topic PCI Compliance - Service Provider vs Merchant in Integration and Testing https://community.developer.cybersource.com/t5/Integration-and-Testing/PCI-Compliance-Service-Provider-vs-Merchant/m-p/71683#M44164 <P>Hi,</P><P>&nbsp;</P><P>We will be providing a service to a client, where the end user logged on to our system can submit their payment information to Authorize .Net.</P><P>&nbsp;</P><P>I need help figuring out if we as a service provider need to be PCI Compliant.</P><P>&nbsp;</P><P>We will either select the Accept Hosted option or Accept.js option (SAQ A or SAQ A-EP solutions.)</P><P>&nbsp;</P><P>But I also found out here: <A href="https://www.authorize.net/resources/blog/understanding-pci-compliance.html" target="_blank">https://www.authorize.net/resources/blog/understanding-pci-compliance.html</A>, that PCI Valdiation requirements depend on the number of transactions as well, so does that fall on the merchant(the client) or us as service provider?</P><P>&nbsp;</P><P>We will just route the payment information to Authorize .Net, and we will only keep the last four of card number/ bank account and the transaction ID if available.</P><P>&nbsp;</P><P>So my question really is, whether</P><P>1. Only we need to be PCI Compliant</P><P>2. Only the merchant needs to be PCI Compliant</P><P>3. We both need to get the same level of compliance</P><P>4. We will need to get different levels of compliance</P><P>&nbsp;</P><P>I couldn't really find any thing that differentiates Service Providers and Merchants, so not sure what needs to be done in this case.</P><P>&nbsp;</P><P>Note: We will use the Merchant provided credentials while making calls to the Authorize .Net API.</P> Thu, 23 Apr 2020 16:46:35 GMT alimalik 2020-04-23T16:46:35Z PCI Compliance - Service Provider vs Merchant https://community.developer.cybersource.com/t5/Integration-and-Testing/PCI-Compliance-Service-Provider-vs-Merchant/m-p/71683#M44164 <P>Hi,</P><P>&nbsp;</P><P>We will be providing a service to a client, where the end user logged on to our system can submit their payment information to Authorize .Net.</P><P>&nbsp;</P><P>I need help figuring out if we as a service provider need to be PCI Compliant.</P><P>&nbsp;</P><P>We will either select the Accept Hosted option or Accept.js option (SAQ A or SAQ A-EP solutions.)</P><P>&nbsp;</P><P>But I also found out here: <A href="https://www.authorize.net/resources/blog/understanding-pci-compliance.html" target="_blank">https://www.authorize.net/resources/blog/understanding-pci-compliance.html</A>, that PCI Valdiation requirements depend on the number of transactions as well, so does that fall on the merchant(the client) or us as service provider?</P><P>&nbsp;</P><P>We will just route the payment information to Authorize .Net, and we will only keep the last four of card number/ bank account and the transaction ID if available.</P><P>&nbsp;</P><P>So my question really is, whether</P><P>1. Only we need to be PCI Compliant</P><P>2. Only the merchant needs to be PCI Compliant</P><P>3. We both need to get the same level of compliance</P><P>4. We will need to get different levels of compliance</P><P>&nbsp;</P><P>I couldn't really find any thing that differentiates Service Providers and Merchants, so not sure what needs to be done in this case.</P><P>&nbsp;</P><P>Note: We will use the Merchant provided credentials while making calls to the Authorize .Net API.</P> Thu, 23 Apr 2020 16:46:35 GMT https://community.developer.cybersource.com/t5/Integration-and-Testing/PCI-Compliance-Service-Provider-vs-Merchant/m-p/71683#M44164 alimalik 2020-04-23T16:46:35Z