Do You Need to be PCI Compliant if Using a Payment Gateway?

Some entities needing to attain PCI compliance may have to meet more than 300 security controls listed in the PCI DSS. If that sounds daunting, the PCI Council has 1,800+ pages of documentation relating to the PCI DSS, which equates to around three days of solid reading!

One way around spending goodness-knows-how-many worker hours reading, reading, reading is to employ the services of a payment gateway, an external e-commerce business that handles and authorises the processing of credit card payments.

However, a payment gateway doesn't relieve an entity of showing PCI compliance. What it does is greatly reduce the number of security controls from 300-odd to around 20. They do this by ensuring the credit card data processed by a business is handled off-site.

The payment gateway service is integrated into an entity's website and takes control of the credit card data the moment it is entered, so it never reaches a website's servers. This ensures that the website is removed from many of the PCI compliance security controls.

SecAlerts uses Stripe and their site has a page dedicated to PCI compliance and what Stripe can do to assist a business. This is usually via a Self-Assessment Questionnaire (SAQ) - there are several - that have been created by the PCI Council. In some cases, Stripe even fills in the details of the SAQ and it's a simple case of downloading the ready-to-use form.

So, in short ... yes, you still need to show PCI compliance if using a payment gateway, but the pain is greatly reduced.