PCI DSS Compliance
Zyrix maintains compliance with the Payment Card Industry Data Security Standard (PCI DSS), the security standard established by the major card networks to protect cardholder data. Our infrastructure is engineered so that sensitive card data is protected at every stage and so that merchants building on Zyrix inherit the benefits of our compliance.
1. Certification Level
Zyrix is certified as a PCI DSS Level 1 service provider—the highest level of validation under the standard—and undergoes annual assessment by a Qualified Security Assessor (QSA).
2. Cardholder Data Protection
Card data is tokenized at the point of entry and is never stored in raw form on our systems. We apply strong encryption to data in transit and at rest, and we restrict access to sensitive data on a strict need-to-know basis.
3. What Merchants Inherit
By routing card data through Zyrix's compliant infrastructure—using our hosted and embedded checkout and tokenization—merchants significantly reduce their own PCI scope and, in many integration patterns, may qualify for a simplified Self-Assessment Questionnaire (SAQ A).
4. Merchant Responsibilities
Merchants remain responsible for the security of their own systems, credentials, and any environment that touches cardholder data outside Zyrix's tokenized flow. We provide guidance to help merchants maintain their portion of the shared-responsibility model.
5. Assessments and Testing
Our program includes annual QSA assessment, quarterly vulnerability scans by an Approved Scanning Vendor (ASV), regular penetration testing, secure development practices, and continuous monitoring.
6. Additional Assurance
We complement PCI DSS with an independent SOC 2 Type II audit covering security, availability, and confidentiality controls.
7. Reporting a Vulnerability
We welcome responsible disclosure. Suspected vulnerabilities may be reported to security@zyrix.co, and we will acknowledge and investigate reports promptly.