PCI DSS Overview
PCI DSS (Payment Card Industry Data Security Standard) is the global security standard, maintained by the PCI Security Standards Council, for protecting payment card data across the major card brands (Visa, Mastercard, American Express and others). It sets out a framework of requirements for any organisation that stores, processes or transmits cardholder data: keep stored data unreadable (or do not store it at all), transmit it only in encrypted form, restrict and monitor access to it, detect attacks and suspicious activity early, and demonstrate compliance to acquiring banks and the card networks. Its objective is to reduce fraud, prevent breaches of cardholder data and protect customers' card data from theft, misuse or unauthorised access, so that merchants and service providers can run a secure payment environment while maintaining the trust of banks, partners and customers.
For more information, visit the official PCI DSS website.
Under the PCI DSS framework, Vrtx is classified as a Service Provider (and, because it issues cards, also as a card issuer/processor). Because other businesses rely on Vrtx's APIs to handle sensitive financial data, service providers are held to the most rigorous validation standards.
Levels of PCI DSS Compliance
Compliance levels are determined by the volume of card transactions a business handles annually. The tiers below are the merchant levels defined by the card brands (Visa's thresholds are shown; Mastercard's are similar). Service providers such as Vrtx are levelled separately: Level 1 covers providers that store, process or transmit more than 300,000 transactions a year and must validate with a QSA-led Report on Compliance, and Level 2 covers smaller providers, which validate with an SAQ.
- Level 1: Over 6 million card transactions per year. This is the strictest tier, requiring an annual Report on Compliance (ROC) conducted by a Qualified Security Assessor (QSA), an Attestation of Compliance (AOC), and quarterly external network scans by an Approved Scanning Vendor (ASV).
- Level 2: 1 million to 6 million transactions per year. Requires an annual Self-Assessment Questionnaire (SAQ) and quarterly ASV network scans.
- Level 3: 20,000 to 1 million e-commerce transactions per year. Requires an annual SAQ and quarterly ASV scans.
- Level 4: Fewer than 20,000 e-commerce transactions, or up to 1 million transactions per year across all channels (card-present included). Requires an annual SAQ and quarterly ASV scans; the exact validation requirements are set by the merchant's acquiring bank.
The 12 Requirements for Card Issuers
To maintain our Level 1 compliance and safely issue branded cards for our clients, we strictly adhere to the 12 core PCI DSS requirements.
1. Build and Maintain a Secure Network
- Requirements 1 & 2: Vrtx must maintain network security controls (firewalls, security groups and segmented VPCs) that isolate its API endpoints and transaction processing engines from untrusted networks and from the rest of its own estate, and must replace vendor-supplied defaults (passwords, sample accounts, SNMP community strings, open ports) with hardened, documented configurations on every system component, cloud resource and database in scope.
2. Protect Account Data (The Most Critical Area)
- Requirement 3 (Stored Data): As the issuer, Vrtx necessarily holds the generated PANs and related card data. PCI DSS requires that stored PAN be rendered unreadable wherever it is kept, using strong cryptography with documented key management (keys typically generated and protected in Hardware Security Modules), keyed one-way hashing, truncation or index tokens, so that raw card numbers never rest in plain text. PAN shown on screens must be masked to at most the first six and last four digits, and only staff with a documented business need may see the full number. Sensitive authentication data such as CVV2/CVC2 may not be retained after authorisation by merchants at all; issuers and companies supporting issuing services may keep it only where there is a legitimate business justification and it is protected under the same controls as the PAN.
- Requirement 4 (Transmitted Data): All cardholder data moving over open, public networks, between Vrtx's servers, the card networks (Visa/Mastercard) and your app via the APIs/SDKs, must be protected with strong cryptography: TLS 1.2 or higher with strong cipher suites and proper certificate validation, with SSL and early TLS disabled, and PAN never sent over end-user messaging channels such as e-mail or chat.
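To make the Requirement 3 storage rules concrete, here is a small tokenization vault written for this page; it is an added illustration, not Vrtx's code or SDK. It assumes a 32-byte AES key handed to the process (in a real CDE that key would be generated and wrapped by an HSM or KMS, and the record store would be a database rather than a map), accepts only Luhn-valid PANs, encrypts each PAN with AES-256-GCM with the random token bound in as associated data so a record cannot be swapped under another token, and exposes a masking helper that yields the first-six/last-four form PCI DSS permits for display. The test PAN and the key are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Vault is an in-memory tokenization vault for illustration only: the key lives in
// process so the example runs stand-alone. A production CDE would wrap the
// data-encryption key in an HSM or KMS and keep the records in a database.
type Vault struct {
	aead    cipher.AEAD       // AES-256-GCM under the data-encryption key
	byToken map[string][]byte // token -> nonce || ciphertext
}

// NewVault takes a 32-byte AES key (assumed here to be delivered from an HSM/KMS).
func NewVault(dek []byte) (*Vault, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, byToken: map[string][]byte{}}, nil
}

// Luhn reports whether pan is 13-19 digits with a valid check digit, so that
// malformed input is rejected before it is ever encrypted and stored.
func Luhn(pan string) bool {
	if len(pan) < 13 || len(pan) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		if pan[i] < '0' || pan[i] > '9' {
			return false
		}
		d := int(pan[i] - '0')
		if double {
			d = d*2%10 + d*2/10 // digit sum of 2d, i.e. 2d-9 when 2d > 9
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Mask renders a Luhn-valid PAN for display as PCI DSS permits: at most the
// first six and last four digits, everything else replaced.
func Mask(pan string) string {
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// Tokenize stores the PAN unreadable (AES-GCM with a random nonce prefixed to the
// ciphertext and the token bound in as AAD) and returns an opaque random token
// that is safe to keep in ordinary application databases and logs.
func (v *Vault) Tokenize(pan string) (string, error) {
	if !Luhn(pan) {
		return "", errors.New("invalid PAN")
	}
	nonce, raw := make([]byte, v.aead.NonceSize()), make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := "tok_" + hex.EncodeToString(raw)
	v.byToken[tok] = v.aead.Seal(nonce, nonce, []byte(pan), []byte(tok))
	return tok, nil
}

// Detokenize returns the full PAN. Gate it behind Requirement 7 authorisation and
// write every call to the Requirement 10 audit log; most callers only need Mask.
func (v *Vault) Detokenize(tok string) (string, error) {
	ct, ok := v.byToken[tok]
	if !ok {
		return "", errors.New("unknown token")
	}
	ns := v.aead.NonceSize()
	pt, err := v.aead.Open(nil, ct[:ns], ct[ns:], []byte(tok))
	if err != nil {
		return "", err // tampered, swapped or mis-keyed record
	}
	return string(pt), nil
}

func main() {
	dek := make([]byte, 32) // constructed key for the demo
	rand.Read(dek)
	v, _ := NewVault(dek)
	tok, _ := v.Tokenize("4111111111111111") // constructed test PAN
	pan, _ := v.Detokenize(tok)
	fmt.Println(tok, Mask(pan))
}
```

The token is random rather than derived from the PAN, so it carries no information about the card; if you need to find an existing token for a PAN without decrypting every record, add a lookup index keyed by an HMAC of the PAN under a second, separately managed key, which is the "keyed one-way hash" PCI DSS allows.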
3. Maintain a Vulnerability Management Program
- Requirements 5 & 6: Vrtx must protect its developer-first APIs, SDKs and internal systems against malware (anti-malware on all commonly affected systems, kept current and unable to be disabled by users) and against newly discovered vulnerabilities. This means a documented secure software development lifecycle, secure coding practices that address the common classes of web vulnerability (the OWASP Top 10, such as injection and broken access control), code review before release, risk-ranked vulnerability management with critical and high patches applied within one month of release, and change control for everything in the CDE.
4. Implement Strong Access Control Measures
- Requirements 7, 8 & 9: Vrtx applies a zero-trust model to its Cardholder Data Environment (CDE). Access is granted on a least-privilege, need-to-know basis (Requirement 7), every user has a unique identity and all access into the CDE, as well as all administrative access, requires Multi-Factor Authentication (Requirement 8). Any physical data centres housing its servers (often subject to Saudi data localisation rules under SAMA and NCA) must enforce stringent physical access controls, visitor handling and media disposal procedures (Requirement 9).
5. Regularly Monitor and Test Networks
- Requirements 10 & 11: Every API call and every access to system components and cardholder data must be written to tamper-resistant, time-synchronised audit logs that are retained (at least twelve months, three months immediately available) and reviewed, with automated monitoring to detect anomalous behaviour or fraud in near real time (Requirement 10). Vrtx must also test its APIs and issuing platform regularly: quarterly internal vulnerability scans and external ASV scans, internal and external penetration testing at least annually and after any significant change, segmentation testing, intrusion detection and change-detection on critical files (Requirement 11).
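As an added example of the Requirement 10 monitoring described above (this is illustration written for this page, not Vrtx's detection logic or log format), the block below parses a constructed JSON audit log of card-data operations and flags any API key that reveals more than a threshold of distinct cards within a sliding time window, which is the pattern a leaked integration key produces when it is used to scrape card data. The field names, the "card.reveal" action name and the sample records are all assumptions made for the example; note that the log carries card tokens, never PANs, so the log store itself does not become a place where cardholder data rests.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// AuditEvent is one record of the JSON audit log this example assumes is written
// for every privileged card-data operation. It carries the card token, never the PAN.
type AuditEvent struct {
	Time     time.Time `json:"time"`
	Action   string    `json:"action"` // e.g. "card.reveal", "card.create"
	APIKeyID string    `json:"api_key_id"`
	CardTok  string    `json:"card_token"`
	SourceIP string    `json:"source_ip"`
}

// Alert is raised when one API key reveals too many distinct cards too quickly.
type Alert struct {
	APIKeyID   string
	Distinct   int
	Start, End time.Time
}

// SampleLog is constructed for the example: one well-behaved integration (key_app1)
// and one key (key_app2) that reveals six different cards in 25 seconds.
var SampleLog = []string{
	`{"time":"2024-05-01T10:00:00Z","action":"card.reveal","api_key_id":"key_app1","card_token":"tok_a1","source_ip":"203.0.113.10"}`,
	`{"time":"2024-05-01T10:04:00Z","action":"card.reveal","api_key_id":"key_app1","card_token":"tok_a2","source_ip":"203.0.113.10"}`,
	`{"time":"2024-05-01T10:09:00Z","action":"card.reveal","api_key_id":"key_app1","card_token":"tok_a1","source_ip":"203.0.113.10"}`,
	`{"time":"2024-05-01T10:20:00Z","action":"card.reveal","api_key_id":"key_app2","card_token":"tok_b1","source_ip":"198.51.100.7"}`,
	`{"time":"2024-05-01T10:20:05Z","action":"card.reveal","api_key_id":"key_app2","card_token":"tok_b2","source_ip":"198.51.100.7"}`,
	`{"time":"2024-05-01T10:20:10Z","action":"card.reveal","api_key_id":"key_app2","card_token":"tok_b3","source_ip":"198.51.100.7"}`,
	`{"time":"2024-05-01T10:20:15Z","action":"card.reveal","api_key_id":"key_app2","card_token":"tok_b4","source_ip":"198.51.100.7"}`,
	`{"time":"2024-05-01T10:20:20Z","action":"card.reveal","api_key_id":"key_app2","card_token":"tok_b5","source_ip":"198.51.100.7"}`,
	`{"time":"2024-05-01T10:20:25Z","action":"card.reveal","api_key_id":"key_app2","card_token":"tok_b6","source_ip":"198.51.100.7"}`,
	`{"time":"2024-05-01T10:20:30Z","action":"card.create","api_key_id":"key_app2","card_token":"tok_b7","source_ip":"198.51.100.7"}`,
}

// ParseLog decodes newline-delimited JSON audit records.
func ParseLog(lines []string) ([]AuditEvent, error) {
	events := make([]AuditEvent, 0, len(lines))
	for _, l := range lines {
		var e AuditEvent
		if err := json.Unmarshal([]byte(l), &e); err != nil {
			return nil, fmt.Errorf("bad audit record %q: %w", l, err)
		}
		events = append(events, e)
	}
	return events, nil
}

// DetectRevealBurst flags every API key that reveals more than threshold distinct
// card tokens within any span of length window (a sliding window over the key's
// reveal events sorted by time). At most one alert per key per run.
func DetectRevealBurst(events []AuditEvent, window time.Duration, threshold int) []Alert {
	byKey := map[string][]AuditEvent{}
	for _, e := range events {
		if e.Action == "card.reveal" {
			byKey[e.APIKeyID] = append(byKey[e.APIKeyID], e)
		}
	}
	keys := make([]string, 0, len(byKey))
	for k := range byKey {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic output order
	var alerts []Alert
	for _, k := range keys {
		evs := byKey[k]
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		seen := map[string]int{} // token -> occurrences inside the window
		lo := 0
		for hi := range evs {
			seen[evs[hi].CardTok]++
			for evs[hi].Time.Sub(evs[lo].Time) > window { // slide the left edge
				seen[evs[lo].CardTok]--
				if seen[evs[lo].CardTok] == 0 {
					delete(seen, evs[lo].CardTok)
				}
				lo++
			}
			if len(seen) > threshold {
				alerts = append(alerts, Alert{k, len(seen), evs[lo].Time, evs[hi].Time})
				break
			}
		}
	}
	return alerts
}

func main() {
	events, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range DetectRevealBurst(events, time.Minute, 5) {
		fmt.Printf("ALERT %s revealed %d distinct cards between %s and %s\n",
			a.APIKeyID, a.Distinct, a.Start.Format(time.RFC3339), a.End.Format(time.RFC3339))
	}
}
```

The threshold and window are the tuning knobs: set them from the per-integration baseline observed in your own logs rather than from a fixed number, and route an alert to incident response with the source IP attached so the key can be revoked while the investigation runs.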
6. Maintain an Information Security Policy
- Requirement 12: Vrtx must maintain and enforce company-wide information security policies, perform an annual risk assessment, run a third-party (vendor) risk management programme that tracks which PCI DSS requirements each provider covers, keep a tested incident response plan, and ensure all employees complete security awareness training on joining and at least annually.
How Vrtx's Compliance Benefits You
As our client, Vrtx's compliance is a significant advantage for your business: it lets you work under a shared responsibility model in which Vrtx carries the controls for the systems that actually hold card data.
By using Vrtx's developer SDKs and APIs, you work with tokens rather than card numbers. When your user views a newly issued virtual card in your app, the raw card data is fetched directly from Vrtx's compliant servers and rendered in a secure widget served from Vrtx's environment. Because the raw Primary Account Number (PAN) never traverses, is cached by, or rests on your company's backend servers, your own PCI DSS scope is drastically reduced (often down to a simple SAQ A assessment), saving you significant time, risk and audit cost. Two caveats a practitioner should keep in mind: the reduction holds only as long as your systems never proxy, log or store the PAN (a backend endpoint that forwards card data to your frontend, or a debug log that captures the widget's response, puts those systems straight back into scope), and the SAQ you are eligible for is ultimately agreed with your acquiring bank or the relevant card brand, so confirm the scope with them rather than assuming it.