Arize AI Achieves Payment Card Industry Data Security Standard 4.0 Certification

Jim Groff

Compliance Officer

Today, we are proud to formally announce that Arize AI completed the Payment Card Industry Data Security Standard (PCI DSS) 4.0 certification. Recently updated to address emerging threats and attack vectors, PCI DSS 4.0 is a global standard that provides a baseline of technical and operational requirements designed to protect account data.

With credit card fraud and identity theft on the rise, that task is more important than ever.

Why Did Arize Pursue PCI DSS 4.0 Certification?

Although the Arize AI platform does not directly process credit card transactions, many of our customers do – making it possible they could ingest credit card information into the platform.

Arize is considered a service provider by definition of the standard, and could potentially have access to or impact the security of ingested cardholder data. As such, we pursued the PCI DSS 4.0 Certification for a Level 1 Service Provider – providers that store, process, or transmit more than 300,000 credit card transactions annually.

In meeting the requirements for the PCI DSS 4.0 standard, Arize AI has demonstrated the compliant controls and mechanisms in place to properly safeguard data entrusted to us by our customers and users.

Arize AI opted to become PCI DSS 4.0 compliant not by obligation, but as a conscious choice to better protect and safeguard our customers’ data. Arize is committed to continually maintaining or exceeding the standards required by the PCI leadership as well as our own policies that exceed these requirements.

What Is PCI DSS?

PCI DSS was developed by the Payment Card Industry Security Standards Council (PCI SSC), which was formed by American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. in 2006. The primary goal of the council is managing the ongoing evolution of the Payment Card Industry Data Security Standard.

PCI Security Standards are developed specifically to protect payment account data throughout the payment lifecycle and to enable technology solutions that devalue this data and remove the incentive for criminals to steal it. They include standards for merchants, service providers like Arize AI, and financial institutions on security practices, technologies, processes, and standards for developers and vendors for creating secure payment products and solutions.

The six major principles of PCI DSS are:

  1. Build and maintain a secure network
  2. Protect cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy

From these principles, the PCI SSC developed 12 core requirements for the standard, each with a subset of specific requirements that must be met to achieve certification. The requirements set forth by the PCI SSC are both operational and technical, and the core focus of these rules is to protect cardholder data at all times. The 12 requirements are to:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

Learn More About Security at Arize

As always, safeguarding data remains a core function at Arize – fundamental to how we earn and maintain the trust of users, customers, and partners. Other industry certifications received over the past year include SOC 2 Type II compliance, independent validation of health information security for HIPAA compliance, and a Cloud Security Alliance Registry Level 1 Self-Assessment.

To learn more about security at Arize or to obtain a full copy of the PCI DSS 4.0 report, visit the Arize Trust Center or reach out directly in the Arize community.