PCI Compliance


This article covers the basics of PCI compliance, why it matters, and what responsibilities both merchants and service providers, including CivicPlus, have in keeping cardholder data secure. For purposes of this article, the term “Merchant” shall refer to the CivicPlus customer using the CivicPlus Platform to accept and process payments through the embedded Payment Processor.

What is PCI Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements created to ensure that any entity handling credit card data maintains a secure environment. Any organization that accepts, stores, processes, or transmits cardholder data must comply with PCI DSS and is responsible for validating compliance using a Self-Assessment Questionnaire (SAQ) or a Qualified Security Assessor (QSA). All entities that accept card payments must meet the applicable PCI requirements, which can vary depending on the solutions they use (for example, if payments are processed online through CivicPlus).

Why PCI Compliance Matters

  • Protects cardholder data from theft or misuse.

  • Reduces the risk of financial penalties, reputational harm, and costly data breaches.

  • Required by the card networks (such as Visa or Mastercard) for all businesses accepting payments.

Maintaining overall PCI compliance is a shared responsibility between CivicPlus, the embedded Payment Processor, and the Merchant.

Merchant Responsibilities

  • Maintain secure systems and networks.

  • Ensure any vendors, payment gateways, or software partners also meet PCI requirements.

  • Complete the appropriate SAQ or undergo a formal PCI assessment depending on transaction volume and risk profile.

Each Merchant is independently responsible for ensuring that its own systems, vendors, and operations comply with PCI DSS, as well as the Payment Processor’s Processing Terms and Conditions. Based on the Merchant’s transaction volume, CivicPlus may require proof of compliance. Please see the PCI Security Standards Council resources for merchants.

CivicPlus Responsibilities

CivicPlus validates PCI DSS compliance annually for its payment environment. A copy of our Attestation of Compliance (AOC) can be provided upon request, along with a shared responsibility matrix to assist you in completing your SAQ. You can request a copy of the AOC or Shared Responsibility Matrix at any time by submitting a support ticket. When you do so:

  • Include CivicPlus Payments as the product you need the AOC or Shared Responsibility Matrix for.

  • Include the first name, last name, and email address of the person the AOC or Shared Responsibility Matrix should be sent to.

CivicPlus maintains PCI DSS-compliant controls for its payment environment and the system components that facilitate integration with the embedded Payment Processor. CivicPlus does not process, transmit, or store cardholder data. CivicPlus’ PCI validation applies only to the system components and applications it controls and does not extend to Merchant systems or third-party integrations.

External Processing Partners Responsibilities

If you are using an external processor, please reach out to them for more information on PCI compliance. Here are links to our partner processors:

Disclaimer

This information is provided for general educational purposes only and does not constitute legal, regulatory, or security advice. Merchants should consult their Qualified Security Assessor (QSA), legal counsel, or the PCI Security Standards Council for specific compliance guidance.