Review These Guidelines
Will your solution capture, process, store, or transmit credit card data? If so, you are obligated to comply with one or more of the payment card industry security standards. The following guidelines will help you determine which standards apply and how you must demonstrate compliance. To determine your compliance obligation, simply review the statements below and place a checkmark next to each item that applies to your solution. If your solution will not enable acceptance of credit cards as a payment type, the payment card industry security standards do not apply and there is no need to complete this section.
Payment Application Data Security Standard (PA-DSS)
My solution will capture, process, store or transmit credit card data.
My solution will be sold or delivered to a customer as "off the shelf" without significant custom development for each customer.
If both statements apply to you then your solution must be validated as PA-DSS compliant by a Payment Application Qualified Security Assessor (PA-QSA) before it can be certified to transact with the Chase Paymentech Platform. Regardless of whether or not your solution requires PA-DSS validation, continue through the next set of questions to determine if you are required to be PCI-DSS compliant.
Payment Card Industry Data Security Standard (PCI DSS)
My solution will be offered as a service that I will host for my customers using their merchant accounts for transactions. Examples of such services could include virtual terminals, gateways, hosted shopping carts, hosted checkout pages, etc.
I plan to administer and manage a hosted (hosted by the customer or third party) instance of my solution on behalf of my customers.
Cardholder data will be transmitted through my solution as part of the capture, authorization or settlement process. If you selected this option, you are considered a PCI DSS Gateway Service Provider which automatically makes you a level 1 Service Provider. See below for more detail.
If any of the above statements apply to you then you are considered a Service Provider under the PCI DSS and you will be required to determine your Service Provider level which, in turn, determines your PCI DSS validation requirements.