PCI Compliance
Last updated: January 11, 2026
💡 FIs that process card payments must validate PCI compliance within 90 days of being onboarded by our card processor by completing a self-assessment questionnaire (SAQ).
Overview
The Payment Card Industry Data Security Standard, also known as PCI-DSS (PCI), is the compliance and security standard created by the Payment Card Industry Security Standards Council (PCI-SSC) that aims to protect cardholder data from theft and reduce instances of credit card fraud. Cardholder data is defined as the Primary Account Number (PAN) alongside any of the following:
Cardholder name
Expiration date
Service code (e.g., PINs, CVVs, etc.)
The PCI-SSC was formed by the leading card brand networks: Visa, MasterCard, Discover, American Express, and JCB International. These card brand networks banded together to create a standard baseline level of protection for buyers and businesses with PCI-DSS.
Note: PCI compliance does not apply to transactions processed through the ACH (Automated Clearing House) network.
Annual PCI Check and Validation
All businesses that store, process, and/or transmit cardholder data are required to complete a form within 90 days of onboarding and then annually thereafter.
How Glide Makes PCI Compliance Easy
Glide's card processor, Finix, is a Level 1 PCI-DSS certified service provider, which is the strictest and highest attainable level of PCI compliance. This significantly reduces an FI's PCI compliance requirements.
Your FI simply needs to complete a Self-Assessment Questionnaire (SAQ) to acknowledge the standards. Completing the SAQ does not require your credit union to achieve PCI Level 1 compliance. Since our credit unions (“merchants”) do not store, process, or transmit cardholder data—all such functions are outsourced—this is a quick and straightforward acknowledgment.
The SAQ on the card dashboard specifically addresses the e-commerce use case (account opening via Glide) and should be completed with respect to the Glide platform.
We simplify this SAQ process by pre-filling the entire form, allowing you to complete it with just a few clicks from the card processor dashboard. The form becomes available for signing after your card processing approval.
FAQ
Could you clarify if Glide should be the one completing this PCI document or the FI?
The FI, as the merchant, is responsible for completing the document. Under PCI DSS rules, a merchant is defined as any entity that accepts payment cards. Even if the FI uses Glide’s system and Finix’s processing, the FI is the "Merchant of Record" because the funds ultimately flow to the FI. The merchant is responsible for ensuring they have outsourced their processing to compliant partners.
Why are sections of the PCI document prefilled by Glide? Do we leave as is?
Finix pre-fills these forms based on their technical integration with Glide to ensure the answers match the actual data flow, helping the merchant avoid "wrong" answers that could trigger a higher level of audit.
Does the form apply to physical card accepting terminals?
Since this is an SAQ A (E-commerce only), physical terminals are not in scope. You can typically list the main business address or note "N/A - E-commerce only" if there are no physical swipe machines involved in this specific flow.
What is a Payment Application?
A Payment Application is specifically defined by the PCI Security Standards Council as a third-party software package that is sold, distributed, or licensed to third parties for the purpose of storing, processing, or transmitting cardholder data. The FI uses Finix’s pre-built hosted forms or iFrames provided through Glide. Because these are outsourced services and not a software application installed on the FI's local servers or managed by FI staff, they do not count as a "Payment Application" for the merchant's own assessment.