Learn what security means to us and how you can use wallee.com to significantly reduce your PCI scope when processing credit cards.
wallee.com has been audited by a qualified security assessor and is certified as a PCI DSS Level 1 Service Provider. This is the highest level of certification available in the payments industry. To reach and keep this level of certification we have to use best-in-class security tools and practices.
Learn how wallee.com can significantly reduce your PCI scope. wallee.com is a PCI DSS Level 1 compliant payment service provider. By using our service you ensure that sensitive card data never touches your server. Your acquirer contractually obliges you to work only with PCI Level 1 compliant providers, and you can rely on our certification for this. As a result you only have to fill out an annual self-assessment questionnaire that consists of 12 questions.
If you are a merchant accepting credit card payments online, your acquirer contractually requires you to comply with PCI DSS. Depending on how payment data is collected in your online store, this can mean costly and time-intensive assessments and substantial investment in your security infrastructure. If you neglect this and credit card data is stolen, fines follow. Keeping card data off your server with our service removes your systems from most of that scope.
All wallee.com users that process credit card payments have to comply with the PCI Data Security Standard (PCI DSS). The payment page and the iframe integration meet all the requirements and security constraints of Self-Assessment Questionnaire A (SAQ A): all transmission of sensitive cardholder data takes place within the payment page or iframe, which is served from a wallee.com domain controlled by wallee, so the cardholder data never passes through your servers or your own page's scripts.
All card data wallee returns in the response to a charge request or in webhooks is non-sensitive. This can include the cardholder name, the card type, the last four digits of the card, a truncated (masked) card number and the expiration date. This information is not subject to PCI DSS, so you may store any of these properties in your database. However, this data is most likely subject to your country's data privacy law, so if you store it, make sure it is secured accordingly.
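A practical way to keep your SAQ A scope intact is to guard the code path that persists charge responses or webhook payloads, so that a full card number can never end up in your database even if an integration is misconfigured. The following is an added example written for this page, not wallee's own code; the field names in the constructed payload are hypothetical and do not reflect the wallee API.

```python
import re

# Constructed sample payload: only non-sensitive card properties, as the page describes.
# Field names are hypothetical, not the wallee API.
SAMPLE_WEBHOOK = {
    "cardholderName": "Jane Example",
    "cardType": "VISA",
    "lastFourDigits": "4242",
    "maskedCardNumber": "424242XXXXXX4242",
    "expiryMonth": 12,
    "expiryYear": 2030,
}

# Candidate PAN: 13 to 23 characters of digits, spaces or hyphens, starting and ending with a digit.
PAN_RE = re.compile(r"\d[\d -]{11,21}\d")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(value) -> bool:
    """True if a string value contains something that looks like a full card number."""
    if not isinstance(value, str):
        return False
    for m in PAN_RE.finditer(value):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False


def sanitize_payload(payload: dict):
    """Redact any field containing a full PAN before the payload is stored.

    Returns (clean_payload, list_of_flagged_field_names). Masked numbers,
    last-four digits and expiry dates pass through unchanged."""
    clean, flagged = {}, []
    for key, value in payload.items():
        if contains_pan(value):
            flagged.append(key)
            clean[key] = "[REDACTED-PAN]"
        else:
            clean[key] = value
    return clean, flagged
```

Any non-empty flagged list should be treated as an integration defect and alerted on, because it means full card data reached your server.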
It is ultimately up to your merchant or acquiring bank what they ask you to provide to prove your PCI compliance. However, if you are using wallee.com you will rely on our PCI certification and complete Self-Assessment Questionnaire A (SAQ A).
If you have additional questions regarding PCI compliance, get in touch with our support.
All of your data is securely encrypted on disk with state-of-the-art encryption technology. Decryption keys are stored on separate machines. None of our internal servers and daemons are able to obtain plaintext card numbers, customer data or your configuration data.
Despite all the care we take in the development of our product, there is still a chance that we miss something and overlook a critical bug. This is why we ask you to report such issues to us as soon as possible.
Our security team promptly investigates all reported security issues. If you believe you have discovered a security bug, please get in touch with our support (optionally encrypting your message with our PGP key, see below). We will respond to your report as quickly as possible.
We request that you do not publicly disclose the issue until we have had a realistic chance to address it.
To communicate securely with wallee we provide our public PGP key. This key can also be used to verify messages signed by us.
Here are the most important details about our key. Verify the fingerprint of any key you obtain against this value before using it:
Fingerprint: C330 33E4 B583 FE61 2EDE 877C 05D0 2D3D 57AB FF46