COMPLIANCE
Why Maintain PCI Compliance?
According to the PCI Security Standards Council (PCI SSC), an independent body created by the major card networks in 2006, any business that accepts card payments and transmits, processes and/or stores the related cardholder data must comply with the PCI Data Security Standard (PCI DSS).
PCI DSS consists of 12 requirements, covering things such as protecting stored cardholder data and encrypting it when it is sent over public networks, maintaining firewalls, keeping anti-malware software up to date, and assigning a unique ID to every person with computer access, among others.
Is PCI compliance a law?
The short answer is no: PCI DSS is an industry standard, not a law. It is, however, usually written into your contractual agreement with your acquiring bank, payment processor and partners. If you decide not to be PCI compliant, your systems are compromised and you lose cardholder data, you will likely be liable for the cost of a forensic investigation by an external investigator, face fines for the compromised cards, and your acquiring bank will probably require you to become compliant anyway (with monthly penalties until you do).
Think of PCI compliance as, in large part, a form of insurance that protects you in the event that cardholder data is stolen from you. You can save money by not having it, but you may end up with a very expensive bill if things go wrong. So treat it like any other risk and weigh the cost of compliance against the potential cost of a breach.
And if you decide not to be compliant, you need to make damn sure that you never end up losing cardholder data. One way to achieve this is to keep the data out of your hands altogether by outsourcing its handling to Orchestra.
Read more with our Ultimate Guide to PCI Compliance
Why Outsource to Orchestra?
There are several reasons why it is beneficial for you to outsource your PCI compliance to Orchestra:
Relying on Experts
The team at Orchestra has decades of experience in the PCI compliance industry. Our team knows the ins and outs of compliance, what can and cannot be done, and has built all the functions a business needs to outsource its PCI compliance while still being able to perform every necessary action on the cards.
Mitigating Cost and Risk
Becoming and staying PCI compliant on your own is expensive and risky, especially if you have to store a large number of your customers' cards. By outsourcing to Orchestra, you remove the storage risk (you no longer hold the card details yourself) and reduce your compliance costs by using a simple SaaS service.
Maintaining Compliance is a Breeze
PCI compliance levels are based on transaction volume. The more card transactions you handle per year, the higher the PCI level you fall under, and the higher the level, the more complex and stringent the validation requirements become, up to an annual on-site assessment by a QSA at Level 1.
Additionally, PCI DSS evolves over time. In 2016 the PCI Council updated the standard from 3.1 to 3.2; in May 2018 it released version 3.2.1; and in March 2022 it released version 4.0, which introduced 64 new requirements that organizations must comply with where applicable to their environments, many of them future-dated and only mandatory from 31 March 2025.
Orchestra is validated as a PCI DSS Level 1 service provider, the highest level, and maintains compliance with the latest version of the standard. As of December 2023, before PCI DSS 3.2.1 was retired on 31 March 2024 and well ahead of the 31 March 2025 deadline for the future-dated requirements, Orchestra is assessed against PCI DSS 4.0.
By outsourcing your card handling to Orchestra, the storage, processing and transmission of cardholder data is performed by a Level 1, PCI DSS 4.0-validated service provider instead of by you, which takes those requirements out of your own scope from day one. Your own level is still determined by your transaction volume; what changes is how much of the standard applies to your environment.
If, or rather when, the PCI standard is updated again, you can rest assured that Orchestra will update its systems to match, with little or no involvement from you.
Attesting for PCI Compliance
Compliance Statement of Orchestra
Companies that are validated as PCI compliant receive an Attestation of Compliance (AOC), signed by the Qualified Security Assessor (QSA) that performed the PCI assessment of their business. Please contact our team to request a copy of our most recent AOC (keep in mind that a new AOC is issued each year, usually around December).
What About Me?
Orchestra is not a security assessor and does not scan or audit your system. Once you have outsourced your credit card handling to Orchestra, your systems no longer store, process or transmit the card data themselves, so there is no cardholder data environment of your own to scan, provided your integration with Orchestra keeps it that way.
You document your compliance by completing the Self-Assessment Questionnaire D for Service Providers (SAQ D), marking the requirements that Orchestra fulfils on your behalf as not applicable and listing Orchestra as the third-party service provider to which you have outsourced your credit card processing and handling. This questionnaire, together with Orchestra's AOC, is the documentation you need to demonstrate your PCI compliance.
For more information, and to receive a copy of our whitepaper on SAQ-D for Service Providers, please contact our team.
Where can I find more information?
The PCI guidelines and their interpretations are constantly evolving, and we regularly blog about PCI developments, so check back regularly.
For additional information, including copies of the PCI guidelines, explanatory background materials and general instructions and guidelines, please visit the PCI Security Standards Council’s Documents Library.