PCI Compliance Position Statement

Overview

Socotra does not currently maintain an independent PCI-DSS certification or compliance validation. Customers are solely responsible for ensuring their entire operational environment, including all third-party services and integrations, meets their PCI compliance requirements.

Customer Responsibility

Compliance Validation

  • Primary Responsibility: Customers must validate their complete operational ecosystem for PCI compliance, including their use of Socotra services

  • Audit Requirements: Customers are responsible for including Socotra as part of their overall PCI compliance audit and validation process

  • Third-Party Assessment: Any PCI compliance assertions must be made by the customer based on their comprehensive assessment of their entire environment

Socotra’s Position

Service Provision

  • Socotra provides technology services and infrastructure to support customer operations

  • Customers retain full control over their implementation, configuration, and operational practices

  • Security features and capabilities are made available to customers to support their compliance efforts

Compliance Assertions

  • No Independent Claims: Socotra does not make independent PCI-DSS compliance assertions

  • Customer-Driven Validation: All compliance determinations must be made by customers through their own assessment processes

  • Audit Participation: Socotra will cooperate with customer-led compliance audits and assessments as needed

Documentation and Support

Available Resources

  • Technical documentation regarding security features and implementation guidelines

  • Architectural information to support customer compliance assessments

  • Support for customer-initiated compliance review processes

Limitations

  • Socotra does not provide compliance consulting or certification services

  • Customers should engage qualified PCI compliance professionals for validation and certification

  • Implementation-specific compliance questions should be addressed through customer-led assessment processes

Key Principles

  1. Customer Ownership: Customers own their complete compliance posture and validation process

  2. Comprehensive Assessment: PCI compliance must be evaluated across the entire operational environment

  3. Professional Validation: Qualified compliance professionals should be engaged for certification processes

  4. Clear Boundaries: Socotra’s role is service provision, not compliance validation or certification
Note

This position statement is designed to provide clarity on PCI compliance responsibilities and should be reviewed with qualified legal and compliance professionals as part of your overall compliance strategy.