The Payment Card Industry (PCI) Data Security Standard (DSS) is an information security standard defined by the Payment Card Industry Security Standards Council. PCI certification is required for organizations (merchants and service providers) that process credit card payments. The certification is designed to prevent credit card fraud through increased controls around data and its exposure to compromise. The standard applies to all organizations which hold, process, or exchange cardholder information from any card branded with the logo of one of the card brands.
PCI-DSS is a standard that specifies best practices and various security controls. Certification in the standard requires organizations to:
All organizations processing credit card information, regardless of their deployment model, are required to be certified. For larger merchants (Merchant Level 1 is the largest type; Joyent is Level 1), validation by an independent and approved reviewer is required. A PCI Qualified Security Assessor (QSA) is authorized to perform an independent assessment and certify a vendor.
Service providers are organizations that process, store, or transmit cardholder data on behalf of clients, merchants, or other service providers. They may include shared hosting environments in which cardholder data may be stored. Certified credit card merchants must use service providers that are compliant with the PCI Data Security Standard (DSS). A validated service provider is one that has undergone an audit by an independent QSA and is found to be in conformity with the PCI security standards outlined in the latest version of the Data Security Standard published by PCI. Joyent is a PCI service provider for scenarios in which a merchant processes, stores, and/or transmits credit card data on the Joyent infrastructure.
The Joyent core infrastructure and services listed below are PCI DSS 2.0 compliant. This compliance has been validated by an authorized independent Qualified Security Assessor.
PCI “certification” is a term reserved for those merchants who require certification to process credit card transactions. Joyent, as a service provider, does not directly manage a cardholder data environment (and therefore, unlike merchants, does not require certification). Joyent provides a secure environment that has been validated by a QSA, allowing merchants to establish a secure cardholder environment and to achieve their own certification, having confidence that their underlying technology infrastructure is compliant. Achieving PCI DSS 2.0 Validated Service Provider status for Joyent helps our customers obtain their own PCI certification.
Service provider levels are defined as:
• Level 1: Any service provider that stores, processes and/or transmits over 300,000 transactions annually
• Level 2: Any service provider that stores, processes and/or transmits less than 300,000 transactions annually
Joyent has been validated as a Level 1 Service Provider by an independent Qualified Security Assessor (QSA).
Services that support the processing, storage, and transmission of credit card data by a merchant or service provider have been validated as being compliant with PCI standards. These services include:
The scope of the Joyent Cloud PCI compliance for the services defined above applies to all Joyent Cloud data center locations.
Our PCI Service Provider status means that customers who use our services to store, process or transmit cardholder data can rely on our PCI compliance validation for the technology infrastructure as they manage their own compliance and certification, including PCI audits and responses to incidents. Our service provider compliance covers all requirements as defined by PCI DSS for physical infrastructure service providers. Moving the entire cardholder environment to Joyent can simplify your own PCI compliance by relying on our validated service provider status. If your QSA needs additional supporting information, please contact us.
Our PCI compliance further demonstrates our commitment to information security at every level. Compliance with the DSS standard, validated by an independent third-party audit, confirms that our security management program is comprehensive and follows leading practices. This validation provides more clarity and assurance for customers evaluating the breadth and strength of our security practices.
All merchants manage their own PCI certification. For the portion of the PCI cardholder environment deployed in Joyent, your QSA can rely on our validated service provider status, but you will still be required to satisfy all other PCI compliance and testing requirements, including how you manage the cardholder environment that you host with Joyent.
For customers pursuing PCI certification, upon request, Joyent will provide the authoritative QSA’s AOC document. The AOC is a simple high-level attestation of compliance with a description of the business and scope.
No. Joyent conducts PCI compliance assessments separately from other compliance initiatives. PCI assessors are not required to rely on Service Organization Control (SOC 1) reports to complete their certification evaluation or testing; Joyent can provide formal PCI documentation upon request.
No. The Joyent environment is a virtualized, multi-tenant environment. Joyent has implemented security management processes, PCI controls, and other compensating controls that effectively and securely segregate each customer into its own protected environment.
No. The entire Joyent Public Cloud infrastructure is compliant and there is no separate environment or special API to use. Any server or data object deployed in or using these services is in a PCI compliant environment, globally.
Yes. You can download the standard directly from the PCI Security Standards Council.