Finally, a way to reduce your PCI risk

Questions about PCI compliance? Let us help.

What is PCI Compliance?

PCI compliance is a set of rules that merchants must follow to minimize the risk and impact of data breaches. These rules were developed by the major credit card companies. The requirements vary depending on the merchant’s card transaction volume.  

All online merchants that accept credit card payments must be PCI compliant. Spreedly takes the pain out of compliance. With our secure PCI Level 1 card vault, you can significantly reduce your PCI scope and help avoid a costly and time-intensive on-site data security assessment.

Does my business need to comply?

Anyone who accepts cards as a form of payment must comply with PCI requirements. This covers both debit and credit cards, and both online and over-the-phone transactions.

What level of compliance is required?

There are four different levels of PCI compliance. The level a business must meet depends on its transaction volume.

For example, an organization that has 6M or more transactions each year must meet PCI DSS Level 1 standards.

PCI DSS level by annual transaction volume:

  • Level 1: 6M+ transactions per year
  • Level 2: 1M-6M transactions per year
  • Level 3: 20K-1M e-commerce transactions per year
  • Level 4: Up to 20K e-commerce transactions per year, or up to 1M transactions per year

*The table is general guidance only. Merchants who have had a breach may be moved to a higher level of compliance.

Is it difficult to comply?

The level of compliance your business must meet depends on your credit card transaction volume and other criteria.  

PCI DSS compliance includes: 

  • 6 major objectives
  • 12 key requirements
  • 78 base requirements
  • 281 directives
  • 400+ test procedures

Credit card brands can fine merchants for non-compliance.  

How much does compliance cost?

Compliance can be time consuming and expensive.  

For many businesses, achieving and maintaining Level 1 compliance on their own can take a year and cost $50K-$70K or more. A company is considered compliant only if it meets all of the requirements. The cost is lower for smaller businesses.

If you're a very large enterprise and need a PCI DSS assessment, expect to pay $70,000+ in total costs.

- SecurityMetrics

"We only had about three months to fully build our solution out, and Spreedly really helped us get over the hump by allowing us to ensure that data was protected in a PCI compliant way, right out of the box."

- Fattmerchant

Why does PCI compliance cost so much? Even if you have an in-house security team, you still need third-party validation.

Average cost for activities related to becoming PCI DSS compliant:

  • Onsite audit
  • Vulnerability scans
  • Penetration testing
  • Training & policy development
  • Remediation (software & hardware updates)

Average cost: $10,000 - $500,000

Is there a way to make compliance easier?

By using a service like Spreedly, you could qualify for the simpler four-page SAQ instead of the rigorous 40-page SAQ A-EP. Spreedly is PCI Level 1 compliant, the highest and strictest level.

Some solutions may claim that their “drop-in” credit card widget exempts you from worrying about PCI compliance. But even if you use a third party to handle the collection, processing and storage of protected cardholder data, you must still complete the necessary certification process.

Third-party solutions allow you to be PCI compliant with much less effort and expense than if you were processing and storing the card data yourself, but you still have to certify each year. Companies like Spreedly can help reduce your PCI compliance burden, but no one can eliminate it entirely.

Spreedly does the hard work for you, ensuring that sensitive card data never touches your servers. This takes much of the burden of compliance off your shoulders. Our card data collection tools capture card details while minimizing your PCI compliance scope.

"There's a lot of compliance and security issues that come along with taking payments. That's actually a big reason why we came to Spreedly."

- HealPay

Where can I get more information?

The PCI compliance guidelines and their interpretations are constantly evolving. We regularly blog about PCI developments, so check back often; some relevant posts are included below:

For additional information, including copies of the PCI compliance guidelines, explanatory background materials, downloadable SAQ forms and general instructions and guidelines, please visit the PCI Security Standards Council’s Documents Library.

You can view Spreedly's PCI compliance documents here:

"We’ve talked to companies that have been forced to pull off this seamless checkout experience on their own and it’s been really great for us to find a partner who deals with the security and the regulations and the scrutiny that PCI compliance involves, and allows us to be more focused on building the consumer front end and be faster and more iterative."

- Russell D'Souza, Co-Founder of SeatGeek

"Extremely clear documentation and awesome testing environment. It took me literally 20 minutes to test everything."

- Mathias Fonseca

"Spreedly has allowed us to keep our development time focused on improving our platform."

- Peter Moody

"Leaning on Spreedly's technology is going to allow you to get to market faster."

- Justin Wheeler

"Cabify is a global business, working with different gateways. In this scenario, the fact of being informed about their behaviour is key, as minimal issues could lead to a severe economic impact."

- Armando Rivas

"There's a lot of compliance and security issues that come along with taking payments. That's actually a big reason why we came to Spreedly."

- Lance Carlson

Hundreds of Happy Customers

See why 500+ innovative companies use Spreedly to orchestrate their payments.