PCI Compliance for Level 3 Vendor, Under $20 Million

Discussion in 'Payment Processing' started by johnegood, Oct 18, 2011.

  1. #1
    I researched in the beginning of 2009 that I needed to get PCI compliance testing done. But, I never have.

    As a side story, I tasked my engineering team to take care of it and they spoke to one vendor who talked us into a whole co-marketing thing in which they guaranteed our site and put their bug all over it, guaranteeing that it would improve our conversion rate. It didn't improve the rate at all. They made some changes. No improvement. We insisted on getting our money back. Eventually we did, but only after a huge investment of time and energy. We were so turned off by the experience that we haven't looked at PCI compliance since then.

    But, as a level 3 vendor, under $20 Million in revenue, and I never get the credit cards here (they go right to my vendor), what is my responsibility for PCI compliance? Can anyone point me towards the rules on this?
     
    johnegood, Oct 18, 2011 IP
  2. jollyjollyjolly

    #2
    Your vendor should have a 9 point sheet for you. If you call them, that's the best way. If you don't have recurring payments or onsite cc info and do ccv you should be good. Make them do the work. That's what you are paying them for ;')
     
    jollyjollyjolly, Oct 20, 2011 IP
  3. jestep

    #3
    Can you explain the relationship with your vendor, and/or how you accept cards? Do you control any of the equipment, networks, systems, physical locations, etc. where cardholder data would cross at any time?
     
    jestep, Oct 20, 2011 IP