PCI DSS Compliance
MyCardLiaison is certified as a PCI DSS Level 1 Service Provider — the highest level of compliance for organisations that process, store, or transmit cardholder data. Our annual audit is conducted by a Qualified Security Assessor (QSA).
What PCI DSS Level 1 Means
As a Level 1 provider, we are subject to the most stringent requirements of the PCI Data Security Standard. This includes an annual on-site audit by a QSA, quarterly network scans by an Approved Scanning Vendor (ASV), and penetration testing twice per year. Our Attestation of Compliance (AoC) is available to enterprise customers under NDA.
Cardholder Data Handling
MyCardLiaison never stores cardholder data (Primary Account Numbers, PINs, or CVVs) at rest. Card data submitted via the API is processed entirely in memory within our PCI-compliant environment and discarded as soon as the response from the card network has been received. No card data appears in our logs, databases, or backups.
Shared Responsibility
When you integrate with the MyCardLiaison API, your PCI compliance scope is significantly reduced. Because card data is transmitted directly to our API endpoint (not through your servers), you may qualify for a SAQ-A or SAQ-A-EP assessment rather than a full SAQ-D or on-site audit, depending on your integration method. In general terms, SAQ-A applies when the card entry fields are fully hosted by us, while SAQ-A-EP applies when your own page collects the card data and controls how it is sent to our endpoint.
Network Tokenisation
For customers who require it, we offer a tokenisation service that replaces card numbers with stable, non-reversible tokens. This allows you to reference cards in your system without ever handling the raw PAN, further reducing your PCI scope.
Requesting Our AoC
Enterprise customers can request our Attestation of Compliance document for use in their own compliance audits. Contact compliance@mycardliaison.com with your company name and a brief description of your use case.