The PCI Security Standards Council created the PCI Data Security Standard (DSS) to define a global information security standard for the protection of payment cardholder data. Auka adheres to PCI DSS 3.2 Level 1. The PCI compliance covers all parts of Auka's operations that are within the PCI scope, including the Consumer Interface (App). The core components of the Auka infrastructure that are within the scope of PCI run on Google Cloud.
Each card’s data is encrypted with its own encryption key, managed using the Google Cloud Key Management Service. Auka does not store the card verification value (“CVV”). Cardholder data is stored in an isolated service that is not directly accessible by the transaction processing software or the client apps. The only exception is when registering a new card through the app; in that case the communication is protected using up-to-date encryption ciphers, and care is taken to involve only the card-storage service and no other software.
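The per-card key arrangement described above is envelope encryption: each card gets its own data-encryption key (DEK), and only that DEK is wrapped by the key-management service. The following Go program is an added illustration, not Auka's code; it assumes a local in-memory stand-in for Cloud KMS (the real service would perform the wrap/unwrap calls remotely) and uses a constructed test PAN.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KMS is a local stand-in for Google Cloud KMS (an assumption so the example runs
// offline): it holds the key-encryption key (KEK) and is only ever asked to wrap or
// unwrap one card's data key; the card-storage code never handles the KEK itself.
type KMS struct{ kek []byte }
func NewKMS() *KMS { return &KMS{kek: mustRandom(32)} }
// mustRandom returns n cryptographically random bytes (used for keys and nonces).
func mustRandom(n int) []byte { b := make([]byte, n); if _, err := rand.Read(b); err != nil { panic(err) }; return b }
func gcmFor(key []byte) (cipher.AEAD, error) { b, err := aes.NewCipher(key); if err != nil { return nil, err }; return cipher.NewGCM(b) }
// seal encrypts with AES-256-GCM and prefixes a fresh random nonce to the output.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil { return nil, err }
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
// open reverses seal; the GCM tag check rejects tampering or a mismatched key.
func open(key, ct []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(ct) < gcm.NonceSize() { return nil, errors.New("bad key or ciphertext") }
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

// CardRecord is all the card-storage service persists; there is no CVV field at all.
type CardRecord struct{ WrappedDEK, PANCiphertext []byte }
// StoreCard makes a data-encryption key (DEK) for this one card, encrypts the PAN
// under it and has the KMS wrap the DEK, so one leaked DEK exposes one card only.
func StoreCard(k *KMS, pan string) (CardRecord, error) {
	dek := mustRandom(32)
	ct, err := seal(dek, []byte(pan))
	if err != nil { return CardRecord{}, err }
	wrapped, err := seal(k.kek, dek)
	return CardRecord{WrappedDEK: wrapped, PANCiphertext: ct}, err
}
// LoadCard unwraps the card's DEK through the KMS and then decrypts the PAN.
func LoadCard(k *KMS, rec CardRecord) (string, error) {
	dek, err := open(k.kek, rec.WrappedDEK)
	if err != nil { return "", err }
	pan, err := open(dek, rec.PANCiphertext)
	return string(pan), err
}
```

Because every record carries its own wrapped DEK, rotating the KEK means re-wrapping small keys rather than re-encrypting every stored PAN, and a record cannot be opened under a different KEK.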
This card-storage service, as well as the components in the apps that register card data, is subject to even stricter code review than usual: only a senior developer may approve changes, and only if the change keeps the service compliant with the PCI DSS.
Our procedures employ “defense in depth”, meaning that multiple layers of security guard development and operations, from employee permissions, through source control, review and deployment, to cloud access control. Employee identities and access are managed through GitHub and Google’s platforms, augmented by our own automatic and manual verification. Only senior developers may request a deployment, and the deployment is performed automatically by a locked-down system once two qualified seniors have co-signed it.