Ory is now PCI DSS Compliant: What It Means for You
Ory has achieved PCI DSS compliance. Discover how our certified identity infrastructure helps your team slash audit times and scale confidently.
We are thrilled to announce that Ory has officially achieved PCI DSS (Payment Card Industry Data Security Standard) compliance.
As a leader in identity and access management (IAM), security isn’t just a feature for us—it’s the foundation of everything we build. That’s why we pursued and have achieved PCI DSS SAQ D for Service Providers, assessed by BARR. This milestone underscores our commitment to providing the most secure, reliable, and compliant infrastructure for your user data.
"Achieving PCI DSS compliance reflects Ory's ongoing commitment to operational excellence and security rigor," said Jeff Kukowski, CEO of Ory Corp. "Our customers trust us to secure identities at scale, and this milestone provides additional assurance that the controls, processes, and governance behind the Ory platform meet demanding industry standards. PCI DSS compliance is another step in our broader strategy to help organizations build secure, scalable, and compliant identity experiences for customers, employees, partners, and AI agents."
The Payment Card Industry Data Security Standard (PCI DSS) is a rigorous set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. It is managed by the PCI Security Standards Council (PCI SSC). PCI DSS SAQ (Self-Assessment Questionnaire) D for Service Providers is considered the longest and most rigorous SAQ, evaluating adherence to all 12 PCI DSS requirements.
No. Ory does not store or process financial cardholder data. However, because Ory handles identity and access management (IAM) for applications that process payments, achieving PCI DSS compliance ensures that our infrastructure meets the stringent security controls required to operate safely within a PCI-compliant ecosystem.
If your business needs to maintain PCI DSS compliance, every vendor in your tech stack matters. Ory’s compliance significantly simplifies your own auditing processes.
To achieve compliance, Ory completed PCI DSS SAQ D for Service Providers, with BARR Advisory as our Qualified Security Assessor (QSA) evaluating our systems against the PCI DSS framework. This included:
We believe in transparency. Enterprise customers looking to review our Attestation of Compliance (AoC) for their own auditing purposes can request access by contacting their account manager or reaching out through the Ory Trust Center.
With PCI DSS compliance added to our robust security posture, there has never been a better time to scale your identity infrastructure with Ory. Whether you are using Ory Network, Ory Enterprise License, or our open-source ecosystem, we’ve got your back.
Talk to an expert about your compliance needs today.