ScyllaDB PCI-DSS Compliance

ScyllaDB Cloud is fully compliant and audited against PCI-DSS version 4.0 for Service Providers.

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard used to handle credit cards from major card brands. The standard is administered by the Payment Card Industry Security Standards Council, and its use is mandated by the card brands.

ScyllaDB has a standing practice of compliance with PCI-DSS through its annual certification as proof of our commitment to reducing risks of data breaches, financial losses, and the reputational damage that this could inflict on our customers and ScyllaDB. While ScyllaDB does not store, process, or transmit CC data, its services (the databases it provides its clients as a service) may include such data and use in their processing, storage, or transmissions.

What is PCI-DSS?

The Payment Card Industry Data Security Standard (PCI-DSS) is a global standard for any business that accepts, processes, stores, transmits, or impacts CC cardholder data security.

Which ScyllaDB Products and Services are PCI-DSS certified?

The PCI-DSS certification covers ScyllaDB Cloud, a fully managed database-as-a-service.

What type of PCI-DSS certification have you received?

The certification is PCI DSS Audit for version 4.0 Service Provider.

What is the scope of the ScyllaDB PCI-DSS Certification?

The PCI-DSS certification specifically covers the ScyllaDB Cloud control plane. It does not cover Bring Your Own Account (BYOA) options or the ScyllaDB Cloud data plane (optionally and voluntarily covered by downstream customers with their customers if warranted). Further, it does not cover our subscription licenses for ScyllaDB Enterprise or our Open-Source Software.

What regions are covered by the ScyllaDB PCI-DSS Certification?

The report covers all regions that are available or used in ScyllaDB Cloud services.

What is the certification period for the most recent report, and how often does ScyllaDB recertify its PCI-DSS compliance?

ScyllaDB undergoes assessment and recertification annually. The most recent ScyllaDB assessment for certification was undertaken between June 13th, 2024, and July 8th, 2024. The resulting certification is valid through July 2025.

How and under what circumstances does ScyllaDB use Credit Card information?

When a user (customer) is interested in paying for the services provided through ScyllaDB Cloud, they open a web browser and insert CC details, the API charges it, and a token is received. Customers subscribing to the services insert CC data for their billing, and the billing token is the only thing used (a fully compliant PCI-DSS third-party services, STRIPE and Recurly, is used to charge the services for pay-as-you-go customers). Many customers switch to or initially opt for long-term contracts and work with sales and their billing departments, bypassing CC information handling.

Who is the Qualified Security Assessor (QSA) for ScyllaDB?

ScyllaDB uses GRSEE as our independent QSA.

Where can I download the ScyllaDB Cloud PCI-DSS certification?

You can download the current certification here.

Why ScyllaDB?

Is ScyllaDB right for me?

ScyllaDB University

ScyllaDB Blog

ScyllaDB PCI-DSS Compliance

Start scaling with the world's best high performance NoSQL database.