COMPLIANCE
According to the PCI Council, an independent body created by the card networks in 2006, any business that accepts credit card payments and transmits, processes and / or stores the related data must follow the PCI standard.
The PCI standard is a set of 12 security requirements covering, among other things, encryption of cardholder data, firewall management, keeping antivirus software up to date and assigning a unique ID to each person with computer access.
Is PCI compliance a law?
The short answer is no, it is not a law. While PCI compliance is not a law, it is usually part of your contractual agreement with your partners and processors. If you decide not to be PCI compliant, and your system gets compromised and you lose cardholder data, you will likely be liable for the cost of a forensic investigation by an external supplier, have to pay a fine for the lost cards, and your bank will probably require you to actually become compliant (with monthly penalties until you do).
Think of PCI compliance as mostly a form of insurance to protect you in the event that you end up getting cards stolen. You can save money by not having it, but you might end up with a very expensive bill if things go wrong. So treat it like any other risk, and weigh up the cost of compliance vs the potential costs of a breach.
And if you decide not to be compliant, then you need to make damn sure that you don’t end up losing cardholder data. One way to achieve this is by outsourcing to PCI Booking.
Read more with our Ultimate Guide to PCI Compliance
There are several reasons why it is beneficial for you to outsource your PCI compliance to PCI Booking:
Relying on Experts
The team at PCI Booking has decades of experience in the PCI compliance industry. Our team knows the ins and outs of compliance, what can and cannot be done, and has developed all the functions a business needs to outsource its PCI compliance while still being able to perform all necessary actions on the cards.
Mitigating Cost and Risk
Achieving and maintaining PCI compliance on your own is very expensive and involves a lot of risk, especially if you have to store a lot of your customers' cards. By outsourcing to PCI Booking, you eliminate the risk (you are no longer storing the card details yourself) and you reduce your fees by using a simple SaaS service.
Maintaining Compliance is a Breeze
PCI compliance levels are based on usage volumes. The more cards you process each month, the higher the level of PCI compliance you need to comply with. Naturally, the higher the level, the more complex and stringent the requirements become.
Additionally, PCI compliance evolves over time. In 2016 the PCI council released an update to the standard from 3.1 to 3.2. In May 2018 they released an updated version 3.2.1, and in March 2022 they released version 4, which introduced 64 new requirements that organizations need to comply with, where applicable to their environments.
PCI Booking is PCI compliant at level 1, the highest level possible. When outsourcing to PCI Booking and utilizing our services, your company becomes PCI compliant at level 1 overnight.
PCI Booking maintains compliance according to the latest version available of the standard. As of December 2023 (a full year and a half before required to do so), PCI Booking is PCI version 4 compliant. When outsourcing and utilizing our services, your company becomes PCI version 4 compliant overnight.
If, or rather when, there is a new update to the PCI standard, you can rest assured that PCI Booking will update its systems to match, with little or no involvement from you.
Compliance Statement of PCI Booking
Companies that are PCI compliant receive an Attestation of Compliance (AOC) from the Qualified Security Assessor (QSA) that performed the PCI audit on their business. Please contact our team to request a copy of our most recent AOC (keep in mind that a new AOC is issued each year, usually around December).
What About Me?
PCI Booking is not a security assessor and does not scan or audit your system. Additionally, there is nothing to scan for: if you have outsourced your credit card handling to PCI Booking, your system does not handle the cards in the first place.
You are PCI compliant by signing off on the Self-Assessment Questionnaire D for service providers (SAQ-D), in which you indicate that you have outsourced your credit card processing and handling to PCI Booking. This document, along with the AOC of PCI Booking, is sufficient documentation to show that you are PCI compliant.
For more information, and to receive a copy of our whitepaper on SAQ-D for Service Providers, please contact our team.
The PCI guidelines and their interpretations are constantly evolving. We regularly blog about PCI developments, so check back regularly; here are some relevant posts.
For additional information, including copies of the PCI guidelines, explanatory background materials and general instructions and guidelines, please visit the PCI Security Standards Council’s Documents Library.