CERTIFICATION · PCI DSS
Independent QSA assessment completed across all control domains
Shufti holds PCI DSS certification assessed by a qualified security assessor (QSA), an independent, PCI Council-approved auditor who validated Shufti controls through evidence review, technical testing, and interviews. When you integrate Shufti, you are integrating a platform independently audited against the same standard your own card-processing infrastructure must meet.
What PCI DSS Is
PCI DSS (Payment Card Industry Data Security Standard) is a global security standard governing any organisation that stores, processes, or transmits payment card data. It is enforced by the PCI Security Standards Council and covers 12 requirements across 6 security domains. Two versions matter for Shufti integrations.
The 12 Control Requirements
Network security, data protection, vulnerability management, access control, monitoring, and information security policy. A QSA validates each domain against live production evidence: firewall configurations, encryption implementations, access logs, patch records, penetration test results, and incident response procedures.
PCI DSS 4.0 (March 2025)
PCI DSS 4.0 added requirements many platforms are still catching up on: MFA enforcement for all cardholder data environment access, enhanced audit logging, and targeted risk analysis. These requirements became mandatory in March 2025. Shufti already met them ahead of the deadline; the controls were in place before they were required.
Why It Matters
If your verification workflow touches payment or financial data, and for most fintech, banking, and e-commerce deployments it does, any vendor in that pipeline without PCI DSS certification introduces compliance liability into your own cardholder data environment. A QSA assessing your infrastructure will ask about third-party vendors.
We can give your QSA our Attestation of Compliance (AoC) directly
This reduces the scope of their assessment of the Shufti integration layer: instead of your team independently validating Shufti controls, they accept the AoC as evidence. That saves time and cost in your next PCI audit cycle.
$100K/Month
Maximum PCI non-compliance fine, before forensic audit costs, which run up to $500K separately. Shufti's AoC removes us as a compliance liability in your QSA's scope.
How Shufti Maintains It
Shufti's PCI DSS Attestation of Compliance is issued by the QSA following each annual assessment. All data in transit uses TLS 1.2 minimum; all stored identity document images and biometric data use AES-256 encryption. MFA is enforced at every access point to the cardholder data environment and is auditable in the access logs reviewed during the QSA assessment.
We run quarterly vulnerability scans and annual penetration testing between QSA cycles. Evidence of both is included in the AoC documentation package.
Certification Details
Assessed by
Independent PCI Council-approved Qualified Security Assessor (QSA).
Version
PCI DSS 4.0, all 12 requirements, all 6 security domains.
Scope
Identity document processing, biometric data, and verification output pipeline.
Assessment type
Independent QSA assessment, not self-assessed.
What you get
Attestation of Compliance (AoC) available directly for your QSA on signed request.
