Skip to main content

Production Checklist


An interactive guide to help you learn best practices before going to Production with your Basis Theory integration.

The answers are persistent to the browser (local storage), and can be reset by clearing website data. Incognito windows can also be used to start a new questionnaire.


Did you create your account using a work e-mail?
Did you create at least one PROD Tenant?
Do you need to import data into Basis Theory, such as Cards on File from a Payment Processor, external vault or your own database?

PCI Compliance

The questions below are designed to help you understand the potential PCI Compliance impact of your integration. Please note that these are not a substitute for a complete PCI SAQ but can provide valuable insights.

Do you know the level of PCI Compliance your business needs?
Did you complete your PCI DSS SAQ-A with Basis Theory?
Did you include a reference to the data storage at Basis Theory in your user terms of service?

Data Ingress

Are you using Basis Theory Elements for all user-facing cardholder data capture?
Are you using Basis Theory Pre-Configured Proxies for all API-based (webhooks, secure APIs, etc.) cardholder data capture?
Are you using Basis Theory Pre-Configured Proxies or Reactors for all queries to 3rd-parties that can potentially return cardholder data?

Data Processing

Are you using Basis Theory Reactors for processing any plaintext cardholder data?
Are you reading only masked cardholder data from the vault in retrieve/list/search operations?

Data Egress

Are you using Basis Theory Proxies or Reactors to send cardholder data to 3rd parties?
Are you using Basis Theory Elements to display cardholder data to users, with the proper use of Sessions and data retrieval through the Elements context?

Access Controls

Have you disabled Ephemeral Proxies in your Production Tenant(s)?
Do you have large customers or business units that require advanced management or specialized data governance rules?
Are your systems well represented by Basis Theory Applications?
Are you organizing tokens in containers considering your present and near-future needs?
Do your Applications only have the necessary permissions used in Production?
Do you have a strict list of users that can access your Production Tenant(s)?


Are you using Infrastructure-as-Code (IaC) or other form of automation to provision Basis Theory Resources (Applications, Reactors, Proxies, etc.)?
Are you hardcoding or embedding a Public Application Key in your mobile app?
Have you implemented retry logic on most critical workflows?
Are you storing PSP tokens in your own database, next to the Basis Theory Token?
Are you storing PSP tokens in Basis Theory Token metadata?
Are you storing your Basis Theory API Keys in a secret manager or using a specialized tool to manage IaC sensitive outputs?
Do you need to correlate tokenized data? For example: track if the same credit card has been used multiple times by different users.
Do you need to prevent creating duplicate tokens? For example: prevent the same data being tokenized more than once.


Do you conduct Proxy/Reactor code reviews and maintain a rollback plan, following a structured change management process?
Do you version your Proxy/Reactor code to maintain an audit trail of changes to system components?
Do you regularly test your Proxy/Reactor code, following the recommended practices?
Do you regularly run vulnerability scans in your Proxy/Reactor code?