PAYMENT GATEWAY

[THK] F.4.2 Data Protection and Exposure

All payment-related data handled within the integration must be protected against unauthorized access, exposure, and misuse. This includes data in transit, at rest, and during processing.

SPG provides mechanisms such as hosted payment flows and tokenization to minimize the exposure of sensitive data. The Merchant must use these mechanisms appropriately and enforce strict data handling controls across all systems.

Sensitive Data Handling

Sensitive payment data must be strictly controlled and minimized.

  • Cardholder data (e.g., PAN, CVV) must:
    • Never be stored in Merchant systems
    • Never be logged or exposed in application logs
    • Only be handled through secure SPG mechanisms (e.g., hosted payment flows where data is captured directly by SPG)
  • Sensitive fields must not be:
    • Returned to client applications
    • Included in error messages
    • Stored in intermediate systems

Where direct handling is required (e.g., server-to-server integrations), additional security controls must be applied to ensure compliance and protection.

Using hosted payment flows significantly reduces exposure by ensuring that payment details are processed directly by SPG.

Tokenization and Data Minimization

SPG supports tokenization, allowing the Merchant to operate on non-sensitive identifiers instead of raw payment data.

  • Tokens must be used whenever possible for:
    • Recurring payments
    • Merchant-initiated transactions (MIT)
    • Subsequent operations on previously authorized payment methods
  • Tokens:
    • Represent sensitive data without exposing the underlying payment information
    • Must be treated as sensitive identifiers
    • Must be securely stored and access-controlled

Token-based flows reduce the need to handle raw payment data and significantly lower the risk of data exposure.

Info

Token usage is particularly relevant in recurring and merchant-initiated transaction flows, where subsequent operations are performed without re-exposing payment data.

Data Exposure in Logs and Monitoring

Operational systems must ensure that sensitive data is not exposed through logs, monitoring tools, or debugging mechanisms.

  • Logs must:
    • Mask or exclude sensitive fields
    • Avoid storing full request/response payloads when unnecessary
  • Monitoring systems must not expose:
    • Payment details
    • Authentication credentials
    • Token values in clear text

Debugging practices must be adapted to ensure that sensitive data is never inadvertently captured or persisted.

Where full payload inspection is required for troubleshooting, controlled and sanitized approaches must be used to avoid exposing sensitive data.
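As an added example, not SPG's code and not part of the original page, the Python below shows one way a Merchant back end can enforce the rules from the Sensitive Data Handling and logging sections: a Luhn-checked redaction of card numbers in free text (so that order ids of similar length are left alone), recursive masking of sensitive keys in request/response payloads before they are logged, a logging filter that applies it after message formatting, and a client-facing error response that carries only a generic code and a correlation id. The field names (`pan`, `cvv`, `token`, ...) and the sample payload are constructed assumptions, since the page does not define SPG's schema.

```python
import logging
import re
import uuid
from typing import Any, Optional

# Field names are assumptions for this example; SPG's actual schema is not on the page.
SENSITIVE_KEYS = {"pan", "card_number", "cvv", "cvc", "expiry", "token", "authorization"}
# Keys whose value is shown masked (last four digits kept) rather than removed outright.
MASKED_KEYS = {"pan", "card_number"}
# 13-19 digits, optional single space/hyphen separators, starting and ending on a digit.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from order ids of similar length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; every other digit becomes '*'."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_text(text: str) -> str:
    """Mask any Luhn-valid card-number-looking sequence in free text."""
    def _sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_RE.sub(_sub, text)


def redact_payload(obj: Any) -> Any:
    """Recursively sanitize a request/response payload before it is logged or returned."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            lowered = key.lower()
            if lowered in MASKED_KEYS and isinstance(value, str):
                out[key] = mask_pan(value)
            elif lowered in SENSITIVE_KEYS:
                out[key] = "[REDACTED]"
            else:
                out[key] = redact_payload(value)
        return out
    if isinstance(obj, list):
        return [redact_payload(item) for item in obj]
    if isinstance(obj, str):
        return redact_text(obj)
    return obj


class RedactingFilter(logging.Filter):
    """Formats the record first, then redacts it, so %-style args cannot leak either."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(record.getMessage())
        record.args = ()
        return True


def make_logger(name: str = "payments") -> logging.Logger:
    """Logger that never emits an unredacted card number from this module."""
    logger = logging.getLogger(name)
    if not any(isinstance(f, RedactingFilter) for f in logger.filters):
        logger.addFilter(RedactingFilter())
    return logger


def client_error_response(internal_detail: str, correlation_id: Optional[str] = None) -> dict:
    """Client sees a generic code plus a correlation id; the detail goes only to the redacted log."""
    cid = correlation_id or str(uuid.uuid4())
    make_logger().warning("payment failed cid=%s detail=%s", cid, internal_detail)
    return {"error": "payment_failed", "correlation_id": cid}


# Constructed sample payload (not real data; 4111 1111 1111 1111 is a well-known test number).
SAMPLE_PAYLOAD = {
    "order_id": "1234567890123456",  # 16 digits but fails Luhn, so it is left intact
    "card": {"pan": "4111 1111 1111 1111", "cvv": "123", "expiry": "12/29"},
    "token": "tok_constructed_abc123",
    "note": "customer card 4111111111111111 retried",
}

if __name__ == "__main__":
    import json
    print(json.dumps(redact_payload(SAMPLE_PAYLOAD), indent=2))
    print(client_error_response("gateway declined pan 4111111111111111"))
```

The filter is attached at the logger rather than the handler so that every sink (file, monitoring agent, console) receives the already-redacted record; `redact_payload` is what you call on a request or response body before it is persisted or echoed back, and the token value is removed entirely because the page treats tokens as sensitive identifiers in their own right.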

Warning

Special care must be taken in debugging or troubleshooting scenarios, where temporary logging of full payloads may inadvertently expose sensitive data.

For more information, see F.5 Logging and Monitoring Best Practices.

Data Handling Across Integration Flows

Different integration models introduce different levels of data exposure, depending on where payment data is collected and processed.

  • Hosted payment flows:
    • Minimize data exposure by delegating sensitive data handling to SPG
  • Server-to-server integrations:
    • Require stricter controls, as more data may transit through Merchant systems

Regardless of the integration model:

  • Data must only be collected when strictly necessary
  • Data must not be reused outside its intended purpose
  • Systems must enforce strict separation between payment data and business data

Improper handling of data across flows increases the attack surface and creates compliance risks.

For more information, see B.4 Integration Models – Comparison and Criteria to Choose.

Security Enforcement

Data protection must be enforced consistently across all systems interacting with SPG.

The Merchant system must ensure that:

  • Sensitive data is never stored, logged, or exposed unnecessarily
  • Tokenization is used wherever applicable to reduce exposure
  • Logs and monitoring systems do not leak confidential information
  • Data access is strictly restricted to authorized components and contexts
  • Data is handled only for its intended purpose and lifecycle

Failure to enforce proper data protection controls may result in unauthorized data access, regulatory exposure, and compromise of payment information.
