Imeongezwa kwa Kikapu

PCI DSS Compliance at Ubuy

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security guidelines designed to ensure that organisations handling card information maintain a secure environment. It's not a one-time certification but an ongoing process requiring continuous validation.

How Does PCI DSS Apply to Ubuy?

Ubuy does not store, process, or transmit cardholder data. However, we leverage a third-party payment processor to handle all sensitive cardholder data (CHD) transactions. This minimises Ubuy's involvement with CHD, reducing our PCI DSS scope.

Here's a breakdown of Ubuy's PCI DSS strategy:

  • Ubuy integrates with a PCI DSS-validated third-party payment processor. This ensures CHD never touches Ubuy's systems, eliminating the need for us to store, process, or transmit it.
  • Ubuy secure iframes isolate the payment process within the authorised payment processor's environment, further minimising potential vulnerabilities within Ubuy's infrastructure.
  • Due to our reliance on a validated third-party processor and the absence of CHD on our systems, Ubuy qualifies for a PCI SAQ-A self-assessment. This approach confirms our PCI DSS scope.

Our Approach to PCI Compliance

Due to our reliance on external processors, Ubuy qualifies for a PCI Self-Assessment Questionnaire (SAQ) specifically designed for merchants like us: SAQ-A. This self-assessment confirms we meet the criteria for:

  • Card-not-present merchants (e-commerce)
  • Full outsourcing of cardholder data functions to validated third-party providers
  • Our systems do not store, process, or transmit cardholder data electronically.

To ensure the integrity of our compliance efforts, you can utilise a bespoke verification portal at https://cybersigmacs.com/ to verify our Certificate Number: CSNL1PCI8840.

Important to Note:

Ubuy's PCI DSS compliance solely applies to the current processing of customer payments via our integrated and tokenised payment gateway. We also offer resources to help customers achieve their own PCI DSS compliance goals, such as best practice guides and recommendations for selecting compliant third-party storage providers.

  • User Consent: We prioritise transparency and obtain user consent before collecting any data. This includes transactional details and, when necessary, identity proof for regulatory compliance.
  • PCI DSS Compliance: Ubuy's PCI DSS compliance solely applies to the current processing of customer payments via our integrated and tokenised payment gateway. We leverage a validated third-party processor to ensure the highest level of security for your sensitive cardholder data (CHD).
  • Our Data Collection Practices: By prioritising user consent and focusing on the data we truly need to operate, we achieve several security and compliance advantages.
    • Transactional Data: We collect details necessary to complete transactions securely, such as billing addresses and order information (excluding payment details). This information is essential to process your orders and fulfil your requests.
    • Identity Proof (Optional): In accordance with regulations in specific countries, we may request identity proof for certain transactions. The type of proof required will depend on local laws. We store this information securely and only use it for verification purposes.

Tokenisation: Implementing tokenisation, a process that replaces sensitive CHD with unique identifiers (tokens), reduces the amount of data we need to store and transmit, minimising the attack surface.

Security Measures: To ensure the ongoing security of your data, we implement the following measures:

    • Regular Security Patching: We maintain a rigorous program for applying security patches to our systems, promptly addressing newly discovered vulnerabilities.
    • Secure Coding Practices: We encourage secure coding practices to minimise vulnerabilities during software development, proactively reducing the risk of exploitation.
    • We utilise industry-standard AES-256 CBC encryption to safeguard communication between our platform and the validated payment processor.

Benefits of this Approach: By outsourcing CHD processing and focusing on user consent and data minimisation, we achieve several security and compliance advantages.

    • Enhanced Security: By outsourcing CHD processing, we leverage the expertise and robust security measures of a validated payment processor.
    • Reduced Scope: Ubuy's PCI DSS scope has decreased significantly, simplifying compliance efforts.
    • Streamlined Operations: Utilising iframes and a self-assessment questionnaire minimises the complexity of maintaining PCI DSS compliance.

 

Disclaimer:

Ubuy continuously monitors and updates its security practices. This information reflects our current approach to PCI DSS compliance and is subject to change in the future.

Looking for More Information?

We recommend visiting the PCI Security Standards Council website for further details: https://www.pcisecuritystandards.org/