PCI Compliance

Azotte is PCI DSS Level 1 compliant, ensuring the highest standards of payment card data security.

PCI DSS Overview

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.

Compliance Levels

Level 1: Merchants processing 6M+ transactions annually
Level 2: Merchants processing 1-6M transactions annually
Level 3: Merchants processing 20K-1M e-commerce transactions annually
Level 4: All other merchants processing up to 20K transactions annually

Azotte's PCI Compliance

Level 1 Certification

Annual on-site security assessments
Quarterly network security scans
Comprehensive security controls
Regular compliance validation

Certification Details

Level: PCI DSS Level 1 Service Provider
Assessor: Qualified Security Assessor (QSA)
Scope: Full payment processing infrastructure
Validation: Annual Report on Compliance (ROC)

Security Architecture

Network Security

Internet
    │
    ▼
┌────────────────────┐
│      WAF/DDoS       │
│    Protection      │
└──────────┬─────────┘
            │
            ▼
┌────────────────────┐
│   Load Balancer    │
│   (SSL Termination)│
└──────────┬─────────┘
            │
            ▼
┌────────────────────┐
│  Application Tier  │
│  (No Card Data)    │
└──────────┬─────────┘
            │
            ▼
┌────────────────────┐
│  Secure Vault      │
│  (Encrypted CHD)   │
└────────────────────┘

Data Protection

Encryption at Rest: AES-256 encryption for stored data
Encryption in Transit: TLS 1.3 for all communications
Tokenization: Replace sensitive data with tokens
Key Management: Hardware Security Modules (HSMs)

Tokenization

How Tokenization Works

Data Collection: Sensitive card data collected securely
Token Generation: Unique token created for card data
Secure Storage: Original data stored in encrypted vault
Token Distribution: Token used throughout system
Detokenization: Original data retrieved only when needed

Token Format

Original PAN:  4242 4242 4242 4242
Token:         tok_1BRoAoH7XjZ8QQMVz9mQ0p3x

# Tokens are:
# - Irreversible without access to vault
# - Format-preserving or completely different format
# - Unique per merchant/customer combination

Your Compliance Obligations

Using Azotte Reduces Your Scope

By using Azotte's tokenized approach, your PCI compliance scope is significantly reduced:

Traditional Processing (Full Scope)

Card data flows through your systems
Full PCI DSS compliance required
Extensive security controls needed
Annual assessments required

Azotte Tokenized Approach (Reduced Scope)

No card data touches your systems
Simplified compliance requirements
Self-Assessment Questionnaire (SAQ A)
Reduced security controls needed

SAQ A Requirements

With Azotte's tokenized solution, most merchants qualify for SAQ A:

No cardholder data storage
HTTPS for all web pages
Regular security updates
Strong access controls

Security Best Practices

Integration Security

// ✅ Good: Use HTTPS for all API calls
const response = await fetch('https://api.azotte.com/v1/payments', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${apiKey}`,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify(paymentData)
});

// ❌ Bad: Never use HTTP
// const response = await fetch('http://api.azotte.com/v1/payments', ...);

API Key Security

# ✅ Good: Use environment variables
export AZOTTE_API_KEY="sk_live_..."

# ❌ Bad: Never hardcode in source code
# const apiKey = "sk_live_1234567890abcdef";

Webhook Security

// Always verify webhook signatures
const crypto = require('crypto');

function verifyWebhook(payload, signature, secret) {
  const expectedSignature = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');
  
  return signature === `sha256=${expectedSignature}`;
}

Compliance Documentation

Available Documents

AOC (Attestation of Compliance): Proof of PCI compliance
ROC (Report on Compliance): Detailed compliance report
Security Policies: Internal security procedures
Penetration Test Reports: Third-party security assessments

Accessing Documents

Log into Azotte Portal
Navigate to Security & Compliance
Download required documents
Share with your compliance team

Incident Response

Security Monitoring

24/7 security operations center
Real-time threat detection
Automated incident response
Regular security patching

Breach Notification

Immediate containment procedures
Forensic investigation
Regulatory notifications
Customer communication

Regular Assessments

Internal Assessments

Quarterly vulnerability scans
Annual penetration testing
Continuous security monitoring
Regular policy reviews

External Validation

Annual QSA assessment
Independent security audits
Compliance certification renewal
Third-party security reviews

Next Steps

Learn about Tokenization
Understand Encryption
Explore Data Protection

PCI DSS Overview​

What is PCI DSS?​

Compliance Levels​

Azotte's PCI Compliance​

Level 1 Certification​

Certification Details​

Security Architecture​

Network Security​

Data Protection​

Tokenization​

How Tokenization Works​

Token Format​

Your Compliance Obligations​

Using Azotte Reduces Your Scope​

Traditional Processing (Full Scope)​

Azotte Tokenized Approach (Reduced Scope)​

SAQ A Requirements​

Security Best Practices​

Integration Security​

API Key Security​

Webhook Security​

Compliance Documentation​

Available Documents​

Accessing Documents​

Incident Response​

Security Monitoring​

Breach Notification​

Regular Assessments​

Internal Assessments​

External Validation​

Next Steps​