PCI Compliance

Last updated:

What is PCI?

The PCI DSS (Payment Card Industry Data Security Standard) council was created by the five major networks (Visa, MasterCard, Discover, JCB, and American Express) with the objective to secure cardholder data.  PCI DSS standards ensure that all providers, merchants, platforms, and processors continually secure card and cardholder data commensurate with their size, processes, and providers.  Anyone that stores, processes, or transmits cardholder data is bound by the PCI DSS standards.

The PCI DSS Council has a knowledge base of resources to help determine where you fit in the payment ecosystem and what is required for your business type.  Revolv3 also has internal resources to help you through this process, maintain compliance, or if you are required to have an annual audit, recommend providers.

Revolv3 is PCI Level 1

Revolv3 maintains the highest level of PCI compliance commonly referred to as PCI Level 1.  This level of compliance requires ongoing scans and penetration testing along with an annual audit and on-site visit performed by a QSA (Qualified Security Assessor).  Our most recent audit is available in the AOC on this page or through the AOC link.  

Merchants or platforms using Revolv3 can access our latest AOC on this page that can be used to prove PCI compliant providers for your own audit.    

On March 31st, 2022 Version 4 of the PCI DSS requirements were published.  If you are currently integrated to version (3.2.1), your integration is valid until March 2024, but it’s recommend you begin the work to reach level 4 compliance.  

  • Website refers to Revolv3, Inc., accessible from http://www.revolv3.com.
  • You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.
    Under GDPR (General Data Protection Regulation), You can be referred to as the Data Subject or as the User as you are the individual using the Service.

What level of PCI is right for you?

There are a number of factors that determine a merchant’s required PCI scope, but generally this is graded on the number of transactions processed annually.

  • Level 1:  Merchants that process over 6 million card transactions annually.
  • Level 2:  Merchants that process between 1 and 6 million transactions annually.
  • Level 3:  Merchants that process 20,000 to 1 million transactions annually.
  • Level 4:  Merchants that process fewer than 20,000 transactions annually.

While Level 1 Merchants provide their AOC, merchants outside Level 1 will complete an SAQ annually to attest their compliance.

SAQ Alphabet Soup (Card Not Present only)

  • SAQ A: Applies to Card Not Present merchants that outsource all card processing to PCI compliant vendors.
  • SAQ A-EP: Applies to Card Not Present merchants who’s websites is managed in-house but the card processing is outsourced to PCI compliant vendors.
  • SAQ B: Applies to Card Not Present merchants that control how card data is directed to payment processors but never receive the data themselves.
  • SAQ C-VT: Applies to merchants that process card data in a web-based virtual terminal.  This data would be entered to the virtual terminal manually.
  • SAQ C: Applies to merchants that don’t store cardholder data but have payment applications linked via the internet.
  • SAQ D: Applies to merchants that are not addressed in SAQ A-C

Request AOC Certification

What is PCI?

The PCI DSS (Payment Card Industry Data Security Standard) council was created by the five major networks (Visa, MasterCard, Discover, JCB, and American Express) with the objective to secure cardholder data.  PCI DSS standards ensure that all providers, merchants, platforms, and processors continually secure card and cardholder data commensurate with their size, processes, and providers.  Anyone that stores, processes, or transmits cardholder data is bound by the PCI DSS standards.

The PCI DSS Council has a knowledge base of resources to help determine where you fit in the payment ecosystem and what is required for your business type.  Revolv3 also has internal resources to help you through this process, maintain compliance, or if you are required to have an annual audit, recommend providers.

Revolv3 is PCI Level 1

Revolv3 maintains the highest level of PCI compliance commonly referred to as PCI Level 1.  This level of compliance requires ongoing scans and penetration testing along with an annual audit and on-site visit performed by a QSA (Qualified Security Assessor).  Our most recent audit is available in the AOC on this page or through the AOC link.  

Merchants or platforms using Revolv3 can access our latest AOC on this page that can be used to prove PCI compliant providers for your own audit.    

On March 31st, 2022 Version 4 of the PCI DSS requirements were published.  If you are currently integrated to version (3.2.1), your integration is valid until March 2024, but it’s recommend you begin the work to reach level 4 compliance.  

  • Website refers to Revolv3, Inc., accessible from http://www.revolv3.com.
  • You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.
    Under GDPR (General Data Protection Regulation), You can be referred to as the Data Subject or as the User as you are the individual using the Service.

What level of PCI is right for you?

There are a number of factors that determine a merchant’s required PCI scope, but generally this is graded on the number of transactions processed annually.

  • Level 1:  Merchants that process over 6 million card transactions annually.
  • Level 2:  Merchants that process between 1 and 6 million transactions annually.
  • Level 3:  Merchants that process 20,000 to 1 million transactions annually.
  • Level 4:  Merchants that process fewer than 20,000 transactions annually.

While Level 1 Merchants provide their AOC, merchants outside Level 1 will complete an SAQ annually to attest their compliance.

SAQ Alphabet Soup (Card Not Present only)

  • SAQ A: Applies to Card Not Present merchants that outsource all card processing to PCI compliant vendors.
  • SAQ A-EP: Applies to Card Not Present merchants who’s websites is managed in-house but the card processing is outsourced to PCI compliant vendors.
  • SAQ B: Applies to Card Not Present merchants that control how card data is directed to payment processors but never receive the data themselves.
  • SAQ C-VT: Applies to merchants that process card data in a web-based virtual terminal.  This data would be entered to the virtual terminal manually.
  • SAQ C: Applies to merchants that don’t store cardholder data but have payment applications linked via the internet.
  • SAQ D: Applies to merchants that are not addressed in SAQ A-C

The Visa Global Registry of Service Providers

Get full access to our platform to see how easy it is to configure and manage payments that are optimized for First Pass Approvals

Schedule a demo
arrow-right
Revolv3 - Map