While it is not mandatory for online identity verification providers to comply with PCI DSS, consider the value of the data they are handling: legitimate government-issued IDs (e.g., passports and driver’s licenses). Criminals purchase images of these documents on the dark web and can inflict considerable damage with them, including opening new credit cards or getting a loan in the victim’s name. This means that online identity verification vendors are processing a great deal of valuable personally identifiable information (PII) that must be managed appropriately and strictly protected from potential data breaches.
PCI defines a 12-step process that vendors must follow to demonstrate they are taking the necessary measures to prevent unauthorized access to, or compromise of, their cardholder data environment (CDE). Failure to meet PCI compliance requirements can expose a retailer to substantial penalties, which can exceed $500,000 depending on the volume of transactions processed.
Put simply, your identity verification provider should have a valid PCI-DSS Level 1 certificate. Requesting proof of this certificate will give you the assurance that their practices are up-to-date and validated by a reliable third party.
Jumio is PCI DSS Level 1 compliant. We regularly conduct security audits, vulnerability scans and penetration tests to ensure compliance with security best practices and standards. To demonstrate PCI compliance, a yearly on-site validation assessment is carried out by a Qualified Security Assessor (QSA). Jumio applies the security controls established to achieve PCI compliance to PII data as well, since it is of comparable sensitivity, and has extended the scope of those controls to cover and protect all systems used to transmit, process and store PII data.
Jumio extracts, redacts (masks) and stores payment processors' credit card information while adhering to PCI DSS, reducing customers’ internal processing and operational costs. Because Jumio complies with PCI DSS's strict information security requirements, our customers can have greater confidence that their data — whether it's payment card data, PII or government-issued IDs — is handled in a secure manner throughout its lifetime.