PCI Compliance
This section covers the Payment Card Industry Data Security Standard compliance and your responsibilities as a third-party developer.
What is PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. For an in-depth guide to what PCI DSS is, how to achieve it for your business, and a compliance checklist, see Everything You Need to Know About Achieving PCI Compliance (opens in a new tab).
Who is responsible
BigCommerce is a PCI DSS compliant service provider and validates all twelve requirements (1-12) (opens in a new tab) annually, including in its role as a shared hosting provider. BigCommerce's PCI DSS Attestation of Compliance (AOC) (opens in a new tab) describes the technology stack that is certified each year.
Merchants can use BigCommerce's PCI DSS AOC to satisfy the portion of their compliance obligations that falls under BigCommerce's responsibility. To learn more about showing proof of compliance, see Showing Compliance (opens in a new tab).
If your application handles credit card data, you must be PCI DSS compliant. Submit your self-assessment questionnaires (SAQs) to compliance@bigcommerce.com.
BigCommerce is responsible for the secure handling of card data while a payment is in transit from the payment request to the payment processor. Merchants, service providers, and other entities involved in payment card processing must never store sensitive authentication data (SAD) after authorization. SAD includes the 3- or 4-digit security code printed on the front or back of a card, the data stored on a card's magnetic stripe or chip (also called "full track data"), and any personal identification number (PIN) entered by the cardholder. As a third-party developer, it is your responsibility to build storefronts and recurring billing apps in a PCI-compliant manner. If your development work affects the flow of sensitive card data, you must maintain PCI DSS compliance as a third-party service provider, validated by an external Qualified Security Assessor (QSA).
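The "never store SAD after authorization" rule above is the one a recurring billing app most often breaks by accident, usually by logging a raw request body or saving a customer note that contains a card number. The following is an added example, not BigCommerce code and not part of the Payments API: it shows the filtering a practitioner would put in front of any persistence layer. It assumes a hypothetical form payload shaped like `PAYLOAD` below (constructed sample data, using a well-known test card number) and an opaque `payment_token` returned by the processor; the field names are assumptions. The PAN masking uses the first-six/last-four limit that PCI DSS permits for display, and the Luhn check catches card numbers pasted into free-text fields.

```python
"""Added example (not BigCommerce's code): keep only what a recurring-billing
app is allowed to persist after authorization.

Assumed (not from the page): the payload field names below and that the
processor hands back an opaque token. Card number is a public test number.
"""
import re

# PCI DSS: sensitive authentication data (SAD) must never be stored after
# authorization: card security code, full magnetic-stripe/chip track data, PIN.
SAD_FIELDS = {"cvv", "cvc", "cvv2", "cid", "track1", "track2", "track_data",
              "pin", "pin_block"}

# Fields (assumed names) that carry the full PAN and must be masked, not stored raw.
PAN_FIELDS = {"pan", "card_number", "number"}

# 13-19 digits, optionally separated by single spaces or dashes, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by card networks; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to the most PCI DSS allows to be displayed: first six and last four."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_text(text: str) -> str:
    """Replace any Luhn-valid card-length digit run in free text (notes, log lines) with a masked PAN."""
    def repl(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)       # order numbers etc. that fail Luhn are left alone
    return PAN_RE.sub(repl, text)


def sanitize_for_storage(payload: dict, payment_token: str) -> dict:
    """Return the record a recurring-billing app may persist: no SAD, masked PAN, token kept."""
    record = {}
    for key, value in payload.items():
        lk = key.lower()
        if lk in SAD_FIELDS:
            continue                                # drop SAD entirely, never even masked
        if lk in PAN_FIELDS:
            record["masked_pan"] = mask_pan(str(value))
            continue
        if isinstance(value, str):
            value = redact_text(value)              # a PAN typed into "notes" is still a PAN
        record[key] = value
    record["payment_token"] = payment_token         # the token, not the card, drives rebilling
    return record


# Constructed sample payload (public test card number, not real cardholder data).
PAYLOAD = {
    "card_number": "4111 1111 1111 1111",
    "exp": "12/28",
    "cvv": "123",
    "cardholder": "Test Cardholder",
    "notes": "customer read card 4111111111111111 over the phone",
}

if __name__ == "__main__":
    print(sanitize_for_storage(PAYLOAD, "tok_example_123"))
```

Run the sanitizer on every path that writes card-related input anywhere (database, queue, log line), not only on the checkout form handler; the free-text redaction is what protects support notes and debug logs, which are the places SAD and full PANs usually end up.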
For information on processing payments, see PCI compliance (Payments API). For general information, including a detailed table of compliance responsibilities, see our article in the Help Center (opens in a new tab).
The way your business consumes the SDKs (either BigCommerce as both storefront and backend, or BigCommerce as backend only) determines which responsibilities BigCommerce takes on. It is possible to use more than one BigCommerce technology stack at the same time; your PCI DSS compliance responsibilities are then the combination of the responsibilities for each stack you consume.
Resources
- Maintaining Payment Security (opens in a new tab)
- Merchant Classification Levels (Visa) (opens in a new tab)
- Merchant Classification Levels (Mastercard) (opens in a new tab)
- Payments API
- Self Assessment Questionnaire (SAQ) Types and Identifying which SAQ is for you (opens in a new tab)