As a registered Payment Facilitator, your responsibilities for maintaining ongoing compliance with PCI DSS are not limited to your own Service Provider validation. The acquirer and payment processor will enforce the Payment Facilitator’s requirements to annually validate the PCI compliance of its Merchants. On the contrary to the PCI Service Provider validation, Merchants may simply validate PCI compliance by completing the respective Self-Assessment Questionnaire (SAQ), per the below guidance, and submitting the completed document to the PayFac for review.
Please Note - It is the PayFac’s responsibility to document receipt and review of its Merchants’ completed PCI SAQ documents on an annual basis. These documents will be requested by the payment card brands during their annual audits of the PayFac’s acquiring bank and/or third-party payment processor. Merchants accepting E-commerce transactions should determine the appropriate SAQ document to complete based on the flow of cardholder data (CHD).