PCI-DSS compliance

Data security is one of our highest priorities at Rebilly.

We go beyond industry standards to meet a high level of data security at every layer, from server hardening techniques and network segmentation to extensive data integrity logging, secure coding practices and rigorous testing.

As a Level 1 service provider, to maintain PCI-DSS compliance we undergo a yearly audit of our security practices and policies, as well as bi-annual penetration testing, quarterly vulnerability scans, and more. Our annual audit is completed by a third-party auditor accredited by the PCI Security Standards Council.

You should maintain evidence that your service providers are compliant. Download our Attestation of Compliance (AOC) as evidence of Rebilly's compliance, and refresh these records every year.

Reduce security-related expenses by offloading most of your PCI-DSS compliance burden to Rebilly. This is done by using our TOKENS API endpoint in conjunction with FramePay, so that payment information never flows through your servers.

Reduce your costs of compliance by varying degrees, depending on how cardholder data reaches Rebilly:

1. Largest reduction: do not accept payment cards on your website at all; use a third-party hosted checkout page or FramePay.
   - Requires SAQ A
2. Significant reduction: use a JavaScript-only solution. You can still reduce the scope of compliance.
   - Requires SAQ A-EP
3. Small reduction: do not store card data, but transmit card data through your servers. Some sections are not applicable.
   - Requires SAQ D
4. No reduction: transmit and store cardholder data through your servers. This will require an auditor if the transaction count is high enough.
   - Requires SAQ D