What is PCI and how does it apply to my organization?
The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect payment account data. PCI DSS applies to all entities involved in payment card processing — including, but not limited to, merchants, processors, acquirers, issuers, and service providers. In short, PCI DSS applies to all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). Most small organizations are eligible to fill out Self-Assessment Questionnaires (SAQs). These SAQs and other relevant documents can be found in the official PCI Document Library.

Since Tyler Technologies is compliant, is there anything that my organization needs to do to maintain its compliance?
Yes. A common misconception is that since a third-party servicer provides a PCI compliant service, the organization that contracts with them is automatically compliant with PCI data security standards. Though Tyler maintains PCI compliance for its payment applications, PCI applies to all entities involved in payment card processing. However, by using Tyler as a third-party service provider your organization greatly reduces the number of PCI requirements your organization is subject to comply with in relation to that specific part of your business. This is due to the architecture of Tyler’s payment applications.

Are organizations using third-party processors required to be PCI DSS Compliant?
Yes. Simply using a third-party processor does not mean your organization is compliant. Using a third-party processor may reduce your risk exposure thus reducing the efforts required to validate compliance against PCI standards.

Who do I need to submit my compliance documentation to?
Merchants submit compliance documents to the payment processor also known as the acquirer. Each acquirer has their own compliance programs and they will inform a merchant when the documentation is needed. If you are configured as a sub-merchant in a payment facilitator model, you will submit your compliance documents to the primary merchant, which would be Tyler Technologies. Tyler will communicate to you pertinent information about the compliance process. The PCI Security Standards Council does not track merchant or service provider compliance with the PCI DSS standards so you will never submit compliance documents to them. In either case, all merchants or sub-merchants must follow the PCI compliance validation process even when not required to submit documentation. Contact your acquirer or payment facilitator for details on what is expected.

Where can I find PCI DSS documentation? 
All PCI DSS documentation should be retrieved directly from the official PCI Security Standards Council website. The Document Library, found under the “Resources” tab, contains all relevant information and documentation to perform an assessment of what compliance requirements are necessary for your organization.

My organization has multiple locations. Is each location required to validate its PCI compliance?
Compliance is directly tied to the payment flows for each acquirer and must cover all locations that use that acquier. Typically your organization is only required to validate once annually for all business locations. There are some special circumstances that would require additional validation for specific locations. For example, using different acquirers for that location.

My organization does not store credit card data so PCI compliance doesn't apply to us, right?
Accepting credit or debit cards in connection with your business (or e-business) automatically subjects you to PCI requirements. Since your organization does not store credit card data, your compliance requirements will be reduced, but not entirely eliminated.

What are the penalties for non-compliance?
Different payment brands (Visa, MasterCard, American Express, etc.) set fines and they communicate to the acquiring bank to impose fines on a specific merchant at their discretion. In addition to non-compliance fees, the acquirer or payment brand can increase transaction fees or terminate their relationship with your organization if the situation is determined to be egregious.

What if my organization refuses to comply or cooperate with the PCI DSS standards?
PCI DSS is not a law, but an industry standard created by the major card brands to help mitigate the risks in dealing with payment card data. Merchants that refuse or fail to comply with the PCI DSS may be subject to fines, data breach investigation costs, brand damage, or other costs that relate to investigation/prevention of further damage. More significantly, failure to be compliant with the PCI DSS may result in termination of your ability to continue processing payments.

Can Tyler help me complete my PCI compliance documents?
As a service provider, Tyler will provide you with information pertaining to the payment services you have subscribed to and the PCI DSS requirements we are fulfilling on your behalf. However, we cannot act as a PCI assessor who would review your entire environment and any other credit card acceptance processes you have with other service providers. Accordingly, we are limited in providing support to you in completing PCI compliance documents. There are many moving pieces to PCI compliance. Tyler may be one of many third-party providers your organization uses to accept payments. As one of potentially multiple third-party service providers to your organization we cannot readily assess or answer questions about your exact PCI requirements. We can offer our PCI Attestation of Compliance (AoC) as evidence that Tyler maintains compliance with the PCI DSS. In most cases, Tyler’s AoC is all you may need to demonstrate to a PCI assessor that the Tyler-based applications you use are PCI DSS complaint. Nonetheless you may still be required to submit a SAQ or respond to a payment facilitator assessment.