PCI SAQ-A

PCI SAQ-A: card data never touches merchant servers

SAQ-A is the PCI Self-Assessment Questionnaire for merchants whose cardholder data functions are fully outsourced to validated third parties and who never store, process, or transmit PAN on their systems. It is the lightest recurring compliance burden, and the one most e-commerce teams target for checkout flows.

Eligibility is strict. If your JavaScript reads PAN from the DOM, if PAN hits your backend “just for logging,” or if you proxy card data through your servers, you are not SAQ-A. Hosted fields and redirect checkout models exist to keep the browser-to-vault channel direct.
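The "PAN hits your backend just for logging" condition can be checked directly. The scanner below is an added example, not code from Veliro or the PCI SSC: it flags Luhn-valid card-number candidates in log lines. The sample log lines are constructed, and the card numbers in them are widely published test values.

```python
import re

# 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_valid(digits):
    """Luhn checksum: filters out order ids and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask(digits):
    # Report only the last four digits so the scanner's own output
    # does not become another place where PAN is stored.
    return "*" * (len(digits) - 4) + digits[-4:]

def find_pan_candidates(line):
    """Return masked, Luhn-valid card-number candidates found in one line."""
    hits = []
    for m in CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(mask(digits))
    return hits

def scan(lines):
    """Return (line_number, masked_hits) for every line that contains a hit."""
    return [(n, hits) for n, line in enumerate(lines, 1)
            if (hits := find_pan_candidates(line))]

# Constructed sample backend log (not real data).
SAMPLE_LOG = [
    '2024-05-01T10:00:01Z INFO checkout token=tok_constructed_123 amount=1999',
    '2024-05-01T10:00:02Z DEBUG payload={"card":"4111 1111 1111 1111","exp":"12/30"}',
    '2024-05-01T10:00:03Z INFO order_id=1234567890123456 status=paid',
    '2024-05-01T10:00:04Z DEBUG raw=5555-5555-5555-4444',
]

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG):
        print(f"line {lineno}: possible PAN {hits}")
```

A hit is a lead to investigate rather than proof, since some non-card identifiers pass the Luhn check by chance.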

SAQ-A does not eliminate security work. You still protect checkout pages from skimming, manage API keys, patch servers, and govern access to token APIs that move money even without PAN. It shrinks PCI scope; it does not remove operational security.

Veliro Secure Fields render PCI-compliant hosted inputs and send encrypted card payloads (JWE) straight to api.veliro.com. Merchants integrate with publishable keys in the browser and server-side keys for token operations, preserving SAQ-A posture while owning network tokens under their TRID.

Mobile WebViews and hybrid apps must load Secure Fields from approved origins in your dashboard; misconfigured origin allowlists are a common reason teams accidentally route card data through their own bridge and fall out of SAQ-A.
