Persona obtains PCI DSS certification.

Learn what this certification means for you and what's next.

At Persona, our goal is to enable trust between businesses and their customers. One of the biggest ways we do this is by ensuring we keep data safe. We’re already ISO 27001, SOC 2, and NIST IAL2 certified, and today we’re proud to add PCI certification to our growing list.

What is PCI compliance?

In 2006, American Express, Discover, JCB, Mastercard, and Visa formed the Payment Card Industry Security Standards Council (PCI SSC), which created a standard security policy — the PCI Data Security Standard (PCI DSS) — to protect consumers and reduce fraud and data breaches. Today, PCI DSS is the global industry standard for all entities that handle cardholder data.

PCI compliance refers to the standards organizations must follow to secure and protect sensitive credit card data during and after a financial transaction. Credit card companies require companies that process, store, or transmit credit card data to maintain PCI compliance to help ensure the security of online transactions.

What does our PCI certification mean for your business?

As with our SOC 2 and ISO 27001 certifications, Persona’s PCI certification means you can trust that we handle data securely, in this case cardholder data such as primary account numbers (PANs), cardholder names, expiration dates, and service codes. We comply with PCI’s strict information security requirements and have been validated by a reliable third party.

To get certified, we had to demonstrate that we protect cardholder data by following PCI’s 12 requirements. These requirements essentially boil down to three main components:

  • Collecting and transmitting sensitive card details securely
  • Storing card data securely
  • Validating that we have the required security controls in place each year

Practically, our certification means we’ve implemented a number of security processes to keep payment data safe, such as installing and maintaining a firewall to protect cardholder data, encrypting data, restricting and monitoring access to cardholder data, regularly conducting security audits, vulnerability scans, and penetration tests, and more.

On a broader level, our PCI certification reinforces our commitment to helping businesses securely control and manage PII of all kinds. As such, you can leave even more types of sensitive PII to us and focus on what you do best.

What’s next?

Going forward, we’ll continue to recertify each year, which involves an annual on-site validation assessment by a Qualified Security Assessor (QSA).

Additionally, our PCI certification will allow us to expand our offerings. For example, while none of these features are currently live, in the future, we may be able to allow businesses to:

  • Collect and store sensitive payment information such as full PANs directly on our PCI DSS-validated servers
  • Evaluate additional risk signals, such as a new credit card not associated with an account
  • Search for accounts linked by credit card information (such as the last four digits of a credit card number) via Graph
  • Create blocklists of certain PANs

If you’d like to request a copy of our PCI certification, please email [email protected]. You can also learn more about our other certifications and security measures on our Security Page.
