PCI DSS Compliance

Last Revised: October 21, 2020

The Payment Card Industry Data Security Standard (PCI DSS) is a set of industry-mandated requirements that apply to any business that stores, processes, or transmits cardholder data, regardless of the business’s size or location.

Kong does NOT store any cardholder data by default

If a payment processing API is served through Kong, then depending on your setup you should consider the following scenarios:

  • Proxying payment data: a request carrying card data that passes through Kong falls under the “processing” (and “transmitting”) criterion, so the gateway itself is in scope.
  • Logging & analytics: a logging plugin might write request data to disk or ship it to a remote location; if your API places card data in headers, query strings, or bodies that the plugin records, this triggers the “storage” criterion and brings the log destination into scope as well.

PCI DSS compliance is dependent on the configuration and usage of your Kong installation

You will still need to complete an annual Self-Assessment Questionnaire (SAQ), or an on-site assessment if your merchant level requires one, in order to be PCI compliant. There are several different types of SAQs, and a Qualified Security Assessor (QSA) can help you choose the right one for your business and achieve compliance.