PCI Compliance Guide

This guide provides an overview on what PCI Compliance is, compliance levels and the options you have to integrate with Assembly’s solutions.

The Payment Card Industry Security Standards Council maintain a set of security standards - PCI Data Security Standards (PCI DSS) to protect the safety of card data. These security standards apply to every merchant, financial institution or other entity that stores, processes or transmits cardholder data.

PCI DSS helps you to understand why security matters, the security requirements, how to protect cardholder data, and minimise the chances of a security breach from malicious attacks. It's also mandated by the schemes that every merchant accepting card payments has to comply with PCI DSS requirements.

📘

Assembly can provide general advice around PCI compliance but you should always seek independent advice on your obligations.

Compliance Levels and SAQs

There are four merchant levels of compliance in which the card schemes categorise merchants. This has an impact on which Self Assessment Questionnaires (SAQs) is applicable to your business.

In general, you will not be eligible to use the more simplified SAQs to demonstrate compliance if you:

  • process over six million Visa transactions annually OR
  • process over six million MasterCard transactions annually OR
  • process over 2.5 million transactions with American Express OR
  • are classified as a Level 1 merchant by any of the card schemes

There are three common SAQs in the card-not-present payments acceptance space, namely:

SAQDescription
ACard-not-present merchants (e-commerce or mail/telephone-order), that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.

Not applicable to face-to-face channels.
A-EPE-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but can impact the security of the payment transaction. There is no electronic storage, processing, or transmission of cardholder data on merchant’s systems or premises.

Applicable only to e-commerce channels.
DAll merchants not included in descriptions for the above SAQ types.

Please refer to the PCI SAQ Instructions and Guidelines for full details around the SAQ options.

Integration Options

To help reduce the scope of your PCI compliance requirements, Assembly provides two Hosted solutions which manage the majority of PCI DSS’s requirements, and reduce your compliance burden.

Reduce the scope of your PCI compliance by:

  • Integrating to one of our Hosted solutions for collection of payment data (more details below)
  • Ensure secure hosting of your website and secure transmission of requests
  • Assess and submit your PCI compliance annually

Assembly also offers an API for secure card data acceptance. This allows you to have full control over the payment data and flow. You will usually need to undertake the compliance onsite assessment report should you choose to transmit card payment information securely via the API.

Hosted Form and Hosted Fields

Assembly’s Hosted solutions allow for card collection data to be embedded within your website through iFrames.

Hosted Form:

Serve all the card fields within a single iFrame.
Refer to the Integrating Hosted Form for Capturing a Credit Card guide.

Hosted Fields:

Serve card fields via multiple iFrames.
Refer to the [Integrating Hosted Fields (doc:integrating-hosted-fields) guide.

By integrating with these solutions, you are generally eligible for the simplest PCI validation SAQ-A. This is because both use iFrames to securely host and capture data via Assembly’s servers so that sensitive data does not touch your servers.

API

Assembly’s API solution allows you to host, capture and process sensitive card data prior to securely transmitting it to our servers.

You will be required to complete the highest PCI DSS scope (SAQ-D) and perform an extensive self-assessment. This may include filing a Report on Compliance (RoC) by a Qualified Security Assessor (QSA).

Refer to Assembly’s API guide for information on integrating via our API.

Assembly recommends integrating with one of the Hosted solutions for card acceptance to reduce your PCI compliance burden.