How does PCI Proxy reduce my PCI DSS scope?

The key for merchants and service providers wishing to reduce their PCI DSS scope is to not store, process, or transmit any sensitive cardholder data. By using PCI Proxy, we take care of that challenge by shielding your servers from sensitive card data. As a result, your servers never get in touch with sensitive card data again and you can rely on our full PCI DSS Level 1 certification.

What credit card types does PCI Proxy support?

PCI Proxy automatically collects, stores, and tokenizes all PCI DSS relevant card data. Currently, we support all major brands and additional virtual cards such as Visa, Mastercard, American Express, Diners, Discover, JCB, ELO, Maestro, Expedia Virtual Cards, Booking.com Virtual Cards, AirPlus, etc. Contact us if you need additional brands tokenized.

Does PCI Proxy return the 8-digit BIN range of a credit card?

Yes, we return the 8-digit BIN, where the card brand and card number length allow it, as a new `bin` parameter in the GET /v1/aliases/{alias} endpoint. Please reach out to our team to activate this feature for you. Please also consider the stricter handling PCI DSS requires when storing and displaying an 8-digit BIN, as highlighted in the following two FAQ articles:
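The length condition matters because PCI DSS truncation limits depend on how many digits the PAN has: keeping 8 leading digits of a 16-digit PAN next to the last 4 leaves only 4 digits hidden. The following is an added example, not PCI Proxy's own code, and it assumes the truncation limits of first 8 + last 4 for PANs of 16 or more digits and first 6 + last 4 for shorter PANs; the sample numbers are well-known test PANs, not real cards.

```python
# Added example (not PCI Proxy's code): validate that the BIN and last-4
# digits a merchant keeps beside an alias stay within PCI DSS truncation
# limits, and show how little of the PAN remains hidden.
# Assumption: 16+ digit PANs may keep first 8 + last 4; shorter PANs first 6 + last 4.
from dataclasses import dataclass


@dataclass(frozen=True)
class TruncationLimit:
    leading: int   # max digits allowed at the start (the BIN portion)
    trailing: int  # max digits allowed at the end


def truncation_limit(pan_length: int) -> TruncationLimit:
    """Max digits that may be kept in the clear for a PAN of this length."""
    if pan_length < 13 or pan_length > 19:
        raise ValueError(f"implausible PAN length: {pan_length}")
    return TruncationLimit(8, 4) if pan_length >= 16 else TruncationLimit(6, 4)


def bin_allowed(bin_digits: str, pan_length: int) -> bool:
    """True if keeping this many leading digits is permitted for the PAN length."""
    if not bin_digits.isdigit():
        return False
    return len(bin_digits) <= truncation_limit(pan_length).leading


def hidden_digits(bin_digits: str, pan_length: int, trailing: int = 4) -> int:
    """How many PAN digits stay unknown once BIN and trailing digits are kept."""
    return pan_length - len(bin_digits) - trailing


def masked_pan(bin_digits: str, last4: str, pan_length: int) -> str:
    """Build a display string from stored pieces only; the merchant never
    holds the full PAN, so the middle is filled with '*' by construction."""
    if len(last4) != 4 or not last4.isdigit():
        raise ValueError("trailing portion must be exactly 4 digits")
    if not bin_allowed(bin_digits, pan_length):
        raise ValueError("retained BIN exceeds PCI DSS truncation limit")
    hidden = hidden_digits(bin_digits, pan_length)
    if hidden < 0:
        raise ValueError("BIN and last 4 overlap for this PAN length")
    return f"{bin_digits}{'*' * hidden}{last4}"


if __name__ == "__main__":
    # Constructed test PANs: 4111111111111111 (16 digits), 378282246310005 (15 digits)
    print(masked_pan("41111111", "1111", 16), hidden_digits("41111111", 16))
    print(masked_pan("378282", "0005", 15), hidden_digits("378282", 15))
```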

What are the costs of using PCI Proxy?

Our pricing model is based on actual performance we deliver to you. Unlike others, we don't charge you for storing credit cards as we understand that you often have no influence on the duration of storage. Instead, you only pay for exactly what you need. All plans include free setup and use of channels and APIs and fast and reliable tokenization of credit card data off the shelf.

What token formats does PCI Proxy support?

Check out our Token Formats page for more information.

Why do I have to provide the PCI DSS Attestation of Compliance (AOC) if I want to pass stored card data on to a 3rd party?

In order to forward plain credit card data to a 3rd party, that 3rd party needs to be PCI compliant. The PCI DSS Attestation of Compliance (AOC) is an obligation for each party involved in the credit card acceptance or transmission process. Therefore, it is your responsibility to make sure you are collaborating with the right partners. Knowing your partners' compliance status provides assurance and awareness about how they deal with cardholder data of your customers.

Do you accept other compliance certificates apart from an AOC?

No. Attestations of Compliance (AOC) are the only official documents recognized for PCI DSS validation. Any other forms of certification issued for the purposes of illustrating compliance towards PCI DSS are not acceptable for proving compliance.

I'm PCI-certified - can I still use your storage vault?

Yes, if you are PCI certified and just want to store your sensitive card data in our secure vaults in Switzerland, you can connect via our Vault API to tokenize on-the-fly.

Can I act as a payment facilitator?

Working with PCI Proxy allows you to store your customers' credit card data in our vaults without ever touching your servers. PCI Proxy takes care of passing this sensitive card data directly to gateways or API endpoints, which settle funds into respective merchant accounts. If you're looking to operate as a platform like Etsy or eBay, you will be able to onboard thousands of different merchants and route payments to their own merchant account on their behalf - all without ever touching the money or sensitive card data yourself.

Can you help me to receive a PCI Level 1 certification?

Yes. PCI Proxy works closely with PCI-accredited Qualified Security Assessors (QSA). They know our platform and can help you achieve the highest PCI Level 1 compliance. Depending on your environment, our QSAs allow you to achieve Level 1 compliance within less than 14 days including information packages, documentation templates, onsite audit, Report on Compliance (ROC) and a completed Attestation of Compliance (AOC). Get in touch for more details.

Where can I find additional information about PCI DSS?

The PCI Security Standards Council is the official body which manages the standard. See their FAQs and Document Library for more information.

https://www.pcisecuritystandards.org/faqs/

https://www.pcisecuritystandards.org/document_library/