
PCI Compliance - Service Provider vs Merchant



We will be providing a service to a client, where the end user logged on to our system can submit their payment information to Authorize.Net.


I need help figuring out if we as a service provider need to be PCI Compliant.


We will either select the Accept Hosted option or the Accept.js option (SAQ A or SAQ A-EP solutions).


But I also found out here that PCI validation requirements depend on the number of transactions as well, so does that fall on the merchant (the client) or on us as the service provider?


We will just route the payment information to Authorize.Net, and we will only keep the last four digits of the card number/bank account and the transaction ID, if available.


So my question really is whether:

1. Only we need to be PCI Compliant

2. Only the merchant needs to be PCI Compliant

3. We both need to get the same level of compliance

4. We will need to get different levels of compliance


I couldn't really find anything that differentiates Service Providers and Merchants, so I'm not sure what needs to be done in this case.


Note: We will use the merchant-provided credentials when making calls to the Authorize.Net API.