Last updated: February 2026
At ThunderTix, security is not a checkbox—it’s a commitment. We proudly completed the PCI DSS v4.0 Self-Assessment Questionnaire D (SAQ-D) for Service Providers in February 2026, meeting the most stringent requirements in the industry.
This page outlines how we protect your data, comply with global standards, and support your organization’s security posture.
PCI Compliance
ThunderTix is officially compliant with PCI DSS v4.0 SAQ-D for Service Providers, the highest-level self-assessment designated for vendors who:
- Integrate with payment providers
- Could affect the Cardholder Data Environment (CDE)
- Must verify secure infrastructure and software practices
Key highlights from our 2026 attestation:
- No storage or handling of cardholder data (CHD) or sensitive authentication data (SAD)
- All payment data is tokenized via PCI Level 1-compliant providers: Stripe, Square, Elavon, Authorize.net, Moneris, and Braintree
- Payment is conducted exclusively through secure JavaScript iFrames or certified card readers (BBPOS, WisePOS, Square Terminal, etc.)
- Quarterly external vulnerability scanning by an Approved Scanning Vendor (ASV), HackerGuardian
- Security testing through Intruder
Platform & Network Security
- Cloudflare DDoS & WAF: All inbound traffic is filtered through advanced security layers
- TLS 1.2+ Encryption: All traffic is encrypted in transit
- Zero Cardholder Data: No credit card info is stored, processed, or passed through our servers
- Managed endpoints (employee devices, production access) have endpoint protection
- Supported card readers must be PCI-validated models running up-to-date firmware per vendor guidance
- Quarterly vulnerability scans performed and documented as part of PCI compliance
HECVAT & Data Privacy
We provide a completed HECVAT security assessment for universities and public institutions.
- Compliant with GDPR, CCPA, and U.S. data protection frameworks
- No personal data sold or shared with third parties
- Full support for data subject access requests, opt-outs, and data deletion
- Customizable Data Processing Addendum (DPA) available
Dev & Infrastructure Practices
- Role-based access: Only authorized team members can access production systems
- CI/CD with secure code reviews
- Penetration testing conducted and patch management policies in place
- ThunderTix is hosted on AWS (App Runner)
Incident Response & Business Continuity
- Formal Incident Response Plan (IRP) with defined escalation and notification protocols
- Quarterly drills to verify preparedness
- 99.95% uptime SLA and robust failover infrastructure
Third-Party Trust Chain
ThunderTix integrates exclusively with PCI Level 1–compliant payment processors and hardware-validated readers—ensuring secure, tokenized payments across desktop, web, and mobile environments.
| Provider | Function | PCI Level 1 | Tokenization | Validated Devices |
|---|---|---|---|---|
| Stripe | Payment Processing | ✅ | ✅ | Stripe M2, WisePOS E, BBPOS Chipper 2X (iOS/Android) |
| Square | Payment Processing | ✅ | ✅ | Square Terminal, Square Reader (iOS/Android) |
| Braintree | Payment Gateway | ✅ | ✅ | – |
| Elavon | Payment Gateway | ✅ | ✅ | – |
| Authorize.net | Payment Gateway | ✅ | ✅ | – |
ThunderTix mobile apps integrate with Stripe’s official iOS and Android SDKs to securely accept payments using the M2, WisePOS E, and BBPOS readers—all of which are PCI SSC–validated.
Need Docs for Procurement?
We’ll gladly provide the following upon request:
- PCI DSS SAQ-D Service Provider (2026)
- HECVAT
- Data Processing Addendum
- Infrastructure & incident response summaries
- Accessibility (VPAT)
- Future SOC 2 roadmap