Compliance FAQs

What is PCI compliance?

The Payment Card Industry (PCI) Data Security Standard (DSS) was established in 2006 by the major card companies (Visa, Mastercard, American Express, Discover Financial Services, JCB International). All businesses that process, store, or transmit payment card data are required to implement the standard. The goal of PCI compliance is to protect commerce. As you reach compliance with the standard you are armed with a secure foundation to avoid a devastating attack from criminals, which may result in costs associated with loss of business, forensic investigations, credit monitoring, and post-breach audit and security updates.

To learn more about PCI compliance requirements, visit the SecurityMetrics PCI Learning Center.

How do I become PCI compliant?

Anyone who accepts credit card payments must comply with PCI DSS rules. All BlueSnap merchants are required to complete a SAQ (Self-Assessment Questionnaire) to comply with PCI 3.0 regulations.

  • Merchants using our Hosted Payment Fields or our BuyNow pages only need to complete SAQ-A, which is a short and simple questionnaire.
  • Merchants using client-side encryption are required to complete a longer SAQ-A-EP questionnaire.
  • Merchants using the API are evaluated based on their specific configuration.
  • Merchants using our Virtual Terminal must complete SAQ-C-VT.

These forms need to be updated yearly.

Note: If you fill out the SAQ-D form, you are covered for all other SAQ levels.

To get started today, call SecurityMetrics at (800) 557-4797 or enroll now at

How do BlueSnap solutions support PCI compliance?

The SAQ level you need to complete to meet PCI compliance requirements is determined by the BlueSnap solution you select. Refer to this page for more details.

My business is HIPAA compliant – can I use BlueSnap for payment processing?

BlueSnap processes payment transactions through multiple methods, such as credit card, direct debit, or bank transfer. The Department of Health and Human Services has concluded that payment processing activities are considered an exception to the business associate standard under the HIPAA Privacy Rule. Therefore, when providing payment processing activities, BlueSnap is exempt from HIPAA compliance requirements as a business associate.

How does the Wayfair ruling (regarding online sales tax) affect my business?

In June 2018, the U.S. Supreme Court ruled in favor of the state in South Dakota v. Wayfair, Inc. The broad result of this decision is that other states are allowed to tax remote sales. Prior to the ruling, states could only tax sales by businesses that had a physical presence in the state. Now, the economic nexus (economic activity in a state) can result in a sales tax obligation. The economic nexus is based only on sales revenue, transaction volume, or a combination of both.

How is BlueSnap addressing the impacts of the Wayfair ruling?

The impact of the ruling on your business depends on a variety of factors such as the sales revenue, transaction volume, and the state where your sales occur. In addition to the specific state tax laws, the model under which you operate within BlueSnap also has an impact.

Most BlueSnap customers are responsible for collecting taxes themselves. For guidance, please contact a tax specialist. If you are using BlueSnap Merchant of Record (Reseller) model, BlueSnap will be collecting tax on your behalf.

For additional background information, you can refer to this information.

Back to Top