Hi Greg,
That's correct; your company has to be assessed against PCI-DSS.
In PCI-DSS, there are only two levels for Service Providers, and the criteria are straightforward:
Level 1: Service providers that process, transmit and/or store more than 300,000 transactions per year.
Level 2: Service providers that process, transmit and/or store fewer than 300,000 transactions per year.
Different level means different annual validation criteria.
Very important: review the contract with your "PCI-DSS customers"; you should have clauses related to PCI-DSS.
------------------------------
Marco Ricci
Senior Cyber Compliance Manager
------------------------------
Original Message:
Sent: May 27, 2021 02:26:03 PM
From: Greg Collins
Subject: Requirements for having PCI data pass through your system
Thanks Marco,
Is there a sub-level of PCI-DSS Compliance that I could be certified for?
I was considering this against Open Banking, where they have a certification for the data holder i.e. Bank, and another certification for the Data Recipient i.e. a FinTech who might analyse your banking transactions.
------------------------------
Greg Collins
CTO
Original Message:
Sent: May 27, 2021 02:53:39 AM
From: Marco Ricci
Subject: Requirements for having PCI data pass through your system
Hi Greg,
Your company provides a service in scope for PCI-DSS, and your customer should require proof of compliance against PCI-DSS.
Unfortunately, if you are in scope, you have to be compliant. Your customer is probably assessed as a Merchant, but your company has to be assessed as a PCI-DSS Service Provider. To understand the Service Provider level, you need to speak with your customer and QSA.
Without your compliance, even your customers are at risk of non-compliance.
Thanks,
------------------------------
Marco Ricci
Original Message:
Sent: May 27, 2021 12:19:49 AM
From: Greg Collins
Subject: Requirements for having PCI data pass through your system
We are a SaaS company and I have a PCI certified customer that would like to pass us audio calls, where those calls contain credit card information. My firm would remove the PCI information and analyse those calls, providing those insights back to the customer.
A concern has come up because we are not PCI certified, and we will be receiving the data. I'm interested in how other companies have dealt with this. All the PCI information is removed when we receive the data i.e. we never save or store this data.
Is there another way to work with PCI Compliant companies without having to be certified yourself?
------------------------------
Greg Collins
CTO
------------------------------