
PCI compliance

It's no rocket science
This chapter is all about PCI compliance. The complexity of PCI compliance is often exaggerated, and that exaggeration has produced closed systems and walled gardens. Of course, PCI compliance is not a one-time exercise: it requires ongoing time and effort. But it is no rocket science either.

We intend to simplify PCI compliance from first principles. We have also open-sourced our PCI-certified card vault application code along with the deployment scripts, which you can self-host.
By the time you complete this guide, you will be running a PCI-compliant card vault on your own server and will be ready to pursue PCI certification.

PCI Compliance - Why and What?

The current payment networks are built on a chain of trust between banks, card networks, payment processors and merchants. The result is that "everyone needs to take responsibility" for the secure handling of card information.
PCI compliance is neither defined nor enforced by any government body. It is a set of standards created by the Payment Card Industry Security Standards Council.
The Payment Card Industry Security Standards Council (PCI SSC) is an independent body created by the card networks in 2006. It publishes and maintains the PCI security standards. Enforcement of these standards, however, falls to the card networks and payment processors.