PCI Compliance

The acronym “PCI” stands for “Payment Card Industry.” The full name of the organization is “The PCI Security Standards Council,” which is an organization founded by American Express, Discover, JCB International, MasterCard, and Visa. Their website is here.

Do You Need to Comply with PCI Standards?

Everyone who accepts credit cards must be compliant with PCI data security standards. But the process of validating your company’s compliance varies widely, depending on your type & size of business.

The PCI-DSS Standard

PCI defines a number of security standards. The one that’s relevant for Chargify and our merchants is called “PCI-DSS,” which stands for “PCI Data Security Standard.”

PCI-DSS covers various things about your business, like:

  • Handling of data by your computer systems.
  • Separation of program execution and data storage.
  • Guarding against employee theft of data.
  • Guarding against internet-based intrusions.
  • Proper disposal of hard drives.
  • Tracking of human access to hardware.
  • Ensuring that software developers cannot directly change production systems without management oversight.

If you’re a small or medium-sized business that uses Chargify for all functions where credit card data is involved, you’ll just need to do a self-assessment.

PCI Level 1

PCI divides merchants into 4 Levels.

Chargify is a PCI Level 1 merchant. For more information on our security compliance, please view our security validations here.

  • More than 6,000,000 Visa or MasterCard transactions per year.
  • More than 2,500,000 American Express transactions per year.
  • Any merchant that Visa or MasterCard determines should meet the Level 1 merchant requirements to minimize risk to the system.
  • Any MasterCard merchant who had account data compromised in the previous year.
  • Any entity that handles credit card data and/or provides card processing services on behalf of other merchants.

PCI Level 2

  • 1,000,000 to 6,000,000 Visa or MasterCard transactions per year.
  • 50,000 and 2,500,000 American Express transactions per year.

PCI Level 3

  • 20,000 to 1,000,000 Visa or MasterCard transactions per year.
  • 50,000 American Express transactions per year.

PCI Level 4

  • Fewer than 20,000 Visa or MasterCard transactions per year
  • Note: American Express does not use level 4.

What Does My PCI Level Mean for Me?

Look at the requirements above and see which PCI Level is right for your business.

  • If you’re Level 1 or 2, then you need to hire an auditor to verify your compliance with the PCI-DSS Standard.
  • If you’re Level 3 or 4, then you can do your own Self-Assessment of compliance.

If you’re a small/medium business and you rely on Chargify for all of your credit card data-handling operations. Chargify hanldles the heavy lifting of PCI-related concerns. Please note that you, as a merchant, can self-assess your PCI level, if you are level 3 or 4.

PCI Self-Assessment for Merchants in Levels 3 & 4

PCI has developed a set of Self-Assessment Questionnaires (SAQs) that can be used by Level 3 and Level 4 merchants. These questionnaires are referred to as “SAQs”. They help you figure out if you’re compliant with the PCI-DSS standards.

SAQ A

Chargify merchants that use Public Signup Pages will qualify for SAQ-A.

Applies if: All cardholder data functions are outsourced to someone like Chargify. You have no electronic storage, no processing, no transmission of cardholder data, no web pages hosted by you that even “kind of” touch credit card data (see below for what “kind of” means).

  • This is the proper questionnaire for merchants who use Chargify-hosted pages for all collection and updating of consumer’s card data. You can use our consumer signup pages, card update pages, and consumer self-service Portal.
  • You will be asked to confirm that Chargify is PCI compliant, and you can do this by checking our Certificate of Compliance, located here.
  • This is not the proper questionnaire if you collect card data on your own SSL-secure web page and then transmit the data to Chargify via our API. In 2015, you want to avoid doing this unless you are okay with annual PCI audits.
  • This is not the proper questionnaire if you collect card data using a “transparent redirect” function such as Chargify Direct, or if you use a JavaScript “drop-in” library from some payment gateways, where you host your own forms but all credit card data passes directly from consumers to Chargify servers. These methods are what we call “kind of” touching credit card data. See SAQ A-EP, below.

SAQ A-EP

Applies if: You are a merchant that partially outsources everything credit card -related to a company like Chargify. Regarding the meaning of “partially”, here’s a summary from the SAQ A-EP document itself, “This SAQ has been created to address requirements applicable to e-commerce merchants with a website(s) that does not itself receive cardholder data but which does affect the security of the payment transaction and/or the integrity of the page that accepts the consumer’s cardholder data.”

This is the proper questionnaire for merchants who touch credit card data with their own web pages… those who use a “transparent redirect” function such as Chargify Direct, or those who use a JavaScript “drop-in” library from some payment gateways, where you host your own consumer-facing forms but all credit card data passes directly from consumers to Chargify servers.

You will be asked to confirm that Chargify is PCI compliant, and you can do this by checking our Certificate of Compliance, located here.

SAQ B

Applies if: Merchant only uses physical card imprint machines or stand-alone dial-out terminals. No electronic cardholder data storage.

  • No internet connection with regard to card data, which pretty much eliminates all Chargify merchants.

SAQ C

Applies if: Payment application connected to the Internet. No electronic cardholder data storage.

  • This is the proper questionnaire if you collect card data on your own SSL-secure web page and then transmit the data to Chargify via our API.

SAQ D

Applies if: All other merchants not covered above, and service providers.

  • This questionnaire applies to oddball merchants, and to companies like Chargify, that provide services to others.

Where Do You Get the SAQ Forms?

Download the SAQ forms directly from the PCI site.

  • For details regarding the Visa PCI Level criteria & validation requirements, please click here.

  • For details regarding the MasterCard PCI Level criteria & validation requirements, please click here.

  • For details regarding the American Express PCI Level criteria & validation requirements, please click here.