Security & compliance

PCI DSS Compliance Information

Use this reference to explain the PCI DSS pillars your organization and LakiPay jointly follow. It’s designed for auditors, risk teams, and executives.

Scope & Segmentation

  • Identify all systems that store, process, or transmit cardholder data. Keep them segmented from the rest of your network.
  • Use dedicated VLANs or VPCs for card-processing services and restrict east-west traffic aggressively.
  • Document data flows so your auditors can see which components form the cardholder data environment (CDE).
  • Leverage LakiPay’s tokenization to reduce the amount of data that ever touches your infrastructure.

Secure Storage and Transport

  • Encrypt data in transit with TLS 1.2+ and at rest using strong algorithms (AES-256).
  • Rotate keys and certificates automatically. Access to secrets must require MFA and short-lived sessions.
  • Do not store sensitive authentication data (full PAN, CVV) after authorization.
  • Log access to card data and pipe logs to a tamper-resistant SIEM.

Monitoring & Testing

  • Run quarterly vulnerability scans and annual penetration tests that cover the entire CDE.
  • Monitor file integrity, configuration changes, and privileged sessions in real time.
  • Maintain intrusion detection/prevention and respond to alerts within documented SLAs.
  • Track third-party service providers to ensure they maintain PCI DSS validation.

Merchant Responsibilities

  • Complete the appropriate Self-Assessment Questionnaire (SAQ) or work with a Qualified Security Assessor (QSA).
  • Retain Attestation of Compliance (AOC) documentation and provide it to partners when requested.
  • Train staff annually on handling cardholder data, social engineering, and secure development practices.
  • Align refund, dispute, and support workflows with PCI logging requirements.

Need proof for partners?

Contact our support team to request the latest Attestation of Compliance (AOC). Pair it with the Security Overview when responding to due-diligence questionnaires.