engine or your PSP, and reuse it for repeat and recurring payments.
Hosted payment fields, answered
01 What are hosted payment fields?
Hosted payment fields are card input fields served from a PCI-compliant provider and embedded in your page, usually as secure iframes. The shopper types their card into fields you don't control, so the data goes straight to the vault and is replaced by a token — the card number never touches your servers.
02 How do hosted fields keep me on SAQ A?
Because the card data is captured by the provider's fields and never reaches your systems, your cardholder data environment shrinks dramatically. For most merchants this qualifies them for SAQ A, the shortest PCI questionnaire.
03 Can I style hosted fields to match my checkout?
Yes. PCI Proxy hosted fields are fully customizable, so they blend into your checkout and keep customers on your brand and domain — no jarring redirect to a third-party page.
04 Do hosted fields work on mobile and in apps?
Yes. Hosted fields work in responsive web checkouts, and our mobile SDKs provide the same secure, tokenized capture inside native iOS and Android apps.
On-brand capture, SAQ A scope
Tell us about your checkout and we'll show how hosted fields keep card data off your servers and on SAQ A.