ScyllaDB Vector Search Early Access. Powering real-time AI, recommendations, and RAG at scale. Learn more

ScyllaDB PCI-DSS Compliance

ScyllaDB Cloud is fully compliant and audited against PCI-DSS version 4.0 for Service Providers.

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard used to handle credit cards from major card brands. The standard is administered by the Payment Card Industry Security Standards Council, and its use is mandated by the card brands.

ScyllaDB has a standing practice of compliance with PCI-DSS through its annual certification as proof of our commitment to reducing risks of data breaches, financial losses, and the reputational damage that this could inflict on our customers and ScyllaDB. While ScyllaDB does not store, process, or transmit CC data, its services (the databases it provides its clients as a service) may include such data and use in their processing, storage, or transmissions.

pci security standards council logo

The Payment Card Industry Data Security Standard (PCI-DSS) is a global standard for any business that accepts, processes, stores, transmits, or impacts CC cardholder data security.

The PCI-DSS certification covers ScyllaDB Cloud, a fully managed database-as-a-service.
The certification is PCI DSS Audit for version 4.0 Service Provider.
The PCI-DSS certification specifically covers the ScyllaDB Cloud control plane. It does not cover Bring Your Own Account (BYOA) options or the ScyllaDB Cloud data plane (optionally and voluntarily covered by downstream customers with their customers if warranted). Further, it does not cover our subscription licenses for ScyllaDB Enterprise or our Open-Source Software.
The report covers all regions that are available or used in ScyllaDB Cloud services.
ScyllaDB undergoes assessment and recertification annually. The most recent ScyllaDB assessment for certification was undertaken between June 13th, 2024, and July 8th, 2024. The resulting certification is valid through July 2025.
When a user (customer) is interested in paying for the services provided through ScyllaDB Cloud, they open a web browser and insert CC details, the API charges it, and a token is received. Customers subscribing to the services insert CC data for their billing, and the billing token is the only thing used (a fully compliant PCI-DSS third-party services, STRIPE and Recurly, is used to charge the services for pay-as-you-go customers). Many customers switch to or initially opt for long-term contracts and work with sales and their billing departments, bypassing CC information handling.
ScyllaDB uses GRSEE as our independent QSA.

You can download the current certification here.