PCI Security Guide
The Payment Card Industry Data Security Standard (PCI DSS) applies to any entity that handles credit card information. Specifically, organizations that store, process, or transmit cardholder data are required to comply with PCI DSS.
Here’s a breakdown of who should be compliant:
Software Platforms
- Companies that provide point-of-sale (POS) systems, payment applications, or any technology that interacts with payment card data are required to comply with PCI DSS, as they can be involved in the processing or storage of cardholder data.
- Software platforms are also subject to different levels of compliance based on their transaction volume or the volume of cardholder data they handle:
- Level 1: Service providers processing more than 300,000 transactions per year or those that store, process, or transmit cardholder data for merchants that do.
- Level 2: Service providers processing less than 300,000 annually.
The integration method with Rainforest impacts your compliance scope and responsibilities as well as the compliance requirements for your merchants.
Integration | Requirement |
---|---|
Embedded Component | Rainforest collects and stores sensitive data reducing compliance burden on software platforms and merchants by maintaining secure and PCI DSS Level 1 certified Card Data Environment (CDE) secure throughout collection, transmission, and storage of covered data. RECOMMENDED |
API | As Platform is responsible for storing, processing, and/or transmitting sensitive payment-related data, Rainforest requires validation of PCI compliance. |
Hybrid (API + Components) | Responsibilities vary based on the information collected and passed via API. |
Based on your integration, you may be required to provide proof of your PCI compliance to Rainforest. To learn more, read more here.
Merchants
- Retailers and businesses that accept, process, store, or transmit cardholder data must comply with PCI DSS.
- This includes both physical stores and online merchants (e-commerce sites).
- Compliance depends on transaction volume and the method of card processing:
- Level 1: Merchants processing more than 6 million credit card transactions annually.
- Level 2: Merchants processing between 1 million and 6 million transactions annually.
- Level 3: Merchants processing between 20,000 and 1 million e-commerce transactions annually.
- Level 4: Merchants processing fewer than 20,000 e-commerce transactions or up to 1 million total transactions annually.
Merchants may be required to provide proof of compliance. To learn more about merchants compliance and validation requirements, read more here.
Compliance Requirements Based on Risk and Volume
The level of compliance needed is often based on the volume of transactions processed and the manner in which cardholder data is handled. Larger organizations and those with more complex systems (e.g., global retailers or service providers) typically need to undergo more thorough security assessments, while smaller businesses might only need to complete a self-assessment questionnaire or implement simpler security measures.
Key Areas of Compliance
- Data protection: Securely storing and transmitting cardholder data.
- Access control: Restricting access to cardholder data on a "need-to-know" basis.
- Network security: Protecting systems from external and internal threats.
- Regular monitoring and testing: Conducting vulnerability assessments and security testing.
PCI Validation Requirements
PCI compliance is generally validated with a Self-Assessment Questionnaire. Based on your volume and card data exposure, you may also require a third-party audit conducted by a PCI Qualified Security Assessor.
You should only complete one SAQ that best matches your overall operations. Platforms that process less than 300,000 transaction may still be required to complete a third-party audit for Level 1 compliance based on your integration method.
SAQ Type | # of Questions | Applicable For |
---|---|---|
SAQ A | 22 | Card-not-present merchants that do not store cardholder data |
SAQ A-EP | 41 | Card-not-present merchants that store or process cardholder data |
SAQ B | 27 | Card-present merchants that do not store cardholder data |
SAQ B-IP | 30 | Card-present merchants with IP-connected POS but no cardholder data storage |
SAQ C | 79 | Merchants with card-present transactions and store cardholder data |
SAQ C-VT | 47 | Merchants with card-not-present transactions via a virtual terminal |
SAQ D (Merchants) | 330+ | Merchants that store, process, or transmit cardholder data |
SAQ D (Service Providers) | 330+ | Service providers who store, process, or transmit cardholder data |
Updated 20 days ago