PCI Compliance Position Statement
Overview
Socotra does not currently maintain an independent PCI-DSS certification or compliance validation. Customers are solely responsible for ensuring their entire operational environment, including all third-party services and integrations, meets their PCI compliance requirements.
Customer Responsibility
Compliance Validation
Primary Responsibility: Customers must validate their complete operational ecosystem for PCI compliance, including their use of Socotra services
Audit Requirements: Customers are responsible for including Socotra as part of their overall PCI compliance audit and validation process
Third-Party Assessment: Any PCI compliance assertions must be made by the customer based on their comprehensive assessment of their entire environment
Socotra’s Position
Service Provision
Socotra provides technology services and infrastructure to support customer operations
Customers retain full control over their implementation, configuration, and operational practices
Security features and capabilities are made available to customers to support their compliance efforts
Compliance Assertions
No Independent Claims: Socotra does not make independent PCI-DSS compliance assertions
Customer-Driven Validation: All compliance determinations must be made by customers through their own assessment processes
Audit Participation: Socotra will cooperate with customer-led compliance audits and assessments as needed
Documentation and Support
Available Resources
Technical documentation regarding security features and implementation guidelines
Architectural information to support customer compliance assessments
Support for customer-initiated compliance review processes
Limitations
Socotra does not provide compliance consulting or certification services
Customers should engage qualified PCI compliance professionals for validation and certification
Implementation-specific compliance questions should be addressed through customer-led assessment processes
Key Principles
Customer Ownership: Customers own their complete compliance posture and validation process
Comprehensive Assessment: PCI compliance must be evaluated across the entire operational environment
Professional Validation: Qualified compliance professionals should be engaged for certification processes
Clear Boundaries: Socotra’s role is service provision, not compliance validation or certification
Note
This position statement is designed to provide clarity on PCI compliance responsibilities and should be reviewed with qualified legal and compliance professionals as part of your overall compliance strategy.