Required Documents
In order to perform a successful merchant registration, certain documents are required for the Merchant, Shop, Related Company and/or Related Person resources - depending on the Customer Due Diligence Level (Simplified, Standard, Enhanced).
The mandatory documents have to be uploaded using the POST /documents API request - one by one after the merchant was successfully posted via POST /merchants (merchant state should be PendingOnDocuments so that documents can be uploaded).
List of required documents
To receive a list of required/mandatory documents for a specific merchant, the GET /entity-required-documents resource should be used.
The response will contain information on which document is required for each entity (Merchant, Shop, Related Company and/or Related Person).
Also a status is returned that indicates if a required document was already uploaded:
- missing: document was not yet uploaded
- assigned: document was already uploaded and assigned to the merchant/shop/company/person
Once all mandatory documents have been uploaded, the PXP Financial Onboarding System will move the merchant state from PendingOnDocuments to the next state (see Onboarding Flow) and continue the onboarding process.
Document size and allowed file types
The maximum message size for POST /documents after encoding is limited to 15MB (which means that documents up to approx. 11MB can be uploaded).
The allowed file types are: .pdf, .jpeg, .png
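A pre-upload check for the limits above, as an added example that is not part of PXP Financial's documentation: it verifies that a file's content matches one of the allowed types and that the encoded request stays under 15MB. Base64 encoding, decimal megabytes and the fileName and content body fields are assumptions; only the type attribute is named on this page.

```python
import base64
import json

# Limit taken from the page; reading "15MB" as decimal megabytes is an assumption.
MAX_MESSAGE_BYTES = 15 * 1000 * 1000

# Leading bytes ("magic numbers") of the three allowed file types.
MAGIC = {
    "pdf": b"%PDF-",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}
EXTENSIONS = {".pdf": "pdf", ".jpeg": "jpeg", ".png": "png"}


def sniff_type(data: bytes):
    """Return the allowed type whose signature the content starts with, else None."""
    for name, magic in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def preflight(filename: str, data: bytes, doc_type: str):
    """Check one document before POST /documents; returns (ok, reason, encoded_size)."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = EXTENSIONS.get(ext)
    if declared is None:
        return False, "extension not allowed", 0
    # A renamed file (e.g. a PDF called .png) is rejected before it leaves the client.
    if sniff_type(data) != declared:
        return False, "content does not match extension", 0
    # Hypothetical request body: only "type" is named on the page.
    body = json.dumps({
        "type": doc_type,
        "fileName": filename,                               # assumed field name
        "content": base64.b64encode(data).decode("ascii"),  # assumed field name and encoding
    })
    size = len(body.encode("utf-8"))
    if size > MAX_MESSAGE_BYTES:
        return False, "encoded message exceeds 15MB", size
    return True, "ok", size
```

Base64 grows the payload by a third, which is why an 11MB file fits under the 15MB message limit and an 11.5MB file does not.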
Payment Facilitators
For Payment Facilitators the documents PXP Financial requires will depend on the specific distribution of responsibilities between the partner and PXP Financial. This will be defined as part of the setup process.
List of documents
The following table lists all possible document types PXP Financial currently accepts.
The Document Type is the value that will be sent and received in the POST /documents and GET /documents operations as the type attribute/property.
Document Type | Associated Entity | Description |
---|---|---|
CertificationOfIncorporation | Merchant or RelatedCompany | An official document of incorporation; proof of registration as sole trader. |
ArticlesOfAssociation | Merchant or RelatedCompany | A document that is required for incorporation in some countries. It contains a description of the business model of the company. |
BankStatement | Merchant | Copy of the bank statement/screenshot of online banking tool showing at least bank account number and owner. |
BankReferenceLetter | Merchant | A document that should contain an official bank letter for every bank account submitted as part of the application. Please aggregate all bank letters into one document (PDF). |
AddressProofForMerchantLocation | Merchant | A copy of a recent utility bill (no older than 3 months) or rent agreement associated with the address stated as incorporationAddress in the POST /merchants call. |
CardProcessingHistory6Months | Merchant | A document that contains a record of the merchant’s processing history for card payments. Please pass this data in one document (CSV or Excel). |
ProofOfDomainOwnership | Merchant | If the merchant is processing ecom payments, PXP Financial requires a document that contains proof that the merchant holds ownership of the URLs associated with each shop. This data should be aggregated and sent in one document. If the merchant is accepting card-present payments, this document should contain proof of ownership of the URL of the corporate website. If the merchant does not operate any website (e.g. sole traders) then no such document is needed. |
BusinessLicenseOrAuthorization | Merchant | For some MCCs and countries, special licenses are required by the local regulator. Examples of this would be 7995 (Gaming), 5912 (Drug Stores and Pharmacies) or 6211 (Binary/Forex). If the merchant is operating such a business in any country that requires a license, please send a document that aggregates all of this information in one file (PDF). |
LegalOpinions | Merchant | Where applicable, legal opinions issued to the merchant confirming the legality of products or services provided, shipping, import/export etc. (Forex/Trading/CFD merchants; Crypto exchanges; Pharmacies; CBD etc.) |
Organogram | Merchant | A document that discloses the corporate structure of ownership. |
AnnualReport | Merchant or RelatedCompany | A report on business performance. |
CompanyAMLPolicyAndGuidelines | Merchant | A document describing the AML policy and guidelines of the merchant. |
ChargebackAndFraudPolicyAndProcedures | Merchant | A document that describes the chargeback and fraud prevention policy and guidelines of the merchant. |
PassportOrGovernmentID | RelatedPerson | A scanned passport or other form of official identification related to a person. Only relevant for a related person that has a role of Owner, Shareholder, DirectorOrExecutive or UltimateBeneficiary. |
PersonalUtilityBill | RelatedPerson | A utility bill, no older than 3 months, associated with a person holding either of the following roles: Owner, Shareholder, DirectorOrExecutive or UltimateBeneficiary. |
ProofOfAuthorisedSignatory | RelatedPerson | A proof that a person is the authorised signatory of the merchant. Only relevant for a related person who is the Signatory but is not an Owner or DirectorOrExecutive at the same time. |
TaxFilings | Merchant | If applicable, a record of the last tax filing. |
PCIReportOnCompliance | Merchant | A copy of the latest PCI ROC (Report On Compliance). Please refer to PCI Documents to see for which merchants this becomes relevant. |
PCISelfAssessmentQuestionnaire | Merchant | A document every merchant processing card volumes is required to fill out. As a PCI regulated entity, PXP Financial is required to hold this on record for every merchant processing through PXP Financial. Please refer to PCI Documents to see if the merchant needs to submit the questionnaire or needs to submit a copy of the PCI certification (PCIReportOnCompliance). |
PCIQuarterlyASVReport | Merchant | The result of the quarterly ASV (Approved Scanning Vendor) check of Shop URLs. For a new merchant application, please submit the most recent report. |
ExternalRiskChecksResult | Merchant | If applicable, the collected results of externally processed merchant risk or underwriting checks. |
ExternalCompanyRiskChecksResult | Merchant | If applicable, the collected results of externally processed business verification checks (KYB checks). |
ExternalCustomerRiskChecksResult | Merchant | If applicable, the collected results of externally processed customer identity checks (KYC checks). |
Contract | Merchant | The signed contract with the merchant. |
Required documents for a Merchant
The above documents are mandatory depending on the Customer Due Diligence Level (SoleTrader, Standard) as described in Overview but also on the data which was transmitted in the POST /merchants request.
The following table lists all document types and states whether each is mandatory, optional or conditionally mandatory for each CDD-Level:
DocumentType | SoleTrader | Standard |
---|---|---|
CertificationOfIncorporation | Mandatory | Mandatory |
ArticlesOfAssociation | n/a | Mandatory |
BankStatement | Mandatory | Mandatory |
BankReferenceLetter | n/a | n/a |
AddressProofForMerchantLocation | Mandatory | Mandatory |
CardProcessingHistory6Months | Yes, if isStartUp set to false and if fraudRatiosForThePastMonths or chargebackCountRatiosForThePastMonths is above 0,5% in any month. | Yes, if isStartUp set to false |
ProofOfDomainOwnership | Mandatory if domainOwnership = Own | Mandatory if domainOwnership = Own |
BusinessLicenseOrAuthorization | Mandatory if MCC is 7995, 6012, 6051, 6211, 5912 | Mandatory if MCC is 7995, 6012, 6051, 6211, 5912 |
LegalOpinions | Mandatory if applicable | Mandatory if applicable |
Organogram | n/a | Mandatory |
AnnualReport | n/a | n/a |
TaxFilings | n/a | n/a |
ChargebackAndFraudPolicyAndProcedures | Mandatory if isChargebackOrFraudAnalysisProcessInPlace was answered with "true". | Mandatory if isChargebackOrFraudAnalysisProcessInPlace was answered with "true". |
CompanyAMLPolicyAndGuidelines | Mandatory if isRegulatedByAMLGuideline was answered with "true". | Mandatory if isRegulatedByAMLGuideline was answered with "true". |
PCIReportOnCompliance | Mandatory for PCI Level 1. See PCI Documents. | Mandatory for PCI Level 1. See PCI Documents. |
PCISelfAssessmentQuestionnaire | Mandatory for PCI Level 2-4. See PCI Documents. | Mandatory for PCI Level 2-4. See PCI Documents. |
PCIQuarterlyASVReport | Mandatory for PCI Level 2-4. For a new merchant, the most recent report has to be provided. See PCI Documents. | Mandatory for PCI Level 2-4. For a new merchant, the most recent report has to be provided. See PCI Documents. |
Required documents for a Related Company
For each related company provided in the relatedCompanies list, the following documents are mandatory in addition:
DocumentType | SoleTrader | Standard |
---|---|---|
CertificationOfIncorporation | not applicable (a sole trader must not have any related companies) | Mandatory |
ArticlesOfAssociation | not applicable (a sole trader must not have any related companies) | Mandatory |
Required documents for a Related Person
For a person listed in the relatedPerson list, the following documents are mandatory in addition:
DocumentType | Any CDD-Level |
---|---|
PassportOrGovernmentID | Mandatory if the person's role is Owner, Shareholder, DirectorOrExecutive or UltimateBeneficiary |
PersonalUtilityBill | Mandatory if the person's role is Owner, Shareholder, DirectorOrExecutive or UltimateBeneficiary |
ProofOfAuthorisedSignatory | Mandatory if the person is the authorised Signatory of the merchant (has role Signatory assigned) and is NOT Owner or DirectorOrExecutive at the same time |
PCI documents
The following table shows which PCI related documents have to be submitted for a merchant.
ROC: Report on Compliance
SAQ: Self Assessment Questionnaire
PCI Level | # of Visa & MC transactions combined | Required Documents |
---|---|---|
1 | more than 6 Million | ROC, using PCIReportOnCompliance document type |
2-4 | 2: 1-6 Million; 3: 200.000-1 Million; 4: less than 200.000 | Using PCISelfAssessmentQuestionnaire document type: Redirect or Iframe: SAQ A; Direct POST or Javascript: SAQ A-EP; XML or Other: SAQ D |
PCI Level 1
Merchants processing a combined scheme volume (this includes all transactions of all schemes participating in the PCI compliance standard - JCB, CUP, Amex and Discover) of over 6 million transactions need to provide a document on PCI compliance (ROC, transmitted using the PCIReportOnCompliance document type). These merchants need to be audited and re-certified on a yearly basis.
PCI Level 2-4
The SAQ is a standardized questionnaire that does not require an audit.
The different levels of SAQ stated in the table above refer to different questionnaires the merchant needs to fill out. This depends on the way the merchant captures card data from their customers.
- Redirect or IFrame: The merchant only redirects the customer to a PCI certified processor. The merchant system does not come into direct contact with the card data.
- Direct POST or Javascript: The merchant website/UI directly captures the card data, but posts it to an external processor using client-side technologies. The merchant backend does not receive card data, only the website/UI does.
- XML or Other: For merchants that do not meet the reduced requirements for SAQ-A and SAQ-EP, the most comprehensive questionnaire (SAQ-D) needs to be filled and submitted to PXP Financial.
Quarterly ASV report (PCIQuarterlyASVReport)
Please note that merchants categorized as PCI Level 2-4, while not requiring a yearly PCI audit, are still subject to a quarterly security scan of any website accepting card payments.
Such a scan is usually done by PCI-approved external vendors that provide this as a service. Such vendors are referred to as 'Approved Scanning Vendor' - ASV in short. The result of the quarterly scan is usually referred to as 'ASV scan report'.
While PCI compliance requires that all merchants are obliged to perform these scans, PXP Financial currently requires this to be submitted for all category 2 and 3 merchants. Updated ASV scan reports should be submitted to PXP Financial every 3 months using document type PCIQuarterlyASVReport.
Updated about 5 years ago