Chargebee - PCI DSS Compliance

About PCI DSS Compliance

Payment Card Industry Data Security Standard (PCI DSS) is a framework administered by the PCI Security Standards Council ( PCI SSC) to help secure and protect all payment card account data. Compliance to this standard demonstrates a commitment to protecting sensitive customer information, fostering trust and credibility within the financial ecosystem.

PCI DSS applies to all entities that store, process or transmit cardholder data (CHD) or sensitive authentication data (SAD), including merchants, payment processors, acquirers, issuers, and service providers or any other entity within the payment card ecosystem.

Overview of PCI DSS Requirements

PCI DSS provides a baseline of technical and operational requirements grouped under 12 requirements to meet the below objectives :

PCI DSS High Level Overview ( PCI DSS V4.0)
Objectives Requirements
Build and Maintain a Secure Network and Systems 1. Install and maintain network security controls
2. Apply secure configurations to all system components
Protect Account Data 3. Protect stored account data
4. Protect cardholder data with strong cryptography during transmission over open, public networks
Maintain a Vulnerability Management Program 5. Protect all systems and networks from malicious software
6. Develop and maintain secure systems and software
Implement Strong Access Control Measures 7. Restrict access to system components and cardholder data by business need to know
8. Identify users and authenticate access to system components
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks 10. Log and monitor all access to system components and cardholder data
11. Test security of systems and networks regularly
Maintain an Information Security Policy 12. Support information security with organizational policies and programs

How to get PCI DSS Compliant

The level of compliance against PCI DSS is dependent on the specifics of your business operations and the requirements of your merchant bank. When aiming for PCI compliance, businesses must first determine the applicable PCI level based on factors such as nature of business , methods of handling card data , transaction volume. Understanding these criteria is essential for tailoring compliance efforts effectively.

There are four levels of PCI compliance determined by the volume of credit card transactions your business processes during a 12-month period. These levels and criteria are directed by Payment Card Issuers such as VISA , Mastercard, American Express.

Level Transaction Volume Requirement
Level 1

Merchants with over 6 million transactions a year, across all channels.

  • Annual Report of Compliance by QSA or Internal Auditor (ROC)
  • Attestation of Compliance Form (AOC)
Level 2

Merchants with between 1 million and 6 million transactions annually, across all channels.

  • Annual self-assessment questionnaire (SAQ)
  • Attestation of Compliance Form (AOC)
Level 3

Merchants with between 20,000 and 1 million online transactions annually.

  • Annual self-assessment questionnaire (SAQ)
  • Attestation of Compliance Form (AOC)
Level 4

Merchants with fewer than 20,000 online transactions annually or any merchant that processes up to 1 million regular transactions per year.

  • Annual self-assessment questionnaire (SAQ) or alternative validation exercise as defined by Acquirer

Types of SAQ

If your PCI Compliance status falls within levels 2 to 4, your chosen payment integration method determines the specific SAQ type you'll need to complete. SAQs are categorized (A, B, C, D) based on how you handle card information. Let's explore SAQ types pertinent to businesses primarily handled by SaaS and eCommerce businesses -

SAQ Type Applies to
SAQ A

Card-not-present merchants (e-commerce or mail/telephone-order) that completely outsource all account data functions to PCI DSS validated and compliant third parties. No electronic storage, processing, or transmission of account data on their systems or premises. Not applicable to face-to-face channels. Not applicable to service providers.

SAQ A- EP

E-commerce merchants that partially outsource payment processing to PCI DSS validated and compliant third parties, and with a website(s) that does not itself receive account data but which does affect the security of the payment transaction and/or the integrity of the page that accepts the customer’s account data. No electronic storage, processing, or transmission of account data on the merchant’s systems or premises. Applicable only to e-commerce channels. Not applicable to service providers.

SAQ D

All merchants/service Providers not included in descriptions for the above SAQ types.

Chargebee and PCI DSS Compliance

Chargebee Billing Platform is a service provider for subscription and recurring billing solutions for companies worldwide and allows merchants to process online payments for subscription services on a recurring basis.

Chargebee is a PCI-DSS Level 1 Service Provider and certified as compliant with the Payment Card Industry Data Security Standard (PCI DSS) v4.0.

PCI Responsibility Matrix

PCI Responsibility Matrix provides a comprehensive overview of the PCI DSS requirements and allocates the responsibility for each control between Chargebee and our merchants depending on the way they use Chargebee.

To read more about the PCI responsibility matrix covering Chargebee and its merchants, please click here.

PCI compliance for merchants

PCI DSS applies to any merchant that stores, processes or transmits cardholder data (CHD). Chargebee’s PCI DSS Compliant platform supports in reducing the footprint of card data in your environment based on the Chargebee integration you choose. For comprehensive insights into PCI compliance recommendations across our integration offerings, please refer to our Help Docs.

FAQ

Q - What level and version of PCI Compliance does Chargebee hold ?

A - Chargebee is a PCI-DSS Level 1 Service Provider and is certified against the Payment Card Industry Data Security Standard (PCI DSS) v4.0

Q - Where Do I access the PCI SAQ Forms?

A - You can Download the SAQ forms directly from the official PCI site.

Q - Do I need to be PCI Compliant if I use Chargebee ?

A - PCI DSS applies to any merchant that stores, processes or transmits cardholder data (CHD). Please refer to the Help Docs to understand the PCI compliance recommendation based on the integration method you choose with Chargebee.

Q - How does Chargebee support PCI Compliance?

A - Chargebee offers its PCI DSS Compliant platform to reduce the footprint of card data in your environment (based on the Chargebee integration you choose). Chargebee, being a PCI DSS Level 1 compliant solution, supports the customers in meeting their PCI Compliance requirements effortlessly. For more information , we recommend you to contact your merchant bank account provider.

The above information is provided solely for informational purposes. We strongly recommend that you visit PCI DSS official website to determine the compliance level and SAQ that apply to your business.

Subscribe to the best subscription and revenue growth news, trends, and insights delivered straight to your inbox.