The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.

Who must be PCI compliant?

If you accept credit cards from your customers, then you must be PCI compliant.

Many payment gateways and online payment processing solutions may claim that their credit card widget excludes you from worrying about PCI compliance. This is not true. Even if you are using a third party to handle the collection, processing, and storage of protected cardholder data, you must still follow the necessary certification process.

Third party solutions allow you to be PCI compliant with much less effort and expense than if you were processing and storing the card data yourself, but you still have to certify each year. Companies like dLocal can help reduce your PCI compliance burden, but no one can eliminate it entirely.

Proof of PCI Compliance

What is required to prove your PCI compliance is ultimately up to your merchant/acquiring bank, and it depends on several factors, including the number of transactions you process annually. If you process fewer than 6 million transactions per scheme (Visa, MasterCard) per year, you may be able to self-assess by completing one of the PCI DSS Self-Assessment Questionnaire (SAQ); this is a self-assessment tool to assess security for cardholder data.

Generally, however, if you are using dLocal you will rely on our PCI Level 1 status and complete the relevant SAQ.

How do I self-assess?

Performing a PCI compliance self-assessment requires you to complete a questionnaire and, depending on what self-assessment category you fall under, having an outside provider perform a quarterly security scan of your systems.

There are currently eight categories of self-assessment, but not all of these are applicable to online merchants. Your level of PCI scope will ultimately depend on how you capture and work with credit card data. If you are using a third party service like dLocal it is likely that you will be required to fill out either a SAQ A or SAQ D. View the table below for more information:

IF YOUR SYSTEMS	THEN USE	COMPLEXITY
Do not touch, process, or store cardholder data, and do not serve any card collection forms (e.g. you use dLocal’s Smart Fields)	SAQ-A	Lowest
Do touch, process, or store cardholder data	SAQ D	Highest

Where can I find more information?

For additional information, including copies of the PCI compliance guidelines, explanatory background materials, and general instructions and guidelines, please visit the PCI Security Standards Council’s Documents Library. You can find the latest version of the SAQ forms here.