The gold standard for payment card security — validated by a QSA every year since 2019, and embedded into how we build.
PCI DSS Level 1 is the most stringent tier of Payment Card Industry Data Security Standard compliance — reserved for processors handling 6M+ Visa/MasterCard transactions annually.
Payment card numbers, expiration dates, and CVV codes never touch your servers. They are tokenized at the browser and stored only in Leadquora's certified vault.
A Qualified Security Assessor inspects our controls, interviews engineers, reviews code, tests systems, and issues our Attestation of Compliance (AOC) every 12 months.
An Approved Scanning Vendor scans our external attack surface every 3 months. Critical findings require 30-day remediation.
Only a small number of vetted engineers have access to production vault infrastructure — access is logged, reviewed monthly and requires hardware keys.
Every administrative action and every access to cardholder data is logged to a tamper-evident audit trail retained for a minimum of 1 year (7 for SOC 2).
The cardholder data environment (CDE) is physically and logically isolated from the rest of our infrastructure. No shared VPCs. No shared keys. No shared credentials.
Building on top of Leadquora means your own PCI burden drops to the easiest form — SAQ A.

| PCI Requirement | Without Leadquora | With Leadquora |
|---|---|---|
| Merchant SAQ form | SAQ D (300+ questions) | SAQ A (24 questions) |
| Quarterly ASV scans | Required | Handled by us |
| Vault infrastructure | Self-managed | PCI L1 vault included |
| Annual audit prep | Weeks of prep | Hours |
| Breach liability | Full merchant | Dramatically reduced |

Enterprise customers and auditors can request our current AOC, SAQ D-SP and ROC under NDA.