PCI-DSS requirements

If you are integrating card services with Toqio, compliance with the Payment Card Industry Data Security Standard (PCI-DSS) is mandatory.

Demonstrating PCI-DSS Compliance

Integrators must demonstrate compliance with PCI-DSS through one of the following assessment levels:

  1. Self-Assessment performed internally by the integrator without a formal certificate.
  2. Self-Assessment conducted by an external entity, accompanied by a formal certificate of compliance.
  3. Official PCI-DSS Assessment conducted by a certified PCI-DSS authority, resulting in an official Attestation of Compliance (AoC).

Compliance Scope

As an integrator, you must meet all applicable PCI-DSS requirements based on how you handle Cardholder Data:

  • Data in Transit and at Rest: If you handle cardholder data both in transit and at rest, you must adhere to all PCI-DSS requirements, including specific criteria related to data storage and transmission.

  • Data in Transit Only: If you handle cardholder data solely in transit (without storing cardholder data in your systems), you must comply with all PCI-DSS requirements except those specifically related to data at rest.

Official Documentation and Resources

For official PCI-DSS documentation, self-assessment questionnaires (SAQs), and additional resources, visit:

Security Audits

Integrators must agree to security audits performed by Toqio under mutually agreed-upon conditions to ensure ongoing compliance.

Annual Risk Assessment

As part of PCI-DSS compliance requirements, integrators must conduct a formal annual risk assessment covering the scope of PCI-DSS. Toqio will request this assessment from you each year as part of ongoing compliance verification.