
PCI DSS Compliance

Discover the value of PCI DSS compliance for your online customer identity verification program, and how to achieve it.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements developed to protect sensitive card data during and after a financial transaction and “to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.”

Who is Impacted?

PCI DSS requirements apply to all entities involved in payment card processing — including merchants, e-commerce brands, processors, acquirers, issuers and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data and/or sensitive authentication data. That is, the standard applies to all organizations that hold, process or pass cardholder information from any card branded with the logo of one of the card brands.

How to Know if Your Identity Verification Solution is PCI DSS Compliant

While it is not mandatory for online identity verification providers to comply with PCI DSS, consider the value of the data they are handling: legitimate government-issued IDs (e.g., passports and driver’s licenses). Criminals purchase images of these documents on the dark web and can inflict considerable damage with them, including opening new credit cards or getting a loan in the victim’s name. This means that online identity verification vendors are processing a great deal of valuable personally identifiable information (PII) that must be managed appropriately and strictly protected from potential data breaches.

PCI DSS defines 12 requirements that vendors must meet to demonstrate they are taking the necessary measures to prevent unauthorized access to, or compromise of, their cardholder data environment (CDE). Failure to meet PCI compliance requirements could expose a retailer to substantial penalties, which can exceed $500,000, depending on the volume of transactions processed.

Put simply, your identity verification provider should hold a valid PCI DSS Level 1 certificate. Requesting proof of this certificate gives you assurance that their practices are current and have been validated by an independent third party.

How Jumio Can Help

Jumio is PCI DSS Level 1 compliant. We regularly conduct security audits, vulnerability scans and penetration tests to ensure compliance with security best practices and standards. To demonstrate PCI compliance, a yearly on-site validation assessment is carried out by a Qualified Security Assessor (QSA). Jumio applies the security controls established to achieve PCI compliance to PII data as well, which is of comparable sensitivity, and has extended the scope of those controls to cover and protect all systems used to transmit, process and store PII data.

Jumio extracts, redacts (masks) and stores credit card information on behalf of payment processors while adhering to PCI DSS, reducing customers’ internal processing and operational costs. Because Jumio complies with PCI DSS's strict information security requirements, our customers can have greater confidence that their data — whether it's payment card data, PII or government-issued IDs — is handled securely throughout its lifetime.

PCI DSS FAQs

1. Yes, PCI DSS requirements do involve multi-factor authentication. According to the PCI SSC, all remote access to the cardholder data environment (CDE) must be protected with multi-factor authentication.

2. The PCI DSS standards are set by the PCI Security Standards Council (PCI SSC), which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. The standards mandate strong access control measures for stored cardholder data and strict access management rules. They are also intended to counter malware, fraudsters and other cybercriminals.

3. To remain compliant with PCI DSS requirements, a business needs to perform a vulnerability scan on its secure network once every 90 days. Because the system stores sensitive data, a scanning tool must be used to identify security weaknesses in the system components. The scan must be carried out by an Approved Scanning Vendor (ASV) or a Qualified Security Assessor (QSA) to assess the security system’s functionality and vulnerability management.

Get Started

Let a Jumio expert show you how easy it can be to integrate our automated identity proofing solutions into your existing processes.