As a merchant, you are responsible for accepting payments in a PCI-compliant manner. To ensure your card acceptance environment is secure you’ll need to review and validate your PCI compliance once a year.
This involves filling out a Self-Assessment Questionnaire (SAQ). The type of SAQ you’ll need to complete depends on your Checkout.com integration. There are also assessment requirements based on your card transaction volume.
Please note: If you change how you integrate with us, you may need to re-certify your PCI compliance. For example, if you reintegrate from Frames to our Full Card API, you'll have more access to cardholder data, so your requirements may change.
Qualified Security Assessors (QSAs) are independent individuals and organisations approved by the PCI Security Standards Council. They can validate your adherence to the PCI DSS, help you choose the right SAQ for your business, and support you through the process.
We’ve partnered with SecurityMetrics, a QSA company, to help you with PCI compliance. After we approve your application, you'll receive an email explaining how to create your account with SecurityMetrics.
You can choose to use them or another QSA for PCI assistance. If you decide to register with SecurityMetrics, they’ll contact you annually to complete the validation process.
For questions about PCI compliance, visit the SecurityMetrics website and choose the appropriate contact option.
If you’re already PCI compliant through another QSA, you can opt out from using SecurityMetrics. In that case, you'll need to provide us with valid certification from your QSA attesting to your compliance.
Visa and Mastercard monitor how Checkout.com adheres to PCI compliance. They may request PCI DSS validation documents from us at any time, and if we fail to provide the requested material, they can impose Non-Compliance Assessments that we may pass through under the terms of our agreement with your business.
For this reason, it’s important that you respond to any emails and remediation requests from your QSA promptly. By doing so, you can keep your cardholders’ details safe and avoid the risk of fines.
Important: Data security is extremely important to us. If you believe the security of your integration may have been compromised, or have any questions about your PCI obligations, contact us at [email protected].
Your business will be categorized under one of four PCI compliance levels, based on your card transaction count over a 12-month period.
Level 1 merchants are subject to more stringent requirements than level 2 merchants. You’ll be classed as a level 1 merchant if you process more than 6 million transactions annually.
If you fall under level 1 we will identify this and contact you to make sure you can provide the relevant documentation and stay compliant.
As a level 1 merchant, you’ll need to undertake an on-site assessment, in addition to the other PCI DSS requirements for level 2-4 merchants. Note that this assessment is not covered as part of the free service offered by SecurityMetrics. However, your Account Manager can facilitate the conversation with them to arrange this.
You’ll be classed as a level 2 merchant if you process between 1 and 6 million transactions annually. As a level 2 merchant, you’ll need to complete an Attestation of Compliance and have it validated by your QSA in addition to following the PCI DSS requirements for level 3 and 4 merchants. SecurityMetrics offers this as an extra service, for which they will bill you directly.
You’ll be classed as a level 3 merchant if you process between 20,000 and 1 million transactions annually, and as a level 4 merchant if you process fewer than 20,000 transactions annually. As a level 3 or 4 merchant, you’ll need to complete your Self-Assessment Questionnaire annually and conduct a quarterly scan of your environment. SecurityMetrics can help you with this process as part of their free service.