Security & PCI FAQ
Last modified: August 18, 2025
1. Does ExpoGenie process or store credit card data?
No. We do not process, transmit, or store credit card numbers, CVV, or any sensitive payment data on our systems. All payment information is handled directly by PCI DSS Level 1-compliant third-party gateways (e.g., Stripe, Authorize.net, PayPal).
2. Which payment processors do you use?
We integrate with:
- Stripe
- Authorize.net
- PayPal
All of these providers are PCI DSS Level 1 certified, which is the highest standard of cardholder data security.
3. Does cardholder data ever touch your servers?
No. We use hosted fields, redirects, or client-side tokenization provided by our payment partners. This ensures that credit card data never passes through our servers, APIs, logs, or storage systems.
4. Do you store any payment-related data?
We store only the following non-sensitive payment metadata:
- Cardholder name
- Transaction ID (returned by the gateway)
- Client-specific payment gateway API keys, which are stored securely
We do not store card numbers, CVV, expiration dates, or magnetic stripe data.
5. Do your employees have access to sensitive card data?
No. None of our employees, including developers and support staff, have access to credit card numbers or CVV data. Some members of our team may access API keys for integration troubleshooting, but these are protected with strict access controls.
6. Are you PCI DSS compliant?
While we are not directly subject to PCI DSS, our payment architecture is designed to:
- Keep us outside of PCI DSS scope by avoiding all interaction with cardholder data.
- Leverage PCI-compliant third parties for all card processing.
We follow industry best practices to secure payment integrations and are prepared to provide documentation upon request (e.g., architecture diagrams, SAQ A applicability).
7. What security controls do you have in place?
- End-to-end encryption of data in transit (TLS 1.2+)
- Encryption at rest for sensitive configuration data (including API keys)
- Access control policies (role-based access, least privilege)
- Regular vulnerability scanning and patching
- Secure software development lifecycle (SSDLC) practices
- Cloud infrastructure security (network segmentation, IAM, audit logging)
8. Do you undergo any third-party audits or assessments?
We are currently preparing for external security assessments aligned with industry frameworks. While not PCI-audited ourselves, we integrate only with vendors who are PCI DSS Level 1 compliant.
9. What’s your role in a PCI DSS Responsibility Matrix?
We are a technology platform that enables our clients to process payments using their own payment gateway credentials. Responsibility for PCI DSS compliance rests primarily with:
- The client’s payment processor
- The client as the merchant of record
Our responsibility is to maintain secure integration points and protect any configuration data (e.g., API keys).
10. Can you provide documentation to support this?
Yes. We can provide:
- Payment architecture overview
- System security overview
- List of payment gateways and their PCI certificates