Can Your Payment Provider Take Care of PCI Compliance for You?

We've seen advice in the marketplace suggesting that merchants don't need to worry about PCI compliance as long as sensitive credit card data is encrypted. If that advice comes from a payment provider that lets you host or operate your own payment page, it is incorrect at best and misleading at worst. Encrypting card data can reduce the scope of your assessment, but it does not remove your obligation to validate, and any system that can decrypt the data, or that handles it before it is encrypted, remains in scope. Sometimes, in the fine print, providers say that you must produce compliance documentation on demand, while telling you in large letters that they've got you covered. Be suspicious of any provider that says you don't need to be concerned about PCI compliance. The truth is that every merchant that accepts credit cards needs to be compliant, and needs to validate that compliance.

According to the PCI Security Standards Council, the Self-Assessment Questionnaire (SAQ) is the form most merchants complete to show that the applicable security requirements are in place. The SAQ forms are published on the PCI SSC website; which one applies depends on how you accept and handle card data, and a provider's hosted or tokenized payment tools generally qualify a merchant for one of the shorter SAQs (such as SAQ A for fully outsourced e-commerce). Every merchant that is eligible to self-assess must complete one. Submitting the SAQ, along with any scans your SAQ type requires, is the final step that validates your compliance (PCI DSS compliance is validated, not "certified").

It's true that tools like Braintree's transparent redirect, client-side encryption and vault bring you 90% or more of the way towards compliance: the browser posts card data directly to Braintree, or encrypts it before it reaches you, and Braintree stores it, so your own systems never handle cardholder data in the clear. That shrinks your assessment scope dramatically and eliminates the vast majority of the PCI compliance burden you would otherwise face, which is why they're vital tools. But reducing scope is not the same as validating. Every merchant that validates by self-assessment (levels 2 through 4 under the card brands' programs; level 1 merchants require an on-site assessment instead) still needs to fill out the SAQ that matches its environment, even when the payment provider is encrypting and storing the payment information. Depending on your merchant level and SAQ type, there are additional validation requirements, such as quarterly external vulnerability scans by a PCI-approved scanning vendor (ASV) and an annual attestation of compliance.

If a company isn't PCI compliant, it risks hefty penalties: fines from the card brands, passed down through its acquiring bank, and in the worst case the loss of its ability to accept cards at all, on top of the investigation costs that follow if card data is compromised. These financial and operational consequences can disrupt a business, and they're what we help merchants avoid.

For some merchants, their business model or transaction volume doesn't qualify them to prove compliance through an SAQ. The PCI Security Standards Council requires these merchants to validate their compliance through an assessment by a Qualified Security Assessor (QSA). Engaging a QSA typically costs anywhere from $100 to $1,000 for a lighter-touch review, while a full QSA assessment can cost tens of thousands of dollars and is quite time-consuming to prepare for on your own. Because of this, we don't want you to have to navigate it alone. Instead, Braintree partners with a QSA at no cost to you. The QSA will help you fill out, submit, and file everything you need. We want to make it as convenient as possible.

We're here to help. If you have any questions about PCI compliance, SAQs or QSAs, just let us know. We'd love to hear from you.

***
Katrina Hodges was previously an Account Manager at Braintree.