About PCI Compliance
What is PCI Compliance?
PCI compliance is a process used by the Payment Card Industry (Visa, Mastercard, etc.) to ensure merchants handle card information in a safe manner.
You can learn more about PCI compliance from https://www.pcisecuritystandards.org/.
Am I required to be PCI compliant?
You are required to be PCI compliant if:
You accept gifts and/or payments through CDM+
You accept payment by credit card or debit card
ACH payments do not require PCI compliance, though the security practices to meet PCI compliance are valuable for ACH payments as well.
If you do not want to certify your organization's PCI compliance you can elect to pay a monthly PCI non-compliance fee of $45.00.
You can also stop accepting card payments. Contact CDM+ support to remove card payments from your merchant account.
How does this benefit me?
PCI compliance might seem like a daunting task, but for the majority of clients this is a simple process that helps to ensure the safety of your givers'/payers' financial information.
PCI compliance is not validated or submitted to any government agency, but it can be valuable during an audit or in the unfortunate case of a lawsuit against your organization relating to credit card fraud or a data breach.
PCI compliance can also give you a framework for routinely reviewing your security practices.
Doesn't Suran handle PCI compliance?
There are various levels of PCI compliance. Suran Systems, Inc. is PCI compliant as a payment application (PA-DSS). Our payment processor, Paragon Payment Solutions, is PCI compliant as a payment processor.
Your organization is also required to be PCI compliant as a merchant, even if you don't handle sensitive cardholder data directly.
Entity | Role | Exposure
---|---|---
You | Merchant | Provides a mechanism (CDM+) for givers/payers to transfer funds to you via a payment processor (Paragon)
Suran | Payment Application | Transmits (but does not store) cardholder data to the payment processor
Paragon | Payment Processor | Stores and transmits cardholder data to the card brands (Visa/Mastercard, etc.)
Even if you qualify for the simplest level of PCI compliance—as most CDM+ clients do—you are still required to certify that you have performed your due diligence in selecting providers and that you follow best practices for keeping card data safe.
You can reference the following documents for Suran's and Paragon's PCI compliance.
How do I verify PCI compliance?
In general, we recommend you review the PCI DSS to understand PCI compliance. Functionally, merchants who process under 6 million credit card transactions annually need to complete a Self-Assessment Questionnaire, or SAQ. This form is a statement that your organization follows the best practices defined by the payment card industry.
Suran's payment processor, Paragon Payment Solutions, has partnered with a company called Security Metrics to help you with this process. There are two steps:
Determine which SAQ applies to you (a process called scoping)
Complete your SAQ
You can reach out to Security Metrics directly at (801) 705-5700, and they can assist you with your SAQ.
Please note the PCI Security Standards Council implemented a significant update to the PCI DSS effective April 1, 2024. If you have not yet renewed your PCI compliance for 2024, we strongly advise you to refer to information you received from Security Metrics regarding this important update. See https://www.securitymetrics.com/learn/pci-dss-version-4-0 for an overview of these changes.
We legally cannot provide you with any answers to the questions on your SAQ. You must answer the questions to the best of your knowledge.
We recommend you consult your organization’s legal counsel if you need assistance answering these questions.