PCI DSS (Payment Card Industry Data Security Standard) is a global security standard created to protect cardholder data. It covers credit and debit card data only; it does not apply to ACH, SEPA, or other non-card payment methods.
Spacebring is PCI DSS compliant at the SAQ A level (Self-Assessment Questionnaire A), the level for organizations that fully outsource the handling and storage of cardholder data to a PCI DSS compliant third-party service provider, such as Stripe. Here is what this compliance level means and the steps you can take to determine and meet your own PCI compliance needs.
Spacebring’s PCI Compliance
Spacebring does not collect, store, or process cardholder data or sensitive authentication data, such as the full card number (PAN) or the CVV/CVC. Cardholder data is managed exclusively by the third-party service provider (TPSP)/payment processor (for example, Stripe) that you choose to connect to Spacebring.
Spacebring stores only the last 4 digits of the Primary Account Number (PAN), so that a saved card can be identified, which PCI DSS Requirement 3.3.1 does not treat as sensitive cardholder data. Even these four digits are safeguarded in accordance with PCI DSS data retention and access controls. For details on the measures Spacebring implements for PCI DSS compliance and the specific requirements we satisfy, please review our SAQ.
Determine Your PCI Compliance Level
Your annual card transaction volume determines your PCI DSS merchant level (1 to 4) and therefore how you must validate compliance. Most Spacebring customers fall into Level 3 or 4, and because their transactions are card-not-present and cardholder data is handled entirely by the TPSP, they can usually validate with a self-assessment questionnaire rather than an on-site assessment.
To complete your own PCI DSS validation, follow the guidance published by your TPSP/payment processor.
Practical Compliance Steps
To further secure your payment environment with Spacebring, we recommend implementing the following measures:
Limit access to payment data to the personnel who need it. Adjust administrator permissions so that access to the “Community” page is granted on a need-to-know basis.
Do not give administrator or owner roles to shared email accounts to prevent unauthorized access.
Immediately remove users with administrator roles from “Community” if they leave your organization.
Do not log in as administrator on devices accessible to the public. Physically secure devices you use to access Spacebring as administrator.
Add relevant payment data retention and operational procedures to your Terms and Privacy Policy.
For more information about PCI compliance, head to the PCI Security Standards Council website.