Compliance

Industry & Regulatory Compliance

Tyler is committed to providing online security and maintaining compliance with both industry and regulatory standards.

The Payment Card Industry (PCI) Data Security Standard (DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. Tyler Technologies completes an annual PCI DSS assessment using an approved Qualified Security Assessor (QSA).

Payment Card Industry Data Security Standard (PCI DSS) FAQs

What is PCI and how does it apply to my organization?

The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). Most small organizations are eligible to fill out Self-Assessment Questionnaires (SAQs). These SAQs and other relevant documents can be found in the official PCI Document Library.

Since Tyler Technologies is compliant, is there anything that my organization needs to do to maintain its compliance?

Yes. A common misconception is that because a third-party service provider delivers a PCI-compliant service, the organization using that service is automatically compliant with the PCI data security standards. Though Tyler maintains PCI compliance for its payment applications, PCI DSS applies to all entities involved in payment card processing. However, by using Tyler as a third-party service provider, your organization greatly reduces the number of PCI DSS requirements it is subject to for that specific part of its business.

Are organizations using third-party processors required to be PCI DSS Compliant?

Yes. Simply using a third-party processor does not mean that your organization is compliant. Using a third party may reduce your risk exposure, thereby reducing the effort needed to validate compliance against the PCI DSS.

Who do I need to submit my compliance documentation to?

There is a lot of misleading information available regarding this question. The PCI Council does not require you to submit documentation directly to the council; it leaves enforcement of the PCI DSS to the acquiring bank(s) and card brands. In short, any compliance documentation completed by your organization should be kept on file and submitted to your organization's acquiring bank (or merchant account manager) when requested.

Where can I find PCI DSS documentation?

All PCI DSS documentation should be retrieved directly from the official PCI Security Standards Council website. The Document Library contains all relevant information and documentation needed to correctly assess which portion of the PCI Standard your organization is responsible for.

My organization has multiple locations; is each location required to validate its PCI compliance?

Typically, your organization is only required to validate once annually for all business locations. There are some special circumstances that would require separate validation for each location, for example, using a different credit card processor at each location.

My organization does not store credit card data, so PCI compliance doesn't apply to us, right?

Accepting credit or debit cards at your business (or e-business) automatically makes you subject to PCI requirements. Since your organization does not store credit card data, your compliance requirements will likely be reduced.

What are the penalties for non-compliance?

Different payment brands (Visa, MasterCard, American Express, etc.) set fines on an acquiring bank at their discretion. Acquiring banks typically pass this fine along until it reaches the merchant. In addition, the acquiring bank can increase transaction fees or terminate its relationship with your organization if it is found to be non-compliant. The payment brands can also restrict your ability to accept their brand of payment card.

What if my organization refuses to comply or cooperate with the PCI DSS standards?

PCI DSS is not a law; it is a data security standard created by the major card brands to help mitigate the risks of handling credit card data. Merchants that refuse to comply with the PCI DSS may be subject to fines, data breach investigation costs, brand damage, or other costs related to investigating and preventing further damage.

Can Tyler help me fill out my PCI compliance documents?

There are many moving pieces to PCI compliance. Tyler may be one of many third-party providers that your organization uses to accept payments. As one of potentially multiple third-party service providers to your organization, we cannot readily assess or answer questions about your exact PCI requirements. We can offer our own PCI Attestation of Compliance (AoC) as evidence that Tyler maintains compliance with the PCI DSS. In most cases, our AoC is all that you need to provide to a PCI auditor to show that your Tyler-based applications are PCI DSS compliant.