Zift Merchant PCI Program

What is PCI Compliance?

Major credit card brands such as Visa, MasterCard, and American Express require all merchants that store, process, or transmit cardholder data to be Payment Card Industry Data Security Standard (PCI DSS) compliant. PCI DSS comprises a set of security standards designed to ensure that companies and merchants handling credit card information maintain a secure environment. To achieve compliance, Zift merchants must annually complete the appropriate Self-Assessment Questionnaire (SAQ).

Typically, Zift merchants fall into one or more of the following SAQ categories:

SAQ A

This category applies to Zift merchants that have fully outsourced their card data processing to a validated third-party service or platform, with no electronic storage, processing, or transmission of cardholder data on the merchant’s systems or premises. For example, a Zift merchant that utilizes a third-party marketplace platform for processing through Zift falls under this category.

SAQ A-EP

This category is for Zift e-commerce merchants that outsource all payment processing to a third-party provider, but whose website can impact the security of the payment transaction. For instance, a Zift merchant that maintains their own website but offloads card processing to a third-party platform or service, or directly to Zift, would need to complete SAQ A-EP.

SAQ B-IP

This category covers Zift merchants using stand-alone IP-connected, PTS-approved payment terminals without electronic cardholder data storage. Any Zift merchant using a Zift-provided terminal falls into this category.

Note: Merchants may find that more than one SAQ applies to their processing methods. For example, if a merchant uses a third-party platform or service to process all e-commerce transactions but also has a physical terminal for card-present processing, that merchant will need to complete both SAQ A-EP and SAQ B-IP.

How Do I Become PCI Compliant?

There are three methods for becoming PCI compliant:

1. Enroll in Zift’s Merchant PCI Program

Zift has developed a Merchant PCI program utilizing the Aperia platform to assist merchants in selecting and completing the appropriate Self-Assessment Questionnaire (SAQ). Starting in June 2024, this program will be available to all Zift merchants.

2. Enroll with a Third-Party PCI Program

Merchants can work with any Merchant PCI program vendor to receive assistance in selecting and completing their SAQ. The chosen platform may charge for these services.

3. Directly Download and Complete the Appropriate SAQ

Merchants can download and complete the appropriate SAQ directly from the PCI Security Standards Organization, which publishes the current SAQ documents on its website.

Note: We recommend option 1, as it considers how our merchants process transactions and assists in selecting and pre-filling the appropriate SAQ. Merchants who choose options 2 or 3 will still need to upload evidence of their compliance into the Zift Merchant PCI program portal used in option 1.

Renewing your PCI Compliance

Merchants renewing their PCI certification should evaluate their processing methods to determine if a different or additional SAQ type is needed. For example, if a merchant initially processes only e-commerce transactions but later begins to accept card-present transactions, they will need to add SAQ B-IP to their SAQ A-EP.

When Do I Need to Be PCI Compliant?

Zift merchants have 60 days from their approval or compliance anniversary date to achieve compliance using one of the methods listed above. If a merchant fails to achieve compliance, they may be assessed monthly PCI non-compliance fees until compliance is achieved. Specific questions about PCI compliance or related fees should be directed to support@zift.io.