Describe how long your organization has conducted business in this area.
Explanation
Track record is what reviewers want to gauge: how long your organization has operated in handling payment card data and the related security compliance. The PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements for organizations that handle credit card information.
The question aims to assess your organization's maturity and experience in dealing with payment card processing and the associated security requirements. Organizations with longer experience in this area are often presumed to have more established processes, better understanding of the risks, and more mature security controls.
When answering this question, you should:
- Specify the exact number of years your organization has been handling payment card data
- Describe in what capacity you've been processing payments (e.g., as a merchant, service provider, payment processor)
- Mention any relevant milestones in your PCI compliance journey
- Include information about the volume or scale of payment processing if significant
This question helps the assessor understand your organization's experience level with PCI compliance requirements and payment card handling, which can indicate your likely familiarity with security best practices in this domain.
Guidance
Include the number of years and in what capacity.
Example Responses
Example Response 1
Our organization has been processing credit card payments for 12 years, since our founding in 2011 We operate as a Level 1 merchant (processing over 6 million transactions annually) and have maintained continuous PCI DSS compliance since 2013 We initially started as an e-commerce platform handling direct card payments, and in 2017 expanded to also provide payment processing services to third-party merchants, operating as a service provider in that capacity We have successfully completed annual PCI DSS assessments with a Qualified Security Assessor (QSA) for the past 9 consecutive years.
Example Response 2
Secure Payment Solutions has been operating in the payment card industry for 7 years We began as a payment gateway provider in 2016, facilitating e-commerce transactions for small to medium businesses In 2019, we expanded our services to include point-of-sale systems for physical retail locations We have maintained PCI DSS compliance as a Level 2 Service Provider since 2017, processing approximately 1-6 million transactions annually Our compliance program has matured significantly over this period, with our dedicated security team growing from 2 to 15 specialists focused on payment security and compliance.
Example Response 3
Our company is relatively new to payment card processing We launched our e-commerce platform 10 months ago and began accepting credit card payments at that time Prior to this, our founding team worked at various financial technology companies, but our organization itself has limited experience with PCI DSS compliance We are currently working with a QSA to complete our first formal assessment and expect to achieve compliance within the next quarter In the meantime, we've implemented tokenization through a third-party provider to minimize our exposure to cardholder data while we build out our security program.
Context
- Tab
- Case-Specific
- Category
- Payment Card Industry Data Security Standard (PCI DSS)
Related questions
- Do you have a current, executed within the past year, Attestation of Compliance (AoC) or Report on Compliance (RoC)?
- Is the application listed as an approved Payment Application Data Security Standard (PA-DSS) application?
- Does the system or solutions use a third party to collect, store, process, or transmit cardholder (payment/credit/debt card) data?
- Do your systems or solutions store, process, or transmit cardholder (payment/credit/debt card) data?
- Are you compliant with the Payment Card Industry Data Security Standard (PCI DSS)?
- Are you classified as a service provider?

