Overview

As a global payment service provider, Oceanpayment places security and compliance at the heart of everything we do. Our ongoing commitment to PCI DSS (Payment Card Industry Data Security Standard) compliance is central to providing our customers with a secure and trustworthy payment environment. Below, we provide a comprehensive overview of Oceanpayment’s PCI DSS practices.

PCI DSS Overview

PCI DSS is a global security standard established by the PCI Security Standards Council (PCI SSC) and maintained by the five major card networks: Visa, Mastercard, American Express, Discover, and JCB. It is designed to safeguard cardholder data throughout the entire payment ecosystem—including storage, processing, and transmission—reducing the risk of data breaches and payment fraud. Any organization that stores, processes, or transmits payment card data must comply with PCI DSS. The standard includes six control objectives, twelve core requirements, and over 300 security controls.

Oceanpayment PCI DSS Commitment

From day one, we have prioritized payment security, achieving and maintaining PCI DSS Level 1 certification (the highest level available in the industry) for multiple consecutive years. This demonstrates that our payment systems, network architecture, data processing workflows, and security policies undergo rigorous annual audits by PCI SSC–qualified security assessors (QSAs), meeting the most stringent security requirements in the global payment industry.

Core Certification Information

Certification Item: Details
Certification Level: PCI DSS Level 1 (highest level)
Certification Status: Continuous compliance, validated annually
Certification History: Certified since our founding in 2014 and continuously maintained
Latest Version: PCI DSS v4.0 (v3.2.1 retired on March 31, 2024)

Compliance Practices and Security Controls

PCI DSS v4.0, effective April 1, 2024, replaced v3.2.1. Its goals are to provide robust protection for account data, clarify organizational responsibilities in safeguarding this data, and address emerging threats using innovative approaches. Oceanpayment actively follows these updated standards, implementing comprehensive security controls across the following areas:

Building and Maintaining Secure Networks and Systems

  • Firewall configuration: Install and maintain firewalls to protect the Cardholder Data Environment (CDE).
  • System security parameters: Avoid default system passwords and security settings provided by vendors; configure systems to prevent misconfigurations.

Protecting Cardholder Data

  • Data encryption: Encrypt cardholder data transmitted over public networks using strong encryption. Adopt more robust encryption and key management strategies, such as strong encryption keys and keyed hashing for storing the primary account number (PAN).
  • Data storage protection: Protect stored cardholder data to ensure its confidentiality and integrity.

Maintaining a Vulnerability Management Program

  • Malware protection: Protect all systems from malicious software and regularly update antivirus tools.
  • Secure systems and applications: Develop and maintain secure systems and applications, including removing test data and accounts before production deployment.

Implementing Strong Access Control Measures

  • Access restriction: Limit access to cardholder data based on a strict need-to-know basis.
  • Unique identification: Assign a unique ID to every person with computer access.
  • Multi-factor authentication (MFA): Version 4.0 strengthens MFA requirements; any access to the CDE now requires MFA, not just administrative access.
  • Physical access control: Restrict physical access to cardholder data.

Regularly Monitoring and Testing Networks

  • Tracking and monitoring: Monitor all access to network resources and cardholder data. Version 4.0 enhances logging and monitoring, providing more comprehensive cross-environment visibility and automated log reviews.
  • Security testing: Regularly test security systems and processes, including external and internal penetration testing, and remediate any exploitable vulnerabilities.

Maintaining an Information Security Policy

  • Security policies: Maintain policies addressing all personnel-related information security concerns.

Value of Oceanpayment Compliance

For merchants using Oceanpayment services, our PCI DSS Level 1 compliance delivers multiple critical benefits:

  • Reduced compliance burden: Leveraging Oceanpayment’s certified payment interfaces significantly reduces the scope of PCI assessments for your own systems. Merchants can often use simplified Self-Assessment Questionnaires (SAQs), such as SAQ A or SAQ A-EP, streamlining the compliance process.
  • Enhanced customer trust and brand reputation: PCI DSS compliance demonstrates to your customers that you take their payment data security seriously, reinforcing trust and brand credibility.
  • Lower risk and potential losses: Following PCI DSS standards reduces the likelihood of data breaches and fraud, helping avoid fines, business disruption, and reputational damage.
  • Support for global business expansion: PCI DSS is recognized worldwide. Compliance helps merchants meet security requirements across different markets, supporting international growth.