Overview

“If you are a merchant of any size accepting credit cards, you must be in compliance with PCI Security Council standards.”

– PCI Security Council

If you handle, process, transmit or store credit card data, you must comply with the Payment Card Industry Data Security Standards (PCI DSS). This means that even though you may not necessarily be the merchant of record, you are responsible for compliance as you are handling sensitive data. Assembly has been audited by a PCI-certified auditor and has achieved the highest level of certification; PCI Service Provider Level 1. However, this does not mean that your platform automatically receives the same certification.

PCI DSS Compliance Requirements

Even though Assembly processes and stores credit card data on your behalf, you will still need to be PCI compliant to some degree. The PCI Security Council provides guidelines to which level of compliance applies based on your involvement in the credit card data handling process. The latest standards are available here.

In 2015, PCI DSS 3.0 has introduced new standards that may impact your compliance requirements. A new, more comprehensive SAQ A-EP has been introduced which impacts anyone that may be using a ‘Direct Post’ solution to send card or payment data.

Fulfilling the PCI self-assessment

Your business will have to complete a self-assessment questionnaire (SAQ) in order to formally achieve a level of PCI compliance. Ensure that you have a completed copy in your records for auditing purposes.

If you are unsure about which self-assessment questionnaire is applicable to you, see the guidelines under “Which SAQ Best Applies to My Environment?” on the PCI SAQ Instructions and Guidelines.

Qualified assessors for attestation

If you need clarity, guidance, or advice on PCI requirements, it is recommended that you enlist a Qualified Security Assessor (QSA) who can help you understand and achieve your requirements.

Note that we do not complete the SAQ for you, nor can we attest that you are PCI-compliant. You or your organisation must work through an internal assessment, or with the help of a QSA, to attain compliance.

Using PromisePay.js

Assembly provides a Javascript tool to help you potentially reduce your PCI compliance burden. Use PromisePay.js to transmit credit card data securely from your users browser window direct to Assembly via an iFrame transport tunnel, served from a promisepay.com domain, and controlled by Assembly. 

This method of integration requires your business to complete a SAQ A-EP (at a minimum).

Assembly API

Using the Assembly Card Accounts API requires you to handle sensitive credit card data. This method of integration requires your business to complete a SAQ D (at a minimum).

Did this answer your question?