Level 1 PCI Compliant
Spreedly is a Level 1 Service Provider. This is the highest level of PCI DSS compliance. You can access our current compliance documents below:
- Attestation of Compliance issued by 403 Labs
- ASV Scan Report Attestation of Compliance issued by 403 Labs
We are also a registered service provider with both Visa and Mastercard.
Who must be PCI compliant?
If you accept credit cards from your customers then you must be PCI compliant.
Many gateways and online payment processing solutions will claim their drop-in credit card widgets exclude you from worrying about PCI compliance. This is not true. Even if you are using a third party to handle the collection, processing, and storage of protected cardholder data, you must still be PCI compliant and follow the necessary certification process. Third party solutions, including Spreedly, help you reduce your PCI compliance burden but no one can eliminate it entirely. You still have to certify each year, but will often be able to do so with much less effort and expense than if you were processing and storing the card data yourself.
Proof of compliance
What is required to prove your PCI compliance is ultimately up to your merchant/acquiring bank and depends on a number of factors including the number of transactions you process annually. Generally, however, if you are using Spreedly you will rely on our L1 status and complete the relevant SAQ. Depending on which category you fall under, you may also be required to provide an up-to-date scan of your systems performed by an Approved Scanning Vendor (which must be repeated quarterly).
How do I self-assess?
This involves you reviewing your internal systems then completing a questionnaire and, depending on what self-assessment category you fall under, having an outside provider perform a security scan of your systems each quarter.
There are currently eight categories of self-assessment, but not all of these are applicable to e-commerce merchants. Your level of PCI scope will ultimately depend on how you capture and work with credit card data, but if you are using a third party service like Spreedly it is likely that you will be required to fill out either SAQ A, SAQ A-EP or SAQ D. See the table below for more information:
| If your systems… | then use: |
| --- | --- |
| do not touch, process or store cardholder data, and do not serve any card collection forms (e.g. you use Spreedly's iFrame) | SAQ A |
| do not touch, process or store cardholder data, but do serve card collection forms (e.g. you use Spreedly's transparent redirect) | SAQ A-EP |
| do touch, process or store cardholder data | SAQ D |
Where can I find more information?
The PCI guidelines and their interpretations are constantly evolving. We regularly blog about PCI developments so check back regularly, but we have included some relevant posts below:
- PCI DSS v3.0 for Online Merchants
- Using an iFrame Payment Form with Spreedly
- The Path to PCI Compliance
- SAQ A-EP: A Big Shakeup for Online Merchants
For additional information, including copies of the PCI guidelines, explanatory background materials, downloadable SAQ forms and general instructions and guidelines, please visit the PCI Security Standards Council’s Documents Library.