Security and Compliance at Sezzle
Sezzle is PCI DSS Level 1 Certified
Sezzle is a PCI DSS Level 1 certified compliant Service Provider organization. We recommend that consumers and merchants ensure they are working with a Level 1 certified compliant organization. Level 1 certification ensures that an external auditor has fully assessed the ability of the organization.
PCI DSS is a comprehensive set of requirements created by the Payment Card Industry Security Standards Council to enhance cardholder data security and to ensure the safe handling and storage of sensitive customer credit card information and data.
Sezzle’s PCI DSS responsibilities as a Service Provider are outlined in our Level 1 Report on Compliance (ROC) and our Level 1 Attestation of Compliance (AOC), as independently audited and reported by Sezzle’s Qualified Security Assessor (QSA). Sezzle’s Attestation of Compliance (AOC) is submitted to Sezzle’s acquiring bank(s).
There are 4 levels of PCI compliance:
Level 1: Over 6 million card transactions per year. External audit required for compliance. (Sezzle is Level 1)
Level 2: 1 to 6 million transactions per year. Only a self-assessment is required for compliance.
Level 3: 20,000 to 1 million transactions per year. Only a self-assessment is required for compliance.
Level 4: fewer than 20,000 transactions per year. Only a self-assessment is required for compliance.
More information can be found on the official PCI org website www.pcisecuritystandards.org.
What this means for Consumers:
Sezzle secures and protects the cardholder data according to the current applicable PCI standard for the life of the data needing to be retained. Sezzle acknowledges these responsibilities as being the organization responsible for ensuring the safe handling and storage of sensitive customer credit card information and data for the Sezzle services.
What this means for Merchants:
Sezzle merchants must implement Sezzle technologies according to Sezzle’s approved configuration. Sezzle merchants have effectively delegated their PCI DSS responsibilities for sensitive customer credit card information and data collected through the Sezzle Merchant Agreement process and Customer Agreement. Merchants may have other PCI DSS responsibilities that are independent of the Sezzle Merchant Agreement process. It is the Merchant’s sole responsibility to remain informed of their PCI obligations and compliance status. Merchants should always consult their own Information Security professionals to review the security of the merchant’s business where required. A Qualified Security Assessor should be consulted if the merchant manages other sensitive customer credit card information and data or the merchant’s implementation of Sezzle technologies has deviated from the approved configuration.