PCI v4.0 Responsibility Matrix
PCI Compliance
Introduction
PCI DSS (the Payment Card Industry Data Security Standard) is a set of 12 security requirements that businesses must meet when accepting credit card payments and transmitting, processing, or storing the related cardholder data. It covers technical controls (such as encrypting cardholder data, managing firewalls, keeping antivirus software up to date, and assigning a unique ID to each person with computer access) as well as internal procedure and policy requirements.
As a merchant receiving credit card payments from your customers, your business must meet these PCI requirements. Part of these requirements is ensuring that your service providers, including Softrip, meet those same requirements where applicable. This applies to both Softrip-hosted clients and self-hosted clients.
Softrip recommends that clients going through PCI compliance efforts consult with their Softrip contact to help in answering relevant questions.
For Self-Hosted clients, see also Softrip technical documentation and recommendations here:
Technical Guides
Attestation of Compliance
See Softrip’s PCI Attestation of Compliance:
Responsibility Matrix
Softrip-Hosted Clients
As a Softrip-hosted client, you will most likely need to fill out PCI DSS SAQ-A.
Requirement | Responsibility | Notes |
--- | --- | --- |
2.2.2 | Softrip, Client | Softrip for hosting servers and workstations; |
3.1.1 | Client | |
3.2.1 | Client | |
6.3.1 | Softrip, Client | Softrip for hosting servers and workstations; |
6.3.3 | Softrip, Client | Softrip for hosting servers and workstations; |
6.4.3 | Softrip | If Client hosts their own payment pages, they are responsible for the security of the web server and scripts. |
8.2.1 | Softrip, Client | Softrip for own staff user accounts; Client for own staff user accounts |
8.2.2 | Softrip, Client | Softrip for own staff user accounts; Client for own staff user accounts |
8.2.5 | Softrip, Client | Softrip for own staff user accounts; Client for own staff user accounts |
8.3.1 | Client | |
8.3.5 | Client | |
8.3.6 | Client | |
8.3.7 | Client | |
8.3.9 | Client | |
9.4.1 | Client | |
9.4.2 | Client | |
9.4.3 | Client | |
9.4.4 | Client | |
9.4.6 | Client | |
11.3.2 | Softrip, Client | Softrip performs penetration tests every quarter on a representative instance. Client is responsible for performing penetration tests on their Softrip instance. |
11.3.2.1 | Softrip, Client | Softrip performs penetration tests every quarter on a representative instance. Client is responsible for performing penetration tests on their Softrip instance. |
11.6.1 | Softrip | |
12.8.1 | Client | |
12.8.2 | Client | |
12.8.3 | Client | |
12.8.4 | Client | |
12.8.5 | Client | |
12.10.1 | Client | |
Self-Hosted Clients
As a Self-hosted client, you will most likely need to fill out PCI DSS SAQ-D for Merchants.
Requirement | Responsibility |
--- | --- |
1.1 | Client |
1.2 | Client |
1.3 | Client |
1.4 | Client |
1.5 | Client |
2.1 | Client |
2.2 | Client |
2.3 | Client |
2.4 | Client |
3.1 | Client |
3.2 | Client |
3.3 | Client |
3.4 | Client |
3.5 | Client |
3.6 | Client |
3.7 | Client |
4.1 | Client |
4.2 | Client |
4.3 | Client |
5.1 | Client |
5.2 | Client |
5.3 | Client |
5.4 | Client |
6.1 | Client |
6.2 | Client |
6.3 | Client |
6.4 | Client |
6.5 | Client |
6.6 | Client |
6.7 | Client |
7.1 | Client |
7.2 | Client |
7.3 | Client |
8.1 | Client |
8.2 | Client |
8.3 | Client |
8.4 | Client |
8.5 | Client |
8.6 | Client |
8.7 | Client |
8.8 | Client |
9.1 | Client |
9.2 | Client |
9.3 | Client |
9.4 | Client |
9.5 | Client |
9.6 | Client |
9.7 | Client |
9.8 | Client |
9.9 | Client |
9.10 | Client |
10.1 | Client |
10.2 | Client |
10.3 | Client |
10.4 | Client |
10.5 | Client |
10.6 | Client |
10.7 | Client |
10.8 | N/A |
10.9 | Client |
11.1 | Client |
11.2 | Client |
11.3 | Client |
11.4 | Client |
11.5 | Client |
11.6 | Client |
12.1 | Client |
12.2 | Client |
12.3 | Client |
12.4 | Client |
12.5 | Client |
12.6 | Client |
12.7 | Client |
12.8 | Client |
12.9 | N/A |
12.10 | Client |
12.11 | Client |
A2.1 | Client |
A2.2 | Client |
A2.3 | Client |