They're an integrateable payment API. Basically they handle all the security junk, connect to your payment gateway of choice, and you don't have to be concerned about storing credit card details for your customers.
This is somewhat misleading - a successful vulnerability scan isn't enough to say whether Spreedly is PCI DSS compliant.
Vulnerability scanning is just one component of PCI compliance - others include an audit of your architecture, security training, risk assessment, and much more.
That said, we passed the Level 1 PCI audit, which is the highest level. The lower levels may have somewhat relaxed requirements.
edit: I should also mention that we compete with Spreedly
Spreedly has fulfilled all the requirements of SAQ D. The compliance status is not just the result of vulnerability scanning. https://spreedly.com/info/faq/
Thanks for clarifying, seregine. You're correct that a successful vulnerability scan is not conclusive evidence of compliance with the PCI DSS. It's one of the many components of meeting compliance with the PCI DSS. Many requirements are taken into consideration as part of any individual organization's compliance with the PCI DSS.
The Payment Card Industry Data Security Standard (PCI DSS) is an industry standard for anyone who stores, processes or transmits cardholder data (think: credit card numbers). The standard itself covers 12 key requirements for protecting cardholder data with many sub-requirements under each section.
All organizations that store, process, or transmit cardholder data are required to be compliant with the PCI DSS. Based on certain elements, primarily including transaction volume, will determine an organizations "level". Every level is required to comply with the same requirements, but each level may have a different requirement to validate their compliance. Typically, larger organizations are required to have an onsite audit conducted and smaller organizations are able to self-assess.
false inference. pci dss is largely about internal process, not visible to the outside.
passing a security scan doesn't mean you're pci dss compliant. of the 12 requirements of pci dss, only 1 is even partially met by successfully passing an external scan.
9 comments
[ 3.5 ms ] story [ 35.4 ms ] threadhttps://www.pcisecuritystandards.org/security_standards/pci_...
They're an integrateable payment API. Basically they handle all the security junk, connect to your payment gateway of choice, and you don't have to be concerned about storing credit card details for your customers.
Vulnerability scanning is just one component of PCI compliance - others include an audit of your architecture, security training, risk assessment, and much more.
That said, we passed the Level 1 PCI audit, which is the highest level. The lower levels may have somewhat relaxed requirements.
edit: I should also mention that we compete with Spreedly
Disclosure: I'm a Spreedly co-founder.
The Payment Card Industry Data Security Standard (PCI DSS) is an industry standard for anyone who stores, processes or transmits cardholder data (think: credit card numbers). The standard itself covers 12 key requirements for protecting cardholder data with many sub-requirements under each section.
All organizations that store, process, or transmit cardholder data are required to be compliant with the PCI DSS. Based on certain elements, primarily including transaction volume, will determine an organizations "level". Every level is required to comply with the same requirements, but each level may have a different requirement to validate their compliance. Typically, larger organizations are required to have an onsite audit conducted and smaller organizations are able to self-assess.
passing a security scan doesn't mean you're pci dss compliant. of the 12 requirements of pci dss, only 1 is even partially met by successfully passing an external scan.
https://seal.403labs.com/seal/verify/www.yahoo.com
They seem to think yahoo.com is "Precision Underground Locators LLC".