If you accept credit cards, you have to be PCI compliant. While there are some ways to lean on your payment processor to make compliance easier, you (as the merchant) still remain responsible for those efforts.
How the Right Payment Processor Can Reduce the Burden of Compliance
The right payment processor can dramatically reduce how much work you actually have to do. You’ll still have to make sure your own people and processes are PCI-compliant (and document and report on your efforts), but the right technologies can help you avoid starting from scratch. That can make the difference between a 300-question nightmare and a quick 22-question questionnaire.
Understanding where your responsibility ends and where your processor’s support begins is the key to staying compliant without wasting time, money, or energy.
Your PCI Responsibilities as a Merchant
The Payment Card Industry Data Security Standard (PCI DSS) exists to make sure merchants appropriately protect cardholder data – not just when the customer hands over their card, but for the entire time that data is processed, transmitted, or stored.
As a merchant, you’re responsible for:
- Making sure your people follow secure practices (e.g., no writing down card numbers, no emailing card data)
- Making sure your processes don’t expose cardholder data
- Ensuring your systems are configured correctly
- Choosing reliable vendors who are up-to-date on their own compliance efforts
- Completing and submitting:
  - A Self-Assessment Questionnaire (SAQ), for smaller merchants, or
  - A third-party audit, if over certain thresholds for transaction volume
That submission ultimately goes to your acquirer (your merchant bank), not your processor.
Even if you outsource everything technical, accountability still sits with you.
What Your Payment Processor Does Handle
Your payment processor can:
- Provide PCI-compliant payment infrastructure
- Make recommendations for how you configure it (even if you’re using compliant software, you still make the business decisions on how it’s used; that’s why the responsibility still falls on you as the merchant)
- Tokenize or encrypt credit card data so it never touches your systems (or interacts with your systems in as few places as possible)
- Offer hosted payment pages for your e-commerce environments or secure terminals for your retail stores
- Supply documentation to support your compliance submission
Collectively, this can reduce your PCI scope – which means less work and less stress for your own internal team.
Why This Distinction Matters
Merchants often run into trouble when they assume:
- “We’re compliant because our processor is compliant”
- “No one ever told us to submit anything”
- “We’ve never had a breach, so it must be fine”
Unfortunately, PCI compliance is enforced after something goes wrong – or when fees and penalties start appearing.
Understanding your role upfront helps you avoid non-compliance fees, reduce the risk of a breach, and build a sustainable security program without diverting valuable internal resources away from the rest of their work.
Streamlining Your PCI Compliance Efforts
Your payment processor does not make you PCI compliant. The right processor, however, can serve as a partner for reducing your scope, guiding you through your requirements, and making compliance achievable.
At Curbstone, we’ve helped hundreds of merchants simplify the PCI compliance process. With easy-to-use tools for processing e-commerce, mail order/phone order, and retail/EMV payments, you get secure, integrated options for all the ways you do business.
Ready to take the first step towards better payments? Contact us today to get started.
