PCI Engagement Notification
Overview
The CCG widget is designed to handle sensitive payment data in compliance with PCI DSS standards. This page covers the PCI Engagement Notification system and how to monitor when sensitive data collection screens (PCI flows) are active in your integration.
PCI Engagement Notification
The PCI Engagement Notification system sends alerts when a user or agent enters or exits a PCI data collection screen. This allows your application to be aware of when sensitive payment information is being handled.
A PCI Flow is any UI screen designed to collect sensitive payment details, such as credit card or bank account information. When a user interacts with these forms, the widget triggers an event so your integration can respond appropriately.
Supported Experiences
- Embedded experience (CDN, NPM starting v2.41.0)
- Hosted experience
Usage
Embedded Experience
Pass a callback to the onEvent handler during widget initialization. The callback is invoked with a SESSION_CONTEXT_UPDATED event when PCI status changes.
For full onEvent payload details, see the Embedded Experience — onEvent section.
Hosted Experience
Poll the GET /sessions/{sessionId} endpoint periodically. The response contains the sessionContext object — inspect pci.active to determine if the user is on a sensitive payment form.
Interpreting the PCI Status
Regardless of integration type, the PCI status is communicated via the same sessionContext shape:
| Property | Value | Meaning |
|---|---|---|
| sessionContext.pci.active | true | User has entered a PCI flow |
| sessionContext.pci.active | false | User has exited a PCI flow |
In Embedded integrations, treat session completion (onSuccess / onError) as the point when PCI is no longer active — the user has already exited all PCI-sensitive forms.
Event Payloads
PCI Flow Entry
Triggered when a user navigates to a card or bank account input screen.
{
  "title": "SESSION_CONTEXT_UPDATED",
  "data": {
    "sessionContext": {
      "pci": {
        "active": true
      }
    }
  }
}
PCI Flow Exit
Triggered when the user navigates away from the card or bank account input screen.
{
  "title": "SESSION_CONTEXT_UPDATED",
  "data": {
    "sessionContext": {
      "pci": {
        "active": false
      }
    }
  }
}
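One way to consume these payloads so that host-page capture (for example session replay or call recording) is suspended while a PCI flow is open. This is an added example, not code from the widget or its documentation; `createPciTracker`, `pause`, `resume` and `demo` are hypothetical names, and the sample events are constructed from the payload shapes above.

```javascript
// Added example. createPciTracker, pause and resume are hypothetical names;
// wire the returned callbacks into your own widget initialization.
function createPciTracker({ pause, resume }) {
  let active = false;

  // Accepts a sessionContext object, either from an onEvent payload or from a
  // GET /sessions/{sessionId} response, and fires the hooks on transitions only.
  function apply(sessionContext) {
    const flag = sessionContext && sessionContext.pci && sessionContext.pci.active;
    // Malformed update: keep the current state, so an open PCI flow stays paused.
    if (typeof flag !== "boolean") return active;
    if (flag && !active) { active = true; pause(); }
    else if (!flag && active) { active = false; resume(); }
    return active;
  }

  return {
    isActive: () => active,
    applySessionContext: apply,
    onEvent(event) {
      if (!event || event.title !== "SESSION_CONTEXT_UPDATED") return;
      apply(event.data && event.data.sessionContext);
    },
    // Session completion: the user has already left every PCI-sensitive form.
    onSuccess() { apply({ pci: { active: false } }); },
    onError() { apply({ pci: { active: false } }); },
  };
}

// Constructed event sequence: entry, duplicate entry, malformed update, completion.
function demo() {
  const log = [];
  const tracker = createPciTracker({
    pause: () => log.push("pause"),
    resume: () => log.push("resume"),
  });
  const entry = { title: "SESSION_CONTEXT_UPDATED",
                  data: { sessionContext: { pci: { active: true } } } };
  tracker.onEvent(entry);
  tracker.onEvent(entry);                                          // no second pause
  tracker.onEvent({ title: "SESSION_CONTEXT_UPDATED", data: {} }); // ignored
  tracker.onSuccess();                                             // resume
  return log;
}
```

In a Hosted integration the same tracker can be fed by passing the polled `sessionContext` to `applySessionContext`.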
Things to Keep in Mind
- Compatible with all supported payment methods (card, bank account)
- In Hosted integrations, you must poll the session endpoint; the onEvent callback is not available
- PCI status changes are only communicated via SESSION_CONTEXT_UPDATED in Embedded