PCI Level 1 Compliant

Spreedly is a PCI Level 1 Service Provider. This is the highest level of PCI DSS certification. You can access our current compliance documents below:

We are also a registered service provider with both Visa and Mastercard.

Who must be PCI compliant?

If you accept credit cards from your customers then you must be PCI compliant.

Many payment gateways and online payment processing solutions may claim that their “drop-in” credit card widget excludes you from worrying about PCI compliance. This is not true. Even if you are using a third party to handle the collection, processing and storage of protected cardholder data, you must still follow the necessary certification process. Third party solutions allow you to be PCI compliant with much less effort and expense than if you were processing and storing the card data yourself, but you still have to certify each year. Companies like Spreedly can help reduce your PCI compliance burden, but no one can eliminate it entirely.

Proof of PCI Compliance

What is required to prove your PCI compliance is ultimately up to your merchant/acquiring bank, and it depends on several factors, including the number of transactions you process annually. Generally, however, if you are using Spreedly you will rely on our PCI Level 1 status and complete the relevant SAQ. Depending on which category you fall under, you may also be required to have an Approved Scanning Vendor perform a quarterly scan of your systems and provide an up-to-date report.

How Do I Self-Assess?

Performing a PCI compliance self-assessment requires you to complete a questionnaire and, depending on which self-assessment category you fall under, to have an outside provider perform a quarterly security scan of your systems.

There are currently eight categories of self-assessment, but not all of these are applicable to online merchants. Your level of PCI scope will ultimately depend on how you capture and work with credit card data, but if you are using a third party service like Spreedly it is likely that you will be required to fill out either SAQ A, SAQ A-EP or SAQ D. The following summarizes which one applies:

  • If your systems do not touch, process or store cardholder data, and do not serve any card collection forms (e.g. you use Spreedly’s iFrame), then use SAQ A.
  • If your systems do not touch, process or store cardholder data, but do serve card collection forms (e.g. you use Spreedly’s transparent redirect), then use SAQ A-EP.
  • If your systems do touch, process or store cardholder data, then use SAQ D.

Where Can I Find More Information?

The PCI compliance guidelines and their interpretations are constantly evolving. We blog about PCI developments regularly, so check back often; some relevant posts are included below:

For additional information, including copies of the PCI compliance guidelines, explanatory background materials, downloadable SAQ forms and general instructions and guidelines, please visit the PCI Security Standards Council’s Documents Library.

SAQ Description
A

Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. This would never apply to face-to-face merchants.

A-EP

E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.

B

Merchants using only:

  • Imprint machines with no electronic cardholder data storage; and/or
  • Standalone, dial-out terminals with no electronic cardholder data storage.

Not applicable to e-commerce channel

B-IP

Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.

Not applicable to e-commerce channel

C-VT

Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage.

Not applicable to e-commerce channel

C

Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.

Not applicable to e-commerce channel

P2PE-H

Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage.

Not applicable to e-commerce channel

D

All other merchants not included in the descriptions for the above SAQ types, and all service providers defined by a payment card brand as eligible to complete an SAQ.