a year ago
I'm building a product and the payment gateway demands that my app is PCI-DSS compliant, but most of the criteria for it seem to be oriented toward server security and networking.
If I use Railway for production, can I just say I'm PCI-DSS compliant?
1 Reply
a year ago
Hey there!
The fact you are using Railway to host your application will not inherently make you PCI-DSS compliant. Using Railway could form a part of the wider framework in which you prove PCI-DSS compliance, but the company who owns the product which is required to be PCI-DSS compliant must follow all the steps outlined here in order to prove compliance: https://www.indeed.com/career-advice/career-development/how-to-get-pci-compliance-certification
Usually the minimum is quarterly security scans, which will vary based on your infrastructure, as well as a self-assessment questionnaire (SAQ) or report on compliance (ROC). If you are unclear on any of this, you should engage the services of a PCI Compliance Consultant to understand how you can meet the criteria within the specifics of your business.