PCI Compliance

This guide explains how PCI compliance is maintained using Amberflo without any additional configuration or work from the customer side.

PCI DSS (Payment Card Industry Data Security Standard) is an information security standard for organizations that handle credit cards from the major card brands. It is administered by the Payment Card Industry Security Standards Council, and it applies to any organization that “transmits, stores, handles, or accepts credit card data”.

PCI compliance is a top-of-mind issue for any company launching billing for a new product or transitioning to a new billing platform. The consequences of noncompliance - reputational damage, loss of customer trust, and regulatory penalties - are significant, and entirely avoidable with a sound strategy and a reliable partner.

Since Amberflo does not store any sensitive cardholder data such as payment method information, there is no risk of PCI noncompliance arising from the use of Amberflo.

Payment information is handled and payments are processed via Stripe or cloud marketplaces such as AWS Marketplace. Amberflo simply initiates the payment when the invoice is delivered.

To make this work while remaining compliant, a customer record is created both in Amberflo and in the payment processor (we’ll say Stripe for simplicity). The customer record in Stripe contains the payment method information, and Stripe is certified at the highest level of PCI compliance (Level One). Each customer in Stripe is given a unique ‘Stripe-ID’. This is the field Amberflo uses to connect the Amberflo customer (where usage is tracked and the invoice is calculated) to the Stripe customer (where payments are made).

It is important to note that anything returned by the Stripe APIs is safe to store without impacting PCI compliance. This includes data such as the card type, the last 4 digits, and the expiration date, as well as the customer name and zip code, for example.
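The following is an added illustration of the pattern described above, written for this page; it is not Amberflo’s or Stripe’s code. It shows a billing-side customer record that holds only the processor customer ID (the ‘Stripe-ID’) plus an allow-list of the display fields named above, and a defence-in-depth guard that refuses to persist any value that looks like a full card number. The processor payload is constructed for the example and only loosely follows the shape of a Stripe customer object; the field names, the `amberflo_cust_1` identifier, and the Luhn-based guard are assumptions of this example, not part of either product.

```python
"""Persist only PCI-safe fields from a payment-processor customer object.

Added example, not Amberflo's or Stripe's code. The payload shape and all
identifiers below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Fields the page names as safe to store once returned by the processor:
# card type, last 4 digits, expiration date, customer name, postal code.
SAFE_CARD_FIELDS = {"brand", "last4", "exp_month", "exp_year"}

# Any run of 13-19 digits, optionally separated by spaces or dashes.
_PAN_CANDIDATE = re.compile(r"(?:\d[ -]?){13,19}")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value) -> bool:
    """True if a string value contains something that looks like a full card number."""
    if not isinstance(value, str):
        return False
    for m in _PAN_CANDIDATE.finditer(value):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


class UnsafeFieldError(ValueError):
    """Raised when a value that must never be stored reaches the persistence layer."""


@dataclass
class BillingCustomerRecord:
    """What the billing platform keeps: a link to the processor, plus display data."""
    customer_id: str                 # billing-platform customer (usage tracked here)
    stripe_id: str                   # processor customer id (payments made there)
    card_display: dict = field(default_factory=dict)
    billing_display: dict = field(default_factory=dict)


def build_record(customer_id: str, processor_customer: dict) -> BillingCustomerRecord:
    """Project a processor customer object onto the allow-listed fields only.

    Anything not on the allow-list (a card number, CVC, email, ...) is dropped,
    and every retained value is checked so a full card number can never be persisted.
    """
    stripe_id = processor_customer["id"]
    card = processor_customer.get("card", {})
    card_display = {k: card[k] for k in SAFE_CARD_FIELDS if k in card}
    billing_display = {}
    if "name" in processor_customer:
        billing_display["name"] = processor_customer["name"]
    postal = processor_customer.get("address", {}).get("postal_code")
    if postal is not None:
        billing_display["postal_code"] = postal

    for key, value in {**card_display, **billing_display}.items():
        if looks_like_pan(value):
            raise UnsafeFieldError(f"refusing to persist {key!r}: value looks like a full card number")
    return BillingCustomerRecord(customer_id, stripe_id, card_display, billing_display)


# Constructed sample payload; the processor would never return "number" or "cvc",
# they are included here only to show the allow-list dropping them.
SAMPLE_PROCESSOR_CUSTOMER = {
    "id": "cus_constructed_456",
    "name": "Ada Lovelace",
    "email": "ada@example.invalid",
    "address": {"postal_code": "94103"},
    "card": {"brand": "visa", "last4": "4242", "exp_month": 12, "exp_year": 2030,
             "number": "4242424242424242", "cvc": "123"},
}

# Constructed payload where a free-text field carries a full card number.
LEAKED_PROCESSOR_CUSTOMER = {
    "id": "cus_constructed_789",
    "name": "card 4242 4242 4242 4242",
    "card": {"brand": "visa", "last4": "4242"},
}


if __name__ == "__main__":
    record = build_record("amberflo_cust_1", SAMPLE_PROCESSOR_CUSTOMER)
    print(record)
    try:
        build_record("amberflo_cust_2", LEAKED_PROCESSOR_CUSTOMER)
    except UnsafeFieldError as exc:
        print("blocked:", exc)
```

The allow-list is the primary control: the record type simply has nowhere to put a card number or CVC, so the billing side can only ever hold the ‘Stripe-ID’ and the display fields the processor is allowed to return. The Luhn guard is a second layer for free-text fields such as the customer name, where a full number could otherwise slip through.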