PCI Security Guide

The Payment Card Industry Data Security Standard (PCI DSS) applies to any entity that handles payment card data (credit and debit). Specifically, organizations that store, process, or transmit cardholder data, or that could affect the security of cardholder data, are required to comply with PCI DSS.

Here’s a breakdown of who should be compliant:


Software Platforms

  • Companies that provide point-of-sale (POS) systems, payment applications, or any technology that interacts with payment card data are required to comply with PCI DSS, because they are involved in processing, transmitting, or storing cardholder data on behalf of merchants (the standard treats them as service providers).
  • Service providers are subject to different validation levels based on the annual transaction volume they store, process, or transmit:
    • Level 1: Service providers processing more than 300,000 transactions per year. Level 1 is validated with an on-site assessment by a Qualified Security Assessor (QSA).
    • Level 2: Service providers processing 300,000 or fewer transactions per year. Level 2 is validated with a Self-Assessment Questionnaire (SAQ D for Service Providers).

The integration method with Rainforest impacts your compliance scope and responsibilities as well as the compliance requirements for your merchants.

Integration methods and the corresponding requirement:

  • Embedded Component (RECOMMENDED): Rainforest collects and stores the sensitive data, which reduces the compliance burden on software platforms and their merchants. Covered data is collected, transmitted, and stored within Rainforest's PCI DSS Level 1 validated Cardholder Data Environment (CDE) and never touches the platform's systems.
  • API: Because the platform itself stores, processes, and/or transmits sensitive payment data, Rainforest requires the platform to validate its own PCI compliance.
  • Hybrid (API + Components): Responsibilities vary depending on which data is collected by Rainforest components and which data the platform collects and passes through the API. Any cardholder data that passes through the platform's own systems brings those systems into scope.

Based on your integration, you may be required to provide proof of your PCI compliance to Rainforest. See the linked platform compliance page for details.


Merchants

  • Retailers and businesses that accept, process, store, or transmit cardholder data must comply with PCI DSS.
  • This includes both physical stores and online merchants (e-commerce sites).
  • The validation level depends on annual transaction volume and the channel through which cards are accepted:
    • Level 1: Merchants processing more than 6 million card transactions annually.
    • Level 2: Merchants processing between 1 million and 6 million transactions annually.
    • Level 3: Merchants processing between 20,000 and 1 million e-commerce transactions annually.
    • Level 4: Merchants processing fewer than 20,000 e-commerce transactions annually, and all other merchants processing up to 1 million transactions annually.

Merchants may be required to provide proof of compliance. See the linked merchant compliance page for details on merchant compliance and validation requirements.


Compliance Requirements Based on Risk and Volume

The level of validation required is based on the volume of transactions processed and the manner in which cardholder data is handled. Larger organizations and those with more complex systems (e.g., global retailers or service providers) typically must undergo an on-site assessment by a Qualified Security Assessor, while smaller businesses may only need to complete a Self-Assessment Questionnaire. Note that the level changes how compliance is validated, not which security requirements apply: every in-scope system must meet the PCI DSS requirements regardless of level.


Key Areas of Compliance

  • Data protection: Storing cardholder data only when necessary, rendering stored PANs unreadable (for example, by encryption or tokenization), and encrypting cardholder data whenever it is transmitted over open, public networks.
  • Access control: Restricting access to cardholder data on a "need-to-know" basis, with unique IDs and strong authentication for anyone who can reach it.
  • Network security: Protecting systems from external and internal threats, including segmenting the cardholder data environment from the rest of the network.
  • Regular monitoring and testing: Logging and monitoring access to cardholder data, and conducting vulnerability scans and penetration tests on a recurring schedule.

PCI Validation Requirements

PCI compliance is generally validated with a Self-Assessment Questionnaire (SAQ). Based on your transaction volume and card data exposure, you may instead require an on-site assessment by a PCI Qualified Security Assessor (QSA), which produces a Report on Compliance (ROC).

You should complete only the one SAQ that best matches your overall operations; if no SAQ fits, SAQ D applies. Platforms that process fewer than 300,000 transactions annually may still be required to complete a QSA assessment to Level 1 standards based on their integration method with Rainforest.


The SAQ types, the approximate number of questions in each, and who is eligible to use them. Question counts change between PCI DSS versions, so confirm the count against the current SAQ documents published by the PCI Security Standards Council.

  • SAQ A (22 questions): Card-not-present merchants (e-commerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS validated third parties and do not electronically store, process, or transmit any cardholder data on their own systems.
  • SAQ A-EP (41 questions): E-commerce merchants that outsource payment processing to PCI DSS validated third parties but whose website controls how cardholder data is redirected to the payment processor (for example, a merchant-hosted page that posts or redirects to the processor); no electronic storage of cardholder data.
  • SAQ B (27 questions): Card-present merchants using only imprint machines and/or standalone dial-out terminals; no electronic storage of cardholder data.
  • SAQ B-IP (30 questions): Card-present merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor; no electronic storage of cardholder data.
  • SAQ C (79 questions): Merchants with payment application systems connected to the Internet; no electronic storage of cardholder data.
  • SAQ C-VT (47 questions): Merchants that manually enter a single transaction at a time via keyboard into an Internet-based virtual terminal provided by a PCI DSS validated third party; no electronic storage of cardholder data.
  • SAQ D (Merchants) (330+ questions): All merchants not eligible for any of the SAQs above, including merchants that electronically store cardholder data.
  • SAQ D (Service Providers) (330+ questions): All service providers that store, process, or transmit cardholder data and are eligible to validate with an SAQ rather than a QSA assessment.