# PCI-DSS compliance

Data security is one of our highest priorities at Rebilly.

We go beyond industry standards to meet a high level of data security at every layer, from server hardening techniques and network segmentation to extensive data integrity logging, secure coding practices and rigorous testing.

As a level one service provider, we maintain PCI-DSS compliance by undergoing a yearly audit of our security practices and policies, as well as bi-annual penetration testing, quarterly vulnerability scans, and more.
Our annual audit is completed by a third-party auditor accredited by the PCI council.

You should maintain evidence that your service providers are compliant.
[Download our attestation of compliance](/assets/pci-dss-v4-0-1-aoc-rebilly-srl-august-2025.df23d366a48387039fa3f45a787f54fe9b90a860f28b547d70d9203f4ab7dcc2.09674ba3.pdf) as evidence of our compliance.
You should update these records every year.

Reduce security-related expenses by offloading most of your PCI-DSS compliance burden to Rebilly.
This is done by using our TOKENS API endpoint together with FramePay, so that payment information is tokenized in the customer's browser and never flows through your servers.
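The scope reduction described above only holds if cardholder data really never reaches your backend. The following is an added example, not Rebilly's code and not part of this page: a server-side guard for a checkout handler that accepts only a client-side payment token and rejects any request body containing a value that looks like a card number. The field name `paymentToken`, the token format, and the sample requests are assumptions constructed for the example.

```javascript
// Added example (not Rebilly's code): enforce the "card data never touches our
// servers" model at the boundary. The browser sends only a token obtained
// client-side; if a raw card number ever reaches this handler, the request is
// rejected so the scope leak is caught immediately rather than silently.
// Field name (`paymentToken`) and token shape are assumptions for this example.

// Luhn checksum: the mod-10 check that every payment card number satisfies.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// A value "looks like a PAN" if, after stripping spaces and dashes, it is
// 13-19 digits and passes Luhn. Deliberately conservative: a false positive
// blocks one request, a false negative pulls cardholder data into scope.
function looksLikePan(value) {
  if (typeof value !== 'string' && typeof value !== 'number') return false;
  const digits = String(value).replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Walk an arbitrary JSON body and collect the paths of PAN-looking values.
function findPanFields(body, path = '', found = []) {
  if (body !== null && typeof body === 'object') {
    for (const [key, val] of Object.entries(body)) {
      findPanFields(val, path ? `${path}.${key}` : key, found);
    }
  } else if (looksLikePan(body)) {
    found.push(path);
  }
  return found;
}

// Validate a checkout request: it must carry a token and no card data.
// Returns { ok: true, token } or { ok: false, reason, fields }.
function validateCheckoutBody(body) {
  const panFields = findPanFields(body);
  if (panFields.length > 0) {
    // Report only the field paths, never the values: logging a PAN would
    // itself put the log store into PCI scope.
    return { ok: false, reason: 'cardholder data in request', fields: panFields };
  }
  const token = body && body.paymentToken;
  if (typeof token !== 'string' || !/^[A-Za-z0-9_-]{16,}$/.test(token)) {
    return { ok: false, reason: 'missing or malformed payment token', fields: [] };
  }
  return { ok: true, token };
}

// Constructed sample requests. The card number is the well-known Visa test PAN.
const goodRequest = { paymentToken: 'tok_constructed_example_0123456789', amount: 1999 };
const badRequest = { amount: 1999, card: { number: '4111 1111 1111 1111', cvv: '123' } };
console.log(validateCheckoutBody(goodRequest));
console.log(validateCheckoutBody(badRequest));
```

Run this guard before any other processing of the request body, and count its rejections as a security signal: a single hit means some client integration is posting raw card data to you and your SAQ scope is no longer what you think it is.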

We recommend our [FramePay solution](/docs/dev-docs/framepay) to minimize your PCI-DSS requirements.

Reduce your costs of compliance by varying degrees:

1. **Largest reduction:** By not accepting payment cards directly on your website, using a third-party hosted checkout page or FramePay instead.
  - Requires SAQ - A
2. **Significant reduction:** By using a JavaScript-only solution. You can still reduce the scope of compliance.
  - Requires SAQ - A-EP
3. **Small reduction:** By transmitting card data through your servers without storing it. Some sections are not applicable.
  - Requires SAQ - D
4. **No reduction:** By transmitting and storing cardholder data on your servers. Will require an auditor if the transaction count is high enough.
  - Requires SAQ - D