PCI Compliance

Spreedly’s PCI compliance documents

• PCI Attestation of Compliance (issued by Sikich)
• ASV Scan Report Attestation of Compliance issued by Clone Systems
• Spreedly's PCI Responsibility Matrix
• PCI-DSS 4.0 Bridge Letter

What is PCI Compliance?

PCI compliance is a set of rules that merchants must follow to minimize the risk and impact of data breaches. These rules were developed by the major credit card companies. The requirements vary depending on the merchant’s card transaction volume.

Does my business need to comply?

Anyone who accepts cards as a form of payment must comply with PCI requirements.  This includes debit or credit cards, online and over-the-phone transactions.

There are four different levels of PCI compliance. The level a business must meet depends on their transaction volume.

Level 1: 6M+ transactions per year
Level 2: 1M-6M transactions per year
Level 3: 20K-1M e-commerce transactions per year
Level 4: Up to 20K e-commerce transactions per year OR 1M transactions in a year

PCI Compliance For eCommerce Platforms

Is it difficult to comply?

The level of compliance your business must meet depends on your credit card transaction volume and other criteria.

PCI DSS compliance includes:
- 6 major objectives
- 12 key requirements
- 78 base requirements
- 281 directives
- 400+ test procedures

The PCI Compliance Checklist

How much does compliance cost?

Compliance can be time consuming and expensive. For many businesses, it can take a year and up to $50K-$70K or more to achieve and remain in Level 1 compliance on your own. A company is considered compliant only if they meet all of the requirements. The cost is less for smaller businesses.

Average cost for activities related to becoming PCI DSS compliant:
Onsite audit: $40,000
Vulnerability scans: $1,000
Penetration testing: $15,000
Training & policy development: $5,000
Remediation (software & hardware updates): $10,000- $500,000

The Real Cost of PCI Compliance

Is there a way to make compliance easier?

Third party solutions allow you to be PCI compliant with much less effort and expense than if you were processing and storing the card data yourself, but you still have to certify each year. Companies like Spreedly can help reduce your PCI compliance burden, but no one can eliminate it entirely.

Spreedly does the hard work for you, ensuring that sensitive card data never touches your servers. This takes the burden of compliance off of your shoulders. Our card data collection tools capture details while minimizing your PCI compliance scope.

Spreedly is PCI Level 1 compliant, the highest and strictest level. Some solutions may claim that their “drop-in” credit card widget excludes you from worrying about PCI compliance. But, even if you are using a third party to handle the collection, processing and storage of protected cardholder data, you must still follow the necessary certification process.

What's Coming Next With PCI DSS 4.0

Where can I get more information?

For additional information, including copies of the PCI compliance guidelines, explanatory background materials, downloadable SAQ forms and general instructions and guidelines, please visit the PCI Security Standards Council’s Documents Library.