PCI DSS Compliance

Ease your PCI compliance burden by outsourcing your checkout.

The Short Version

We are proud to be fully PCI DSS compliant and registered with Visa's Global Registry of Service Providers and MasterCard's Compliant Service Provider List. We are certified by our security assessors as a Level 1 Service Provider, which is the highest level of PCI compliance and certification. (If needed, here's our proof of compliance.)

The Long Version

If you've been looking at e-commerce or gateway solutions for more than a few minutes, odds are that you've seen references to PCI DSS. Unfortunately, there's significant FUD (Fear, Uncertainty, Doubt/Deception) being propagated about PCI, so it's hard to get a clear handle on what it is and what it means to you. We've put together an easy-to-understand primer on PCI compliance that is probably your best bet for understanding more about PCI.

Why PCI Matters to You

Though many merchants refuse to acknowledge it, PCI is something that all merchants with a merchant account must comply with. You may be able to ignore security for the life of your business with no ill consequences, but we don't advise it: if you do have a security breach, it could cause serious financial problems as well as tremendous customer ill-will.

So what to do? Luckily, if you use FoxyCart your compliance burden may decrease significantly, from hundreds of requirements to a handful. This isn't to say that FoxyCart is the only way to reduce your burden, but if FoxyCart doesn't meet your needs we strongly urge you to go with another hosted solution that will decrease your compliance burden. True PCI compliance can take thousands of man-hours and significant resources (trust us, we know), so it's better to outsource your risk than pretend PCI doesn't apply to you. Because if you're accepting credit cards online, it probably does.

Please see our beginner's guide to PCI compliance on our wiki. We're big on educating our users, so please let us know what you think of the guide.

Free eBook

Click here to download our free eBook PCI Compliance: The Skinny. The Mini. The FUD.

What PCI Is Not: Scanning

One of the biggest misconceptions about PCI (which, unfortunately, is promoted by unscrupulous or clueless merchant account providers and gateways) is that PCI compliance is simply a matter of paying a monthly or quarterly fee for scanning. Nothing could be further from the truth, and this tactic is an unfortunate side effect of PCI being both mandatory and poorly understood by the average merchant.

Though certain levels of PCI compliance do require security scans from an ASV (Approved Scanning Vendor), that is but one of 200+ requirements, and anybody claiming that you need only pay a fee to become compliant is likely mistaken. Paying a fee cannot make you compliant; adhering to the full PCI DSS is how you become compliant.

Please see our guide to easy PCI DSS compliance for more info. We work too hard on PCI compliance to sit back and let people trivialize PCI or miscommunicate it to the hard-working merchants that will be left holding the bag if they get breached.

PA-DSS?

PA-DSS is required for certain payment applications, but because FoxyCart is exclusively available as a hosted solution, we fall under PCI DSS and not PA-DSS.