Platform PCI Compliance Guidance
Overview of this guidance
Your PCI compliance requirements will vary based on your specific product set up, and there is often nuance in interpretation based on implementation and data flows. Here we provide you with some general guidance on what your PCI responsibilities may be depending on your integration type with Rainforest.
Please note that you may have other PCI compliance requirements, especially if you have other processor integrations or unique implementations. Rainforest recommends that you consult with a PCI Qualified Security Assessor (QSA) to understand your PCI compliance requirements and the most appropriate way to validate that compliance.
What is PCI DSS?
PCI DSS ( Payment Card Industry Data Security Standards) is a set of security standards that any entity handling, transmitting, or storing card details must follow in order to protect consumer card information. Compliance involves various security measures like encryption, regular system audits, and secure network practices to maintain the security and integrity of payment card information.
Who in the Rainforest payments ecosystem need to be PCI compliant?
All participants in the card payments ecosystem, including Rainforest, our Platform customers, and your Merchants, must all be PCI DSS compliant. Rainforest's compliance has been vetted by an independent PCI Qualified Security Assessor (QSA), and we hold a PCI Level 1 Service Provider certification (the most demanding level of certification).
As the Platform hosting Rainforest’s embedded payment component or using the Rainforest API to process payments, you also must adhere to PCI protocols. However, by using Rainforest’s embedded components to avoid direct access to card details, you can greatly simply your PCI compliance requirements. While everyone has a role to play in maintaining PCI compliance, let Rainforest take on the main responsibility, ensuring your merchant’s card data remains secure.
Who validates PCI compliance?
For Platforms, depending on your integration with Rainforest, you may either complete a Self Assessment Questionnaire (SAQ), or you may need a QSA to prepare a Report of Compliance (RoC) for you.
If you are using the Rainforest embedded payment component to process payments in your platform, Rainforest does not require you to provide evidence of your PCI compliance. However, if you use Rainforest’s API to process payments, since you are then directly touching cardholder data, Rainforest will require validation of your PCI compliance before processing.
How do Platforms validate their PCI compliance?
For many Platforms, the Self-Assessment Questionnaire (SAQ) sufficiently validates PCI compliance. Filling out the SAQ, which is a questionnaire that can be completed in-house, helps organizations evaluate their security measures and demonstrate their compliance with PCI DSS on an annual basis. There are different types of SAQs, each tailored to different types of businesses and their specific payment processing methods.
Your Rainforest integration type, as well as your other business flows and processes, determines your SAQ type and if there's a need for further PCI compliance requirements.
Note that if you’re processing more than 300k transactions Visa or Mastercard transactions, or over 2.5 million American Express transactions, per year through your software platform, you would be considered to be a Level 1 provided by the card networks. If that is the case, the card networks require an annual Report on Compliance (RoC) instead of an SAQ.
Overview of potential Platform PCI requirements depending on Rainforest integration
Integration | Description | Potential Platform PCI Requirements | Rainforest Validation Involvement |
---|---|---|---|
Rainforest Embedded Payment Component | Your Platform embeds Rainforest’s PCI Level 1 Certified payment components to securely collect and transmit cardholder payment information of your merchant's customers. | If < 300k transactions annually: Annual completion of a SAQ D (with the cardholder data environment NOT in the scope of the questionnaire) If > 300k transactions annually: Annual Level 1 Certification Report of Compliance (with the cardholder data environment NOT in the scope of the audit) | Rainforest will provide support and guides via our Responsibility Matrix to assist you in understanding which controls may be covered and where you may be able to leverage Rainforest's AoC (Attestation of Compliance). |
API Only | Platforms completely control the user interface collecting the cardholder data, and sends the payment data to the Rainforest API. | If < 300k transactions annually: Annual completion of a SAQ D (with the cardholder data environment IN SCOPE of the questionnaire) If > 300k transactions annually: Annual Level 1 Certification Report of Compliance (with the cardholder data environment IN SCOPE of the audit) | Rainforest will require validation of PCI compliance from the Platform. |
Hybrid (API + Components) | Platforms use embeddable components for some aspects of payment handling and the API for others. | Requirements will vary, but most likely include an annual Level 1 Certification Report of Compliance (with the cardholder data environment IN SCOPE of the audit) | Depending on the hybrid components, Rainforest may require validation of PCI compliance from the Platform. |
PCI Compliance for Platforms using Rainforest’s embedded payment component
What does this look like?
When you use Rainforest’s embedded payment component, we provide a small piece of code that your developers place in your software. This code creates a payment form where customers can enter their credit card information, bypassing your software, and going directly to Rainforest — so your software doesn’t see the cardholder data. This setup allows you to accept payments through your software without worrying about securing the information yourself, reducing your PCI compliance requirements since the Platforms are never interacting with, viewing, receiving, storing, or transmitting cardholder data.
What PCI responsibilities do Platforms have?
Under PCI DSS, the Platform is responsible for securing the hosting pages and supporting application that interacts with the embedded web components. Rainforest creates a safe and secure payment component to use, but you as the Platform need to ensure that the software that’s hosting the component is secure.
If processing fewer than 300k transactions annually, Platforms may be able to validate compliance via a SAQ-D questionnaire, with the cardholder data environment out of scope (because Rainforest covers it!).
If you process high volume of credit card transactions[1] you may have to complete a RoC instead. Note that this RoC may still be much reduced in scope, since the cardholder data environment is outsourced to Rainforest.
PCI Compliance for Platforms processing card data using Rainforest’s API
What does this look like?
Your software platform completely controls the user interface collecting the cardholder data, and send the payment data to the Rainforest API. For example, in this scenario, you might have a custom-designed payment form that captures the customer's payment details.
What PCI responsibilities do Platforms have?
Rainforest strongly discourages you from passing card information directly to our API. Even if you don’t store any payment information, since you’re directly touching the cardholder data, you are in scope. Rainforest can only help simplify your PCI compliance if you use our embedded components.
For Platforms using Rainforest’s API to process payments instead of the embedded component, your software platform is now part of the cardholder data environment and in scope, since you are collecting, sending, and or storing cardholder data in order to interface with the API.
If processing fewer than 300k transactions annually, Platforms may be able to validate compliance via a SAQ-D questionnaire, with the cardholder data environment out of scope. If you process high volume of credit card transactions[1] you may have to complete a RoC instead. We highly recommend working with a QSA to determine your compliance scope and validation requirements.
PCI Compliance for Platforms using a hybrid of the payment components and API
What does this look like?
Some Platforms may use a hybrid approach, with embeddable components for some aspects of payment handling and the API for others. For example, a company operates an online platform where customers can order from various stores. This platform wants to provide its own custom-designed payment form but also wants to ensure secure handling of cardholder data.
What PCI responsibilities do Platforms have?
Requirements will vary. Platforms will need to work with the Rainforest team and will likely need to complete a SAQ D, or a Level 1 Certification/RoC for the API usage.
Under PCI DSS, the Platform is responsible in the hybrid scenario for securing the hosting pages and supporting application that interacts with the embedded web components as well as securing all processing, storage, or transmission of cardholder data.
Definitions and Footnotes:
-
[1] If you’re processing more than 300k transactions Visa or Master card transactions, or over 2.5 million American Express transactions, per year through your software platform, you would be considered to be a Level 1 provided by the card networks. If that is the case, the card networks require an annual Report on Compliance (RoC) instead of an SAQ.
-
-
Purpose: Rainforest provides below a detailed matrix of PCI DSS 4.0 requirements, including the description of whether responsibility for each individual control generally lies with Rainforest, our Platform customers, or whether responsibility is shared between both parties. The matrix will also let Platforms know where you may be able to leverage Rainforest’s controls instead of creating your own.
-
Overview: The PCI DSS responsibility matrix is intended for use by Rainforest Platform customers and their Qualified Security Assessors (QSAs) for use in audits for PCI compliance. The responsibility matrix describes, in accordance with Requirement 12.8.5 and other requirements, the actions an Rainforest customer may be required take to maintain its own PCI compliance when cardholder data (CHD) and other sensitive data is passing through or stored on Rainforest systems.
-
Access: You may access and download the Rainforest Responsibility Matrix here: https://airtable.com/appW6bNzQCaOEYjD7/shrBszMdN3mMvKL4P/tblRn3MFBeTkp0Yhc
- Use the following to download the Responsibility Matrix for offline review:
-
-
Service Providers: A business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. If an entity provides a service that involves only the provision of public network access—such as a telecommunications company providing just the communication link—the entity would not be considered a service provider for that service (although they may be considered a service provider for other services).
- Note: Under PCI DSS, Platforms utilizing Rainforest embedded payment components may be classified as a Service Provider, requiring the completion of SAQ D or a Level 1 certifications and RoC (depending on your transaction processing volume).
-
Service Provider PCI Levels
- Level 1: Platforms with > 300k transactions a year, across all channels.
- Level 2: Platforms with < 300k transactions annually, across all channels.
Updated 20 days ago