PCI-DSS requirements

If you are integrating CARDS with Toqio, you will need to be PCI-DSS compliant.

You must perform an assessment demonstrating PCI-DSS compliance. There are three ways to demonstrate PCI-DSS compliance, in increasing order of assurance:

  1. A PCI-DSS self-assessment performed by the Integrator itself, without a certificate of compliance.
  2. A PCI-DSS self-assessment performed with the support of an external entity, which issues a certificate of compliance.
  3. A PCI-DSS assessment performed by a Qualified Security Assessor (QSA), resulting in an official Attestation of Compliance (AOC).

As an Integrator you must comply with every requirement of the PCI-DSS standard that applies to your integration. Which requirements apply depends on how your integration handles Cardholder Data:

If you handle Cardholder Data both in transit and at rest (you store it in your databases or other persistent storage), you must comply with all PCI-DSS requirements, including both the in-transit and the at-rest requirements.

If you handle Cardholder Data in transit only (you never store Cardholder Data in your databases or other persistent storage), you must comply with all PCI-DSS requirements except those that apply specifically to data at rest.

PCI-DSS official documentation and questionnaires: https://www.pcisecuritystandards.org/document_library/?category=saqs

You must be open to security audits performed by Toqio, carried out in a manner agreed between both parties and in line with the applicable compliance requirements.

One of the PCI-DSS requirements is to perform a formal risk assessment of your company, covering the PCI-DSS scope, at least once a year. Toqio will therefore ask you for this risk assessment yearly.