PCI Shared Responsibility Model

Understand the PCI Shared Responsibility Model: How Cloud Depot, our payment partners, and your business work together to ensure total payment security and compliance.

The PCI Shared Responsibility Model

PCI DSS (Payment Card Industry Data Security Standard) compliance is not a "plug-and-play" solution. Because security is only as strong as the weakest link, compliance is shared between Cloud Depot (the Service Provider), our Payment Gateways (the Processors), and You (the Merchant/Customer).

1. Our Responsibility (Cloud Depot)

As a PCI Level 2 SAQ-D Service Provider, Cloud Depot is responsible for the "secure middleware". Our duties include:

  • Secure Transmission: Ensuring all data sent between your systems and the payment gateways is encrypted via TLS 1.2+.

  • Tokenization Management: Ensuring that raw credit card data is never stored on our local servers and is instead exchanged for secure "tokens."

  • Infrastructure Hardening: Maintaining a secure network environment, performing monthly vulnerability scans (via Qualys), and completing quarterly attestations of compliance.

  • Vetted Integrations: Only allowing integrations with PCI Level 1 certified payment processors.

2. The Gateway's Responsibility (WorldPay, GoCardless, Stripe, etc.)

Your chosen payment gateway sits at the highest level of compliance (Level 1). Their responsibilities include:

  • Data Vaulting: Securely storing the actual credit card numbers and CVV codes in high-security data vaults.

  • Transaction Processing: Clearing the funds with the acquiring banks.

  • Fraud Detection: Providing tools to identify and block suspicious payment attempts.

3. Your Responsibility (The Customer)

Even though Cloud Depot does the "heavy lifting," you still have a responsibility to maintain security within your own business environment. This typically includes:

  • Access Control: Ensuring only authorized members of your staff have login access to your Cloud Depot and Accounting portals.

  • Secure Handling: Never writing down customer credit card numbers on paper or storing them in "Description" fields or "Internal Notes" within Autotask or Xero.

  • Network Security: Ensuring the computers your staff use to access Cloud Depot are free of malware and are updated with the latest security patches.

  • Compliance Reporting: Depending on your transaction volume, you may still be required to complete your own annual Self-Assessment Questionnaire (usually SAQ-A or SAQ-A-EP) for your bank.


Why the Shared Model Works

By dividing responsibilities, we significantly reduce your "Compliance Surface Area." Because Cloud Depot and your Gateway handle the most sensitive data-protection tasks, the requirements you have to meet to be "compliant" are much simpler than if you were trying to process cards directly on your own website.

Key Takeaway: We secure the pipes and the vault; you ensure that the people you give the keys to are trained and that your local workstations are secure.