
PCI

Financial institutions and businesses handling payment card data are required to comply with the Payment Card Industry (PCI) Data Security Standard (DSS). Virtru's encryption and key management capabilities enable organizations to securely handle payment card information while maintaining PCI DSS compliance.

Current Certification Status & Roadmap

We are actively working toward PCI DSS certification, with completion targeted for 2025 as part of our comprehensive compliance program. Virtru already maintains FedRAMP Moderate authorization and SOC 2 Type 2 certification, demonstrating our commitment to the highest security standards.

Understanding PCI DSS Requirements and Virtru's Role

Encryption and Data Protection

Virtru's client-side encryption ensures payment card data is protected before it ever leaves your environment. Our architecture provides:

  • Separation of encrypted data and encryption keys
  • Customer-controlled key management through Virtru Private Key Store (VPKS), so that no third party, including Virtru, holds both the encrypted PCI data and the keys needed to decrypt it
  • Data Loss Prevention (DLP) capabilities to ensure that PCI data never leaves the PCI environment unencrypted
  • Secure sharing capabilities that maintain data protection even when sharing outside the PCI environment
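The key/data split in the list above can be shown in a few dozen lines. The following is an added illustration written for this page, not Virtru's own code, protocol or file format: the `CustomerKeyStore` type stands in for a customer-controlled key store and the function names are hypothetical. The service stores only ciphertext plus a data key wrapped under a customer-held key-encryption key (KEK), so a party holding the stored object and any KEK other than the customer's cannot recover the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedObject is everything the service-side store is allowed to hold:
// the ciphertext and the data-encryption key (DEK) wrapped under a KEK the
// service does not possess.
type EncryptedObject struct {
	Ciphertext []byte // AES-256-GCM over the cardholder data, nonce prepended
	WrappedDEK []byte // AES-256-GCM over the DEK under the customer KEK, nonce prepended
}

// CustomerKeyStore is a hypothetical stand-in for a customer-controlled key
// store. The KEK is generated here and is never returned to a caller.
type CustomerKeyStore struct {
	kek []byte
}

func NewCustomerKeyStore() (*CustomerKeyStore, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &CustomerKeyStore{kek: kek}, nil
}

// seal encrypts with AES-256-GCM and prepends the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; the GCM tag check rejects a wrong key or any tampering.
func open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// Wrap and Unwrap are the only operations the key store exposes.
func (k *CustomerKeyStore) Wrap(dek []byte) ([]byte, error) { return seal(k.kek, dek) }
func (k *CustomerKeyStore) Unwrap(w []byte) ([]byte, error) { return open(k.kek, w) }

// EncryptClientSide runs where the cardholder data lives: a fresh DEK is
// generated, the data is encrypted locally, and the DEK is wrapped by the
// customer's key store. Only ciphertext and the wrapped DEK leave.
func EncryptClientSide(ks *CustomerKeyStore, plaintext []byte) (EncryptedObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return EncryptedObject{}, err
	}
	ct, err := seal(dek, plaintext)
	if err != nil {
		return EncryptedObject{}, err
	}
	wrapped, err := ks.Wrap(dek)
	if err != nil {
		return EncryptedObject{}, err
	}
	return EncryptedObject{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// DecryptClientSide is the authorized path: unwrap the DEK through the
// customer's key store, then decrypt locally. Without that key store the
// first step fails and the ciphertext stays opaque.
func DecryptClientSide(ks *CustomerKeyStore, obj EncryptedObject) ([]byte, error) {
	dek, err := ks.Unwrap(obj.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, obj.Ciphertext)
}

func main() {
	ks, _ := NewCustomerKeyStore()
	record := []byte("PAN=4111111111111111;EXP=12/29;NAME=J DOE") // constructed sample, not real data
	obj, _ := EncryptClientSide(ks, record)
	pt, err := DecryptClientSide(ks, obj)
	fmt.Println("authorized decrypt ok:", err == nil && bytes.Equal(pt, record))
	other, _ := NewCustomerKeyStore() // a different party's KEK, e.g. the service's own
	_, err = DecryptClientSide(other, obj)
	fmt.Println("decrypt without the customer KEK fails:", err != nil)
	fmt.Println("PAN absent from stored object:", !bytes.Contains(obj.Ciphertext, []byte("4111")))
}
```

The stored object is useless on its own, and because both layers are authenticated (GCM), a modified ciphertext or wrapped key is rejected rather than silently decrypting to garbage. In a real deployment the KEK would live in an HSM or managed key service and Wrap/Unwrap would be the only remote calls, which is what keeps the key out of the service's reach.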

Third-Party Service Provider Requirements

Although Virtru's client-side encryption can be deployed so that Virtru itself is unable to decrypt PCI data, Virtru still plays a role in data protection as a third-party service provider (TPSP).

Virtru's current status as a non-certified TPSP does not prevent organizations from adopting Virtru in a PCI environment. Requirement 12.8 addresses TPSP security, and the PCI DSS states:

Requirement 12.8 does not specify that the customer’s TPSPs must be PCI DSS compliant, only that the customer monitors their compliance status as specified in the requirement. Therefore, a TPSP does not need to be PCI DSS compliant for its customer to meet Requirement 12.8.

The customer remains responsible for managing the TPSP relationship with Virtru and for ensuring that the controls applicable to the service provided are implemented appropriately. When a TPSP does not have a PCI DSS Attestation of Compliance (AOC) and Report on Compliance (ROC), the PCI DSS states:

…the TPSP is expected to provide specific evidence related to the applicable PCI DSS requirements, so that the customer (or its assessor) is able to confirm that the TPSP is meeting those PCI DSS requirements.

Virtru has a comprehensive information security program that aligns closely with PCI DSS. We have demonstrated the maturity of that program through FedRAMP Moderate authorization, which is based on the NIST SP 800-53 Revision 5 control baseline, and through a SOC 2 Type 2 report. These programs require stringent access, networking, secure development, vulnerability management, key management, and contingency planning controls, which are the controls Virtru is responsible for in its role as a TPSP in a customer's cardholder data environment.

Virtru is always willing to work with a customer to fill any perceived gaps in control evidence from FedRAMP and SOC 2 reports based on their use case in a PCI environment.