# PCI Compliance Position Statement

## Overview

Socotra does not currently maintain an independent PCI-DSS certification or compliance validation. Customers are solely responsible for ensuring their entire operational environment, including all third-party services and integrations, meets their PCI compliance requirements.

## Customer Responsibility

### Compliance Validation

* **Primary Responsibility**: Customers must validate their complete operational ecosystem for PCI compliance, including their use of Socotra services
* **Audit Requirements**: Customers are responsible for including Socotra as part of their overall PCI compliance audit and validation process
* **Third-Party Assessment**: Any PCI compliance assertions must be made by the customer based on their comprehensive assessment of their entire environment

## Socotra's Position

### Service Provision

* Socotra provides technology services and infrastructure to support customer operations
* Customers retain full control over their implementation, configuration, and operational practices
* Security features and capabilities are made available to customers to support their compliance efforts

### Compliance Assertions

* **No Independent Claims**: Socotra does not make independent PCI-DSS compliance assertions
* **Customer-Driven Validation**: All compliance determinations must be made by customers through their own assessment processes
* **Audit Participation**: Socotra will cooperate with customer-led compliance audits and assessments as needed

## Documentation and Support

### Available Resources

* Technical documentation regarding security features and implementation guidelines
* Architectural information to support customer compliance assessments
* Support for customer-initiated compliance review processes

### Limitations

* Socotra does not provide compliance consulting or certification services
* Customers should engage qualified PCI compliance professionals for validation and certification
* Implementation-specific compliance questions should be addressed through customer-led assessment processes

## Key Principles

1. **Customer Ownership**: Customers own their complete compliance posture and validation process
2. **Comprehensive Assessment**: PCI compliance must be evaluated across the entire operational environment
3. **Professional Validation**: Qualified compliance professionals should be engaged for certification processes
4. **Clear Boundaries**: Socotra's role is service provision, not compliance validation or certification

***

<Callout>
  This position statement is designed to provide clarity on PCI compliance responsibilities and should be reviewed with qualified legal and compliance professionals as part of your overall compliance strategy.
</Callout>
