Some entities needing to attain PCI compliance may have to meet more than 300 security controls listed in the PCI DSS. If that sounds daunting, the PCI Council has 1,800+ pages of documentation relating to the PCI DSS, which equates to around three days of solid reading!
One way around spending goodness-knows-how-many worker hours reading, reading, reading is to employ the services of a payment gateway, an external e-commerce business that handles and authorises the processing of credit card payments.
However, a payment gateway doesn't relieve an entity of showing PCI compliance. What it does is greatly reduce the number of security controls from 300-odd to around 20. They do this by ensuring the credit card data processed by a business is handled off-site.
The payment gateway service is integrated into an entity's website and takes control of the credit card data the moment it is entered, so it never reaches a website's servers. This ensures that the website is removed from many of the PCI compliance security controls.
SecAlerts uses Stripe and their site has a page dedicated to PCI compliance and what Stripe can do to assist a business. This is usually via a Self-Assessment Questionnaire (SAQ) - there are several - that have been created by the PCI Council. In some cases, Stripe even fills in the details of the SAQ and it's a simple case of downloading the ready-to-use form.
So, in short ... yes, you still need to show PCI compliance if using a payment gateway, but the pain is greatly reduced.
