PCI DSS Requirement 12.9: Service Provider Acknowledgement to Customer
1. Background: CRB Cunninghams (the "Service Provider") has, in conjunction with payment provider(s), developed the applications known as iPayimpact. The Service Provider has agreed, on the terms of the subcontract(s) between the Service Provider and the Customer (the "Subcontract"), to make iPayimpact available for use by the Customer.
2. Scope: Use by the Customer of iPayimpact may involve the transmission of cardholder data on behalf of the Customer. The scope of this transmission is limited to iPayimpact transmitting cardholder data to the payment provider(s) (the party responsible for processing the cardholder data). This scope has been confirmed by an independent Qualified Security Assessor ("QSA") appointed by the Service Provider to assess its compliance with Payment Card Industry Data Security Standards ("PCI DSS") in relation to iPayimpact.
3. Acknowledgements: The Service Provider acknowledges to the Customer that, as between the Service Provider and the Customer, the Service Provider is responsible for the security of cardholder data it transmits on behalf of the Customer in relation to iPayimpact. The Service Provider further acknowledges that, as between the Service Provider and the Customer, the Service Provider is responsible for managing the security and configuration of iPayimpact.
4. PCI DSS Compliance: The Service Provider has achieved and is maintaining compliance with PCI DSS applicable to the scope of transmission of cardholder data described in paragraph 2 above. The Service Provider has taken various steps to ensure the security and configuration of iPayimpact, including: (i) engaging an external security consultant to provide PCI DSS advice and periodic penetration testing; (ii) appointing the QSA to audit the Service Provider's PCI DSS compliance.
You can find more information about PCI DSS on the PCI Security Standards website.