Learn more about Twilio and PCI:
1. What is PCI DSS? Is Twilio PCI DSS certified?
A: The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid and ATM cards. All merchants that process credit cards must be PCI compliant. More information is available on the official PCI website.
Twilio is a PCI-compliant merchant and can securely accept credit card payments for its services. Apps built with Twilio are not covered under Twilio's compliant status as a merchant. Twilio recommends that customers seek guidance from their legal counsel for any compliance questions concerning their applications. See the questions below for further details.
2. If a business application built on Twilio takes credit, debit or prepaid card data does it have to be PCI compliant?
A: Yes. According to the official PCI website, if a customer application processes, transmits or stores credit, debit or prepaid card data, then the customer is responsible for ensuring that the application is PCI compliant. Merely using Twilio for customer transactions does not exclude any company from PCI compliance regulations, as PCI compliance obligations apply to all organizations and merchants that accept, transmit or store any cardholder data, regardless of size or number of transactions.
3. What can a business do to keep its Twilio application workflows PCI compliant?
A: Many businesses have architected their applications in a PCI-compliant manner while still using Twilio for part(s) of their workflow. The key is to avoid processing, storing and transmitting cardholder data on Twilio. Some techniques that customers have used are as follows:
- Verifying a customer’s account using only the last few digits of the PAN via voice, SMS (short messaging services) or DTMF (dual tone multi frequency) dialing.
- Ensuring that the customer application never transmits entire cardholder data over unencrypted channels including voice, SMS or DTMF. If this is necessary, an online solution or landline implementation should be developed.
- The PCI rules for VoIP are the same as mentioned above for DTMF. When collecting DTMF via VoIP, the signaling and media transmission must both occur over secured networks (TLS/IPsec for signaling and SRTP for media).
- Not retaining sensitive authentication data after authorization. For telephone operations, "sensitive authentication data" means the CAV2/CVC2/CVV2/CID and/or PIN values that may be taken during a telephone call.
Also, the list above is not meant to be comprehensive or replace the PCI standards and guidelines described above. Customers will need to ensure that their applications meet those guidelines. As always, Twilio recommends that customers seek guidance from their legal counsel if they have any compliance questions concerning their applications.
4. What is considered ‘cardholder data’ (CHD)? Does Twilio store ‘cardholder data’?
A: According to the PCI website, cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data. Cardholder data is the full magnetic stripe, or the PAN plus any of the following:
- Primary Account Number (PAN)
- Cardholder Name
- Service Code
- Expiration Date
What is considered Sensitive Authentication Data (SAD)?
- Full Magnetic Stripe Data
- PIN/PIN Block