Merchant PCI Compliance Guidance
What is PCI DSS?
PCI DSS (Payment Card Industry Data Security Standards) is a set of security standards that any entity handling, transmitting, or storing card details must follow in order to protect consumer card information. Compliance involves various security measures like encryption, regular system audits, and secure network practices to maintain the security and integrity of payment card information.
Do Merchants using Rainforest need to be PCI compliant?
Rainforest, our Platform customers, and their Merchants all have roles to play in PCI Compliance. When processing payments, we all must adhere to PCI protocols — but by using Rainforest’s embedded components, you can greatly simply your PCI compliance requirements. Avoid direct access to card details by using Rainforest’s embedded components for secure transmission of card data to Rainforest. While everyone has a role to play in maintaining PCI compliance, let Rainforest take on the main responsibility, ensuring your merchant’s card data remains secure.
How do Merchants validate their PCI compliance?
For most Merchants, the Self-Assessment Questionnaire (SAQ) sufficiently validates PCI compliance. Filling out the SAQ, which is a questionnaire that can be completed in-house, helps organizations evaluate their security measures and demonstrate their compliance with PCI DSS. There are different types of SAQs, each tailored to different types of businesses and their specific payment processing methods. Your Rainforest integration style determines your SAQ type and if there's a need for further PCI compliance requirements.
Unsure about your PCI position? Review the Rainforest Responsibility Matrix and consult with a PCI Qualified Security Assessor to validate your compliance with PCI security requirements.
Integration | Requirement | Recommendation |
---|---|---|
Embedded Component | SAQ-A | If card data is collected via the Rainforest embedded component or the Platform is collecting card data is validated Level 1 Service Provider, Merchants have the lowest validation requirement and must complete an SAQ-A (22 questions). |
API | SAQ-A EP - or - SAQ-D | If the Merchant is handling card data, even if this data is not stored, PCI compliance is validated with a SAQ-A EP (41 questions). If the Merchant is storing card data, PCI compliance is validated with a SAQ-D (330+ questions). NOT RECOMMENDED |
Card Present Device | SAQ-B IP | If the Merchant processes transactions only through an IP-enabled card present device, PCI compliance is validated with an SAQ-B IP (30 questions). If the Merchant also processes e-commerce transactions, this SAQ does not apply. |
Platform Virtual Terminal | SAQ-C VT | If the Merchant has the ability to manual enter transactions through a virtual terminal or dashboard, SAQ-C VT (47 questions) is utilized to validate PCI compliance. |
Important Notes:
Merchants with over 6 million transactions a year are required to complete an third-party audit with a PCI Qualified Security Assessor.
Elements of PCI DSS 4.0 go into effect March 2025 and have vulnerability scanning requirements in addition to completing an SAQ.
Are Merchants required to provide proof of compliance?
Based on the merchant’s transaction volume, PCI validation may be required. Additionally, any merchants storing cardholder data must validate compliance an an annual basis.
Merchant Level | Volume | Requirements |
---|---|---|
Level 1 | Merchants processing more than 6 million credit card transactions annually. | Proof of compliance is required to be provided within 90-days of onboarding, and annually afterward. |
Level 2 | Merchants processing between 1 million and 6 million transactions annually. | Proof of compliance is required to be provided within 90-days of onboarding, and annually afterward. |
Level 3 | Merchants processing between 20,000 and 1 million e-commerce transactions annually. | Proof of compliance is required to be provided within 90-days of onboarding, and annually afterward. |
Level 4 | Merchants processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually. | Proof of compliance is not required |
Updated 20 days ago