“If you are a merchant of any size accepting credit cards, you must be in compliance with PCI Security Council standards.”
– PCI Security Council
If you handle, process, transmit or store credit card data, you must comply with the Payment Card Industry Data Security Standards (PCI DSS). This means that even though you may not necessarily be the merchant of record, you are responsible for compliance as you are handling sensitive data. Assembly has been audited by a PCI-certified auditor and has achieved the highest level of certification; PCI Service Provider Level 1. However, this does not mean that your platform automatically receives the same certification.
PCI DSS Compliance Requirements
Even though Assembly processes and stores credit card data on your behalf, you will still need to be PCI compliant to some degree. The PCI Security Council provides guidelines to which level of compliance applies based on your involvement in the credit card data handling process. The latest standards are available here.
In 2015, PCI DSS 3.0 has introduced new standards that may impact your compliance requirements. A new, more comprehensive SAQ A-EP has been introduced which impacts anyone that may be using a ‘Direct Post’ solution to send card or payment data.
Fulfilling the PCI self-assessment
Your business will have to complete a self-assessment questionnaire (SAQ) in order to formally achieve a level of PCI compliance. Ensure that you have a completed copy in your records for auditing purposes.
If you are unsure about which self-assessment questionnaire is applicable to you, see the guidelines under “Which SAQ Best Applies to My Environment?” on the PCI SAQ Instructions and Guidelines.
Qualified assessors for attestation
If you need clarity, guidance, or advice on PCI requirements, it is recommended that you enlist a Qualified Security Assessor (QSA) who can help you understand and achieve your requirements.
Note that we do not complete the SAQ for you, nor can we attest that you are PCI-compliant. You or your organisation must work through an internal assessment, or with the help of a QSA, to attain compliance.
This method of integration requires your business to complete a SAQ A-EP (at a minimum).
Using the Assembly Card Accounts API requires you to handle sensitive credit card data. This method of integration requires your business to complete a SAQ D (at a minimum).