At ThunderTix, security is not a checkbox—it’s a commitment. We proudly completed the PCI DSS v4.0 Self-Assessment Questionnaire D (SAQ-D) for Service Providers in January 2025, meeting the most stringent requirements in the industry.
This page outlines how we protect your data, comply with global standards, and support your organization's security posture.
PCI Compliance
ThunderTix is officially compliant with PCI DSS v4.0 SAQ-D for Service Providers, the highest-level self-assessment designated for vendors who:
Integrate with payment providers
Could affect the Cardholder Data Environment (CDE)
Must verify secure infrastructure and software practices
Key highlights from our 2025 attestation:
No storage or handling of cardholder data (CHD) or sensitive authentication data (SAD)
All payment data is tokenized via PCI Level 1-compliant providers: Stripe, Square, Elavon, Authorize.net, Moneris, and Braintree
Payment is conducted exclusively through secure JavaScript iFrames or certified card readers (BBPOS, WisePOS, Square Terminal, etc.)
Verified by external Approved Scanning Vendors (ASVs): Intruder and HackerGuardian
Platform & Network Security
Cloudflare DDoS & WAF: All inbound traffic is filtered through advanced security layers
TLS 1.2+ Encryption: All traffic is encrypted in transit
Zero Cardholder Data: No credit card info is stored, processed, or passed through our servers
Endpoint Protection: All systems, including mobile readers, follow vendor security guidelines and validated firmware versions
Quarterly vulnerability scans performed and documented as part of PCI compliance
HECVAT & Data Privacy
We provide a completed HECVAT Lite security assessment for universities and public institutions.
Compliant with GDPR, CCPA, and U.S. data protection frameworks
No personal data sold or shared with third parties
Full support for data subject access requests, opt-outs, and data deletion
Customizable Data Processing Addendum (DPA) available
Dev & Infrastructure Practices
Role-based access: Only authorized team members can access production systems
CI/CD with secure code reviews
Penetration testing conducted and patch management policies in place
Hosting transitions from Heroku to AWS App Runner include secure VPCs and hardened images
Incident Response & Business Continuity
Formal Incident Response Plan (IRP) with defined escalation and notification protocols
Quarterly drills to verify preparedness
99.95% uptime SLA and robust failover infrastructure
Third-Party Trust Chain
ThunderTix integrates exclusively with PCI Level 1–compliant payment processors and hardware-validated readers—ensuring secure, tokenized payments across desktop, web, and mobile environments.
| Provider | Function | PCI Level 1 | Tokenization | Validated Devices |
| --- | --- | --- | --- | --- |
| Stripe | Payment Processing | ✅ | ✅ | Stripe M2, WisePOS E, BBPOS Chipper 2X (iOS/Android) |
| Square | Payment Processing | ✅ | ✅ | Square Terminal, Square Reader (iOS/Android) |
| Braintree | Payment Gateway | ✅ | ✅ | - |
| Elavon | Payment Gateway | ✅ | ✅ | - |
| Authorize.net | Payment Gateway | ✅ | ✅ | - |
ThunderTix mobile apps integrate with Stripe’s official iOS and Android SDKs to securely accept payments using the M2, WisePOS E, and BBPOS readers—all of which are PCI SSC–validated.