PerimeterX Bot Defender is compliant with PCI DSS version 3.2 Level 2 for Service Providers.
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes: Visa, MasterCard, American Express, Discover, and JCB. The PCI standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data in order to reduce credit card fraud. PCI DSS v3.2 is the current version, which came into effect in February 2018.
PCI DSS FAQ
What is PCI DSS?
PCI DSS (Payment Card Industry Data Security Standard) is an information security standard for organizations that handle credit cards or cardholder data. It is a standard mandated by the credit card brands (Visa, MasterCard, Discover, AMEX, etc.) to increase controls around cardholder data and reduce credit card fraud.
Does PerimeterX collect cardholder / credit card data?
No. The PerimeterX Bot Defender platform (sensors, detectors and enforcers) does not collect, transmit or store credit cardholder data. There may be instances where our components reside on servers that store or pass through cardholder data; however, we abstain from ingesting and processing cardholder data.
What level of PCI DSS compliance does PerimeterX attest to?
PerimeterX Bot Defender is compliant with PCI DSS v3.2 as a Level 2 Service Provider. We are a service provider that does not process cardholder data. We comply with the Level 2 Service Provider certification process, which validates compliance annually by verifying adherence to all PCI DSS requirements, completing a Self-Assessment Questionnaire (SAQ-D) and an Attestation of Compliance for Service Providers.
Is a self-attestation (AOC - Attestation of Compliance) reliable?
PCI DSS v3.2 enables organizations to complete and submit a self-assessment questionnaire (SAQ) and AOC to their acquirer for verification. Since PerimeterX Bot Defender does not collect or store any cardholder data, self-attestation is a solution recognized by the PCI Council. PCI DSS is not required by law but is highly recommended as the industry's information security standard. Each organization is responsible for managing the annual requirements for compliance.
What if I use an external CDN or have cloud infrastructure?
Many organizations use external third-party cloud infrastructures and CDNs; CDNs and third-party services may reduce your area of responsibility. The PerimeterX solution can be implemented on well-known cloud infrastructures such as Fastly, CloudFront, Salesforce Commerce Cloud, etc. If your organization is PCI DSS compliant, it is important to verify that your partners and vendors value information security standards and are PCI DSS compliant as well. PerimeterX Bot Defender is PCI DSS v3.2 compliant.
PerimeterX Bot Defender is a cloud-based solution with multiple geographic locations. Does the solution need to be PCI DSS compliant in each location?
PCI DSS is a global information security standard that applies to organizations outside of the US as well. PerimeterX Bot Defender's PCI DSS v3.2 compliance validation is global.