Credit Cards and PCI compliance
At LearnWorlds, we prioritize the security of your payment information by adhering to PCI-DSS (Payment Card Industry Data Security Standard) guidelines. This ensures that all credit card transactions are handled securely, helping to protect your sensitive data and prevent fraud.
LearnWorlds itself does not store, process, or transmit any credit card information. Instead, we rely on trusted payment gateway providers, such as Stripe and PayPal, to manage all credit card data securely. These providers are PCI DSS Level 1 Service Providers—the highest level of compliance—which means they meet the stringent security standards set by the PCI Security Standards Council, a joint effort by major credit card companies like Visa, MasterCard, American Express, and Discover.
By partnering with these industry leaders, we ensure that all transactions conducted through our platform are secure. You can learn more about Stripe's security here and Paypal’s here.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a global standard of security guidelines designed to protect payment card data. It is administered by the PCI Security Standards Council (PCI SSC). Compliance with PCI DSS demonstrates a commitment to safeguarding financially sensitive customer information and helps build trust and credibility within the payment ecosystem.
PCI DSS applies to any entity that stores, processes, or transmits cardholder data (CHD) or sensitive authentication data (SAD). This includes merchants, payment processors, acquirers, issuers, service providers, and any other organization involved in the payment card industry. The standard outlines various compliance levels based on the volume of transactions a business processes annually.
The latest version, PCI DSS Version 4.0 Revision 2, was published in July 2023.
LearnWorlds' Responsibilities Under PCI DSS
In the context of PCI DSS, the term "processing transactions" refers to the handling of cardholder data during payment transactions. This includes collecting, storing, transmitting, or processing credit card information. However, LearnWorlds does not handle cardholder data directly. Instead, we rely on third-party payment gateways, such as Stripe, to manage card payments securely.
The PCI DSS does account for situations where platforms or services act as intermediaries or pass-through entities. Based on this setup, a payment gateway (such as Stripe) would be considered the payment processor, responsible for securely handling all sensitive payment data. At the same time, LearnWorlds is classified as a merchant that facilitates transactions through these compliant payment processors. This shared responsibility ensures that cardholder data is protected, while LearnWorlds focuses on providing a secure platform for its users.
- LearnWorlds as a Platform: LearnWorlds does not store, process, or transmit cardholder data directly. Instead, LearnWorlds uses the payment gateway’s features to capture payment information securely and then passes this information directly to the payment gateway. The key here is that LearnWorlds does not have access to or retain any of the financially sensitive payment information (e.g., credit card numbers). This makes LearnWorlds a facilitator or "pass-through" entity, not a payment processor in the PCI DSS sense.
- The Payment Processor: The payment processor (i.e. Stripe or Paypal) is the entity responsible for actually processing the transactions, meaning they handle the secure transmission, storage, and processing of cardholder data. Since the payment gateways that LearnWorlds supports are PCI DSS Level 1 compliant (the highest level of compliance), they take on the full burden of ensuring the safety and compliance of cardholder data.
- LearnWorlds falls under the PCI DSS SAQ-A category (Self-Assessment Questionnaire A), which is for entities that outsource all cardholder data functions to third-party providers and do not electronically store, process, or transmit any cardholder data themselves. LearnWorlds is responsible for ensuring that the third-party processor you use is compliant, and for maintaining secure integrations (e.g., securely implementing Stripe Elements)