Payment data certifications: PCI DSS, SOC2, ISO27001

Updated on 19 Jun 2024

SDK.finance’s transactional engine software can be customized to comply with regulatory requirements in different regions. This adaptability ensures that financial institutions and businesses using the platform can effectively meet local compliance standards.

Please keep in mind that SDK.finance is a software platform and it does not handle the regulatory aspects of launching a financial technology product. Therefore, it is the responsibility of the customer to ensure regulatory compliance for their product built using SDK.finance Platform.

PCI DSS

PCI DSS (Payment Card Industry Data Security Standard) refers to a set of security standards that aim to ensure the protection of cardholder data and the secure handling of payment transactions.

Since the main databases are managed by the customers on their side, the SDK.finance software doesn’t retain any user data or cardholder information, so the PCI DSS compliance requirements are not directly applicable to the Platform.

However, SDK.finance customers can issue payment cards to their end-users in adherence to PCI DSS requirements thanks to the integration with Marqeta, a card issuing provider with PCI DSS Level 1 certification and SSAE-18 compliance.

Also, SDK.finance is currently in the process of obtaining PCI DSS certification for its code storage and development procedures.

Alternatively, customers building a product that involves payment card transactions on top of SDK.finance can implement a cardholder-data storage system that aligns with PCI DSS compliance guidelines and run it as an autonomous standalone service, with the required storage and encryption kept within their own databases.

SOC2

SOC 2 (Service Organization Control Type 2) is a cybersecurity compliance framework developed by the American Institute of Certified Public Accountants (AICPA). Its main purpose is to ensure third-party service providers securely store and process client data.

SOC 2 mainly focuses on how service providers secure customer data. Because SDK.finance does not store user data or cardholder information (customers manage their own databases), SOC 2 compliance may not directly apply to the platform in the traditional sense.

However, to ensure the security of our code storage and development practices, we are planning to pursue SOC 2 compliance in the future. This will provide independent verification of our security controls in these areas.

ISO 27001

ISO 27001 is the globally recognized standard for managing risks related to the security of information and data held by your organization. This standard ensures that customer and employee data is stored securely and complies with legal requirements such as GDPR.

SDK.finance does not store any user information or personal data itself. Instead, its customers, who own and control the databases where user information is stored, are responsible for ensuring compliance with ISO 27001 requirements.

While SDK.finance facilitates secure transactions and data handling, the direct application of ISO 27001 pertains to its customers. Nonetheless, SDK.finance is committed to pursuing ISO 27001 certification in the future to further enhance its security framework.