PCI DSS Compliance

Learn how Finix handles PCI DSS compliance.


The Payment Card Industry Data Security Standards (PCI DSS) is a set of information security standards created and managed by the Payment Card Industry Security Standards Council (PCI SSC) for organizations that store, process, or transmit credit card data.

The major card brands (including Visa, Mastercard, Discover, and American Express) require PCI DSS compliance.

Finix helps you and your users validate compliance with PCI DSS by providing the necessary forms and verifying the submitted information. Users can include any entity that stores, processes, or transmits credit card data.

PCI Levels

There are four PCI compliance levels. An entity (you or one of your users) must meet the requirements of the level that applies to it before it can process payments.

Each PCI level and the users it applies to:

PCI Level 1
  • Users that process over 6 million card transactions annually through all channels and regions (card-present, ecommerce, etc.).
PCI Level 2
  • Users that process between 1 and 6 million card transactions annually through all channels and regions (card-present, ecommerce, etc.).
PCI Level 3
  • Users that process between 20,000 and 1 million card transactions annually online (ecommerce only).
PCI Level 4
  • Users that process fewer than 20,000 card transactions online (ecommerce only) annually.
  • Users that process up to 1 million card transactions annually through all channels and regions (card-present, ecommerce, etc.).
Note: Finix is certified as a Level 1 Payment Card Industry Data Security Standards (PCI DSS) compliant Service Provider.

Validating PCI DSS Compliance

Every one of your sellers eligible to process payments is required to validate compliance with PCI DSS annually.

Sellers can validate compliance by completing and attesting to a Self Assessment Questionnaire (SAQ).

Self-Assessment Questionnaires (SAQs) are validation tools that help entities self-evaluate their compliance with PCI DSS. For PCI Levels 2-4, the applicable SAQ type depends on how your payment integration is set up.

Each Self-Assessment Questionnaire (SAQ) type and who it applies to:

A
  • Card-not-present merchants that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
A-EP
  • E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website (or websites) that does not directly receive cardholder data but can impact the security of the payment transaction.
  • No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
B
  • Sellers using only imprint machines with no electronic cardholder data storage, and/or standalone, dial-out terminals with no electronic cardholder data storage.
B-IP
  • Sellers using only standalone, PTS-approved payment terminals with an IP connection.
C-VT
  • Merchants who manually enter one transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider.
C
  • Merchants with payment application systems connected to the Internet and no electronic cardholder data storage.
P2PE
  • Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage.
D
  • SAQ D for Merchants: all merchants not covered by the SAQ types above.
  • SAQ D for Service Providers: all service providers defined by a payment brand as eligible to complete an SAQ.

Each PCI DSS Self-Assessment Questionnaire comprises the following:

  • Questions associated with the PCI DSS requirements that are appropriate for your cardholder data environment (CDE).
  • Attestation of Compliance: the attestation contains your declaration of eligibility for completing the applicable SAQ and the results of your self-assessment against the PCI DSS requirements.

Finix will evaluate your method of payment integration to help alleviate some of the PCI compliance burden. Finix takes care of the heavy lifting and creates the SAQ compliance forms your sellers need to complete. Finix pre-fills some information based on the information collected from you as part of the implementation process. For many organizations, this helps save countless hours of auditing and compliance checks.

Additionally, Finix actively monitors PCI compliance on an ongoing basis and will notify you in advance of any compliance validation issues or changes.

For information on how you and your sellers can validate compliance with PCI DSS, see Managing PCI Compliance.

Additional Materials

The following articles and materials can help you understand the Payment Card Industry Data Security Standards:

PCI SSC Glossary and Resources

AOC (Attestation of Compliance)
  • A document completed as a declaration of the results reflected in an associated Self-Assessment Questionnaire (SAQ).
ASV (Approved Scanning Vendor)
  • An organization with a scan solution that has been tested and approved by the PCI SSC to conduct the external vulnerability scanning required by PCI DSS Requirement 11.2.2.
CDE (Cardholder Data Environment)
  • The people, processes, and technology that store, process, or transmit cardholder data.
CHD (Cardholder Data)
  • At minimum, cardholder data consists of the full PAN (Primary Account Number), and may also include the cardholder name, expiration date, and/or service code.
PAN (Primary Account Number)
  • Also referred to as the account number: a unique payment card number that identifies the issuer and the particular cardholder account.
PCI DSS (Payment Card Industry Data Security Standards)
  • See the PCI SSC Document Library.
PCI SSC (Payment Card Industry Security Standards Council)
  • See the PCI DSS Help Site.
PTS (PIN Transaction Security)
  • A set of modular evaluation requirements managed by the PCI SSC for PIN-acceptance Point-of-Interaction terminals.
QSA (Qualified Security Assessor)
  • An independent security organization qualified by the PCI SSC to validate an entity’s adherence to PCI DSS. A QSA employee is an individual employed by a QSA company who has satisfied all QSA requirements.
RoC (Report on Compliance)
  • The RoC provides details about an entity’s environment and assessment methodology, and documents the entity’s compliance status for each PCI DSS requirement.
SAD (Sensitive Authentication Data)
  • Security-related information used to authenticate cardholders and/or authorize card transactions. May include card validation codes/values (CVC/CVV), PINs, and full track data from the magnetic stripe or equivalent on a chip.
SAQ (Self-Assessment Questionnaire)
  • A validation tool intended to aid merchants and service providers in self-evaluating their compliance with PCI DSS.
Service Provider
  • A business entity that is not a payment brand and is directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity.