Is AAM PCI compliant? If so, is there any documentation?
Is it possible to be PCI compliant to perform an ID sync on payment systems?
Audience Manager never stores Personally Identifying Information (PII) or credit card data anywhere in the Audience Manager network, because customers are not allowed to send it to us under the contractual agreement, so PCI would not be applicable to it.
Essentially, we don’t view AAM as being in scope for PCI, or being PCI certified, as we’re not storing PCI data, and we explicitly prohibit PCI data from being stored in the system, per the contract.
The customer themselves may be required to show documentation to PCI auditors regarding AAM interactions if they use it as part of a page that works with credit card data.
Ultimately it's the customer who is responsible for maintaining said PCI compliance and ensuring they are within the guidance of PCI.
What is PCI Compliance?
PCI compliant systems adhere to the Payment Card Industry Data Security Standard (PCI DSS). This is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information.
Expectation for AAM to be PCI compliant:
The client expects AAM to be PCI compliant so that they can perform the ID sync during online payment processes, which are required to be secured.