This article is about PCI compliance. We’ll explain what PCI is and the difference between PCI DSS (Payment Card Industry Data Security Standard), PCI SSF (Payment Card Industry Software Security Framework) and PA DSS (Payment Application Data Security Standard). You’ll also find information about Spektrix’s own PCI compliance and information on completing a PCI Self-Assessment Questionnaire (SAQ).
What is PCI compliance?
PCI compliance is adhering to a set of requirements set by the Payment Card Industry (PCI) to ensure that all companies that process, store or transmit card data maintain a secure environment.
The rules you must adhere to increase in number and complexity depending on the scale and risk profile of your organisation. The more ways you take card payments (online, in person, telephone sales) and the more card data you store, the greater the risk of data loss.
For example, taking payments only through a card machine requires fewer rules than taking payments online or over the phone, or storing cards in the Wallet section of the Customer Record.
What are PCI DSS, PCI SSF and PA DSS?
You may come across the terms PCI DSS (Payment Card Industry Data Security Standard), PCI SSF (Payment Card Industry Software Security Framework) and PA DSS (Payment Application Data Security Standard) when reading PCI documentation.
- PCI DSS: A set of global security standards governed by the Payment Card Industry Security Standards Council (PCI SSC). The aim of the scheme is to secure card transactions against data theft and fraud.
- PCI SSF: A replacement standard for PA DSS. It comprises the Secure Software Standard and the Secure Software Lifecycle (SLC) Standard.
- PA DSS: A set of requirements to help software vendors develop secure applications for card transactions. This was retired in October 2022 and replaced with the PCI Software Security Framework (PCI SSF).
For more information on the differences between SSF and PA DSS, you can read the following blog posts from Payment Card Industry Security Standards Council:
Is my organisation PCI compliant?
Spektrix doesn’t provide advice on your own PCI compliance as adhering to the PCI standards covers more than just your use of Spektrix.
PCI compliance covers anything from handling cardholder data in other areas of your organisation (cafe, gift shop, etc.) to internal processes, staff training and storing card receipts. You should have your own internal procedures to understand the scope of your cardholder data environment.
Is Spektrix PCI Compliant?
Spektrix is a Level 1 PCI compliant service provider. Read our Attestation of Compliance for more information.
The Payment Service Providers that Spektrix integrates with are Level 1 service providers. You can find their compliance information below:
If your Payment Service Provider is Worldpay, Authorize.Net or Moneris, get in touch with them to request their PCI certification.
Completing PCI Self-Assessment Questionnaires
Most Merchant/Acquiring Banks will regularly ask you to complete a PCI Self-Assessment Questionnaire (SAQ). The SAQ is used as a validation tool to perform and report the results of your PCI DSS self-assessments. There are different SAQ versions depending on how your business handles cardholder data.
Read the latest SAQ Instructions and Guidelines document in the PCI Security Standards Document Library. By searching with the term ‘SAQ,’ you’ll also find links to each of the Self-Assessment Questionnaires in PDF format.
TIP: If you process above a certain number of transactions per year, your compliance assessment must be done by a Qualified Security Assessor (QSA) or your own Internal Security Assessor (ISA). For more information, contact the Security Standards Council.
If you have any questions about the Self-Assessment Questionnaire, contact the organisation that requested it. This is usually your Merchant/Acquiring Bank.
This article should give you the information and resources you need to understand PCI Compliance.