The information provided in this article is for general informational purposes only and should not be construed as legal advice; for guidance specific to your situation, please consult a qualified professional.
What Is PCI?
PCI stands for Payment Card Industry. When people talk about "PCI" security, they are referring to PCI DSS – the Payment Card Industry Data Security Standard. The PCI DSS is a set of security rules created by the major credit card companies (e.g., Visa, Mastercard, American Express, Discover, etc.) to make sure that when businesses handle credit or debit cards they do so safely. The PCI DSS includes required practices such as using strong passwords, keeping computer systems secure, and making sure card numbers are never stored in unsafe ways.
I use Novi to manage my website and database. Do I still need to worry about PCI compliance?
Yes. Any business that accepts credit or debit card payments, whether online, offline, or managed by third parties, must ensure compliance with the PCI DSS. Your level of compliance, however, will vary depending on your card processing arrangements and volume of transactions annually.
Regardless of which payment processor you use (Novi Pay, Stripe, QuickBooks, etc.), as the merchant accepting credit card payments, your organization remains responsible for ensuring your association meets all PCI compliance requirements.
What are my PCI obligations?
Your association will likely be considered the “merchant” for PCI purposes. PCI recognizes four levels of PCI compliance as it relates to “merchants”:
Level 1: Merchants that process over 6 million card transactions annually.
Level 2: Merchants that process between 1 – 6 million card transactions annually.
Level 3: Merchants that process between 20,000 to 1 million card transactions annually.
Level 4: Merchants that process fewer than 20,000 card transactions annually. (Most Novi customers fall into this range.)
Level 1 merchants have the steepest compliance requirements, including having an independent assessment of their compliance performed by a qualified security assessor as well as independent scans of their network. Levels 2, 3, and 4, on the other hand, typically only require the merchant to complete an annual Self-Assessment Questionnaire (SAQ).
What type of SAQ should I complete?
The type of SAQ your association must complete depends on how you process cardholder data. For example, merchants that only process payments through an online website may be eligible for different SAQ types than merchants that accept cards in person or over the telephone. Similarly, merchants who outsource payment processing to a third party may qualify for shorter SAQs compared to those who store, transmit, or process card data themselves. In short, the method of card acceptance (e.g., online, in person, by phone, or a combination) drives which SAQ applies.
Note: You will need to complete an SAQ for each of your applicable scenarios below.
Your Payment Flow | Typical SAQ | When This Fits | Applicable to Novi? |
Online only but your page loads payment scripts or iFrames before redirecting. | SAQ A-EP | Your website helps build the payment page, so a few more controls apply. | This applies to all Novi hosted websites. |
Phone orders keyed into a third-party virtual terminal on a PC. | SAQ C-VT | Card data is typed, but only into the processor’s page. | If you allow your staff to receive credit card payments over the phone, this will apply. |
Stand-alone, IP-connected tap-to-pay terminals that encrypt data. | SAQ B-IP | Terminals talk directly to the processor. Your network never sees the card numbers. | This doesn’t apply to your Novi site or database, but may apply to your practices. |
Anything more complex (e.g., storing card numbers, integrated POS, etc). | SAQ D (Merchant) | This is the catch-all form that covers any scenario not listed above. For example, if you collect or store card information in a PDF or any type of document, this will apply. | This doesn’t apply to your Novi site or database, but may apply to your practices. |
What Should I Do Next?
Map every way you take cards: Ensure to capture web, events, phone, etc.
Determine Your SAQ Type: Based on your payment processing methods, identify the correct SAQ for your organization.
Complete the Relevant SAQ(s): Fill out the appropriate SAQ(s) to validate your PCI compliance. You can do this yourself or with the assistance of a vendor or professional.
Submit the SAQ if Required: Your bank, payment processor, or card brands may request your completed SAQ as proof of compliance.
Stay Informed: Regularly review updates to PCI DSS and your payment processor’s requirements to ensure ongoing compliance. You can learn more here.
Can Novi help me complete my SAQ?
Yes and no. Novi has a limited view into your association’s handling of credit card payments. We are not present in your office or at every event to determine if your staff is entering payment information directly into PCI compliant online forms or if you are collecting and storing credit card information outside of one of those systems. We’re also not privy to any payment processors you may use outside of our system.
Because of this limited view, we tailor our support to technical questions you may have regarding our portion of your SAQ. We’re happy to answer any technical questions you may have about Novi's PCI Compliance and provide generalized help documentation such as this article. If you have questions about your organization’s overall PCI compliance, we suggest you talk with a qualified security assessor or your attorney.
Additional Frequently Asked Questions
Is Novi PCI compliant?
Yes. Novi does not process any payments directly. Instead, it connects your organization to your chosen payment processor (such as Novi Pay powered by Stripe or QuickBooks Payments). All connections between Novi and these payment processors are fully PCI compliant. This means that Novi never stores your members’ credit card data on its servers. When a payment is processed, Novi immediately transmits the card details to the payment processor, which then tokenizes (encrypts) the information and returns a secure token to Novi for future identification of the card. This process ensures that sensitive cardholder data is never at risk on Novi’s systems.
However, Novi being PCI Compliant does not automatically make your organization PCI compliant. As the merchant accepting credit card payments, your organization remains responsible for ensuring your association meets all PCI compliance requirements.
Are my payment processors PCI compliant?
Yes. Both Stripe and QuickBooks are Level 1 compliant. Under the hood, Novi Pay utilizes Stripe as the payment processor.
I receive emails from QuickBooks about Security Metrics – do I need it?
No. If you use QuickBooks to process credit or debit card payments, you may receive emails from QuickBooks about PCI compliance and a company called Security Metrics. Security Metrics is a third-party company that offers services to help organizations meet their PCI compliance requirements. QuickBooks does not require you to use Security Metrics. Instead, QuickBooks asks you to validate your PCI compliance and simply suggests Security Metrics as one option to help with this process.