PCI-DSS Compliance Statement

Last Updated: July 3, 2026

Effective Date: July 3, 2026
Last Updated: July 3, 2026
Version: 2.0


Overview

This statement explains how MHC Information Services, LLC (MHCIS) approaches the Payment Card Industry Data Security Standard (PCI-DSS), what we have validated about our own posture, and where responsibility for validation sits between MHCIS and our clients.

MHCIS is a security and software engineering firm. When we design or build systems that sit adjacent to payment processing, we engineer them to the PCI-DSS 4.0 control set. We do not certify our clients' environments, and we do not act as a Qualified Security Assessor (QSA).

What PCI-DSS Is

PCI-DSS is a technical and operational baseline for organizations that store, process, or transmit cardholder data. The current version is PCI-DSS 4.0, maintained by the PCI Security Standards Council.

Two points are important for understanding what compliance does and does not mean:

  • It is not a government certification. No government agency issues, audits, or enforces PCI-DSS. It is a private industry standard.
  • It is enforced contractually. The payment card brands and acquiring banks require PCI-DSS through the contracts that let a business accept card payments. Obligations, validation methods, and consequences flow through those commercial agreements, not through statute.

Validation is performed either through a Self-Assessment Questionnaire (SAQ) with an Attestation of Compliance (AOC), or, for higher volumes and certain arrangements, through an on-site assessment by a QSA that produces a Report on Compliance (ROC). The applicable path depends on the entity's role, transaction volume, and how it handles cardholder data.

Our PCI-DSS Posture

MHCIS has completed a PCI-DSS Self-Assessment Questionnaire (SAQ) as a service provider. Our Attestation of Compliance (AOC) is available on request.

To be precise about scope:

  • Our posture is validated through a completed SAQ, not through a QSA on-site audit.
  • We do not hold, and do not claim, a "Level 1" designation or a Report on Compliance (ROC).
  • Completing our SAQ speaks to the systems and controls within our own scope. It does not validate, certify, or attest to any client's environment.

The Shared-Responsibility Model

PCI-DSS compliance in any engagement is shared. Responsibility is divided along the boundary between what MHCIS builds or operates and what the client owns.

MHCIS is responsible for engineering the systems within our scope to PCI-DSS 4.0 controls, maintaining our own SAQ and AOC, and providing a clear description of which controls we deliver versus which remain with the client.

The client is responsible for defining the scope of its Cardholder Data Environment (CDE), selecting and completing the correct validation path (SAQ or QSA engagement) for its own environment, maintaining its merchant and service-provider agreements, training its personnel, securing its own facilities, and sustaining compliance over time.

Where a formal responsibility matrix is useful, we can provide one that maps specific PCI-DSS requirements to the party accountable for each.

How We Build to PCI-DSS 4.0 Controls

When we design and build payment-adjacent systems, we align the work to the PCI-DSS 4.0 control families below. These describe our engineering approach. They are not a claim to operate or validate any specific client's CDE.

  • Network segmentation. We isolate sensitive systems from general-purpose networks using logical segmentation and deny-by-default access boundaries, so that the systems in scope are as narrowly defined as possible.
  • Encryption of cardholder data in transit. We enforce TLS for data transmitted over networks and use current protocol and certificate configurations.
  • Access control and least privilege. We provision access on a least-privilege basis, use unique identities, and support multi-factor authentication for sensitive access, with defined provisioning and deprovisioning.
  • Logging and monitoring. We instrument systems with audit logging and error and exception monitoring so that access and system events are recorded and reviewable.
  • Vulnerability management. We keep dependencies under review, apply patches on a defined cadence, and remediate identified issues.
  • Secure software development lifecycle. We build with a secure SDLC, infrastructure-as-code, dependency review, and change control.

Encryption at rest for systems we build is provided by the underlying cloud platforms we deploy on. We do not over-specify key-management arrangements we cannot substantiate for a given engagement.

Client Validation Remains the Client's

MHCIS builds PCI-DSS-ready systems and aligns its engineering to the standard. Formal validation of a client's own environment is the responsibility of the client and, where applicable, its QSA.

Nothing in this statement constitutes certification of a client's PCI-DSS compliance. That determination is made by the client through the appropriate SAQ, or by a QSA through an on-site assessment. We are glad to support that process by providing our AOC, describing the controls we deliver, and supplying a responsibility matrix, but the validation decision is not ours to make.

What We Can Provide

As a service provider, on request we can provide:

  • Our Attestation of Compliance (AOC).
  • A responsibility matrix mapping PCI-DSS requirements to MHCIS and to the client.
  • A description of the security controls we implement within our scope.

Contact for PCI-DSS Inquiries

General PCI-DSS Questions

Assessment and Documentation Requests

Email contact@mhcis.com with "PCI-DSS" in the subject line to request our AOC or a responsibility matrix.


Disclaimer

This statement describes how MHCIS engineers systems to PCI-DSS 4.0 controls and summarizes our own validated posture. PCI-DSS is a contractual industry standard, not a government certification. MHCIS has completed a service-provider SAQ and can provide its AOC on request. We do not certify any client's PCI-DSS compliance. That determination is made by the client through self-assessment, or by a Qualified Security Assessor. For detailed discussion of a specific engagement, please contact us.


MHC Information Services, LLC, a security and software engineering firm.

Back to Home