Announcing PCI DSS Level 1 Compliance for YugabyteDB 

We are proud to announce that YugabyteDB has achieved PCI DSS Level 1 compliance for our fully managed DBaaS offering of YugabyteDB. Level 1 is PCI’s highest level of assurance, affirming our commitment to delivering strong performance while maintaining and securing highly sensitive data.

Why is PCI DSS Important?

The Payment Card Industry Data Security Standard (PCI DSS) is a comprehensive set of security requirements developed by the PCI Security Standards Council (PCI SSC). The PCI SSC is a global industry organization created by major credit card companies such as Visa, MasterCard, and American Express. More specifically, the council develops and drives the adoption of data security standards and resources to enable safe financial payments.

“In today’s digital age, protecting sensitive financial data is non-negotiable. The Payment Card Industry Data Security Standard serves as the industry’s gold standard for safeguarding cardholder information, ensuring robust security measures are in place throughout the entire payment processing ecosystem. Achieving PCI DSS certification demonstrates a vendor’s unwavering commitment to data security, building trust with customers and partners alike.”
— Jay Duraisamy, SVP Technology, Data & Analytics at Fiserv.

PCI DSS is designed to enhance the security of cardholder data and ensure the safe handling of sensitive information during payment transactions. It consists of a set of security requirements for organizations that process, store, or transmit credit card information (either merchants or service providers), with the goal of reducing the risk of data breaches and protecting consumers and businesses from financial fraud.

What Does It Mean to Be a PCI DSS Level 1 Service Provider?

All service providers and merchants that store, transmit, or process credit card information should adhere to the PCI DSS. However, as with most other aspects of business, one size does not fit all. There are different levels of PCI DSS compliance — two for service providers and four for merchants.

For service providers* (like Yugabyte) those are:

• Level 1 for those who process over 300,000 transactions annually
• Level 2 for those who process less than 300,000 transactions annually

A PCI Level 1 designation provides the highest level of compliance. A Level 1 service provider must submit an annual Report on Compliance (ROC) completed by a Qualified Security Assessor (QSA), that assesses the company’s PCI compliance and verifies that all requirements have been met. Additionally, they must undergo quarterly network scans, conduct penetration and internal tests, and submit an Attestation of Compliance (AOC) form.

*A service provider, as defined by the PCI SSC, is a business not classified as a payment brand but involved in handling cardholder information, including transmission, storage, or processing. This also covers services affecting the security of such information.

YugabyteDB Achieves PCI DSS Level 1 Compliance

YugabyteDB’s compliance with the PCI DSS was validated by an independent Qualified Security Assessor (QSA). The assessment included a review of YugabyteDB’s technical controls as well as company policies and procedures. The independent QSA deemed that Yugabyte’s information security program was in compliance with all applicable PCI requirements.

“Reaching PCI DSS Level 1 compliance is a testament to Yugabyte’s dedication to delivering secure, enterprise-ready solutions for financial institutions, fintechs, and their end customers. By following the thorough security standards of PCI DSS, Yugabyte is well-positioned to continue leading the way for users to build applications on a modern database that delivers security, reliability, and the utmost protection of customers’ sensitive data.
— Sawyer Miller, Director of Audit & Implementation Practice, atrisk3sixty

PCI DSS compliance further strengthens Yugabyte’s existing portfolio of security certifications and attestations, which includes SOC 1,  SOC 2, and SOC 3; ISO 27001, 22301, & 9001; and CSA STAR. To learn more about YugabyteDB’s compliance certifications and attestations, visit YugabyteDB Compliance Center, or take a peek at some of the blogs we’ve written about achieving PCI DSS compliance with open-source YugabyteDB, achieving GDPR compliance with YugabyteDB, and securing YugabyteDB with server-to-server encryption in transit.

Benefits of PCI-DSS Level 1 Compliance and What It Means for YugabyteDB Users

Achieving PCI DSS compliance brings several key benefits. Here are just four:

1. Data Breach Prevention: PCI DSS compliance significantly lowers the risk of security incidents. By implementing its requirements, such as firewalls and data encryption, organizations can fortify against common vulnerabilities targeted by cyber attackers.
2. Enhanced Customer Trust: Robust data security can strengthen customer and stakeholder relationships. As the public becomes more aware of cybersecurity risks, they expect businesses to prioritize the protection of their data. Compliance with PCI DSS showcases a serious commitment to data security, boosting public confidence even in the event of a security incident.
3. Avoidance of Fines and Penalties: Non-compliance with PCI DSS can lead to substantial fines, accumulating monthly until compliance is achieved. Moreover, since PCI DSS shares similarities with GDPR, non-compliance could also imply GDPR violations, leading to even steeper penalties.
4. Alignment with Global Data Security Standards: Compliance with PCI DSS shows that your security practices are aligned with global standards set by leading payment card firms. This positions your business alongside other trusted, international entities.

YugabyteDB’s PCI-DSS certification assures security and legal teams of our database’s capability to securely store confidential customer data. This not only expedites the process of achieving system-wide PCI-DSS certification but also enhances operational efficiency by offloading software management to a provider meeting PCI-DSS standards. Additionally, YugabyteDB’s scalability, resilience, and data consistency make it an even more appealing choice.

PCI-DSS and Our Commitment to Excellence

For YugabyteDB, achieving PCI DSS compliance demonstrates our commitment to securing mission-critical workloads. We are proud to have obtained this level of compliance, as it serves as a testament to our ongoing efforts to strengthen our operations and provide unparalleled services to our customers.

To review Yugabyte’s PCI DSS Attestation of Compliance (AOC), please contact the Yugabyte Security and Compliance team.

For more information on how Yugabyte delivers end-to-end security, visit our dedicated page — Yugabyte Security and Trust Center.