PCI DSS Policy

Afterpay is a PCI DSS Level 1 certified compliant Service Provider organisation. PCI DSS is a comprehensive set of requirements created by the Payment Card Industry Security Standards Council to enhance cardholder data security and to ensure the safe handling and storage of sensitive customer credit card information and data. Maintaining security of cardholder data is very important to Afterpay. Afterpay’s PCI DSS responsibilities as a Service Provider are outlined in the Attestation of Compliance (AOC) as independently audited by Afterpay’s Qualified Security Assessor (QSA). Afterpay’s Attestation of Compliance (AOC) is submitted to Afterpay’s acquiring bank(s).

For further information please visit the official PCI org website www.pcisecuritystandards.org.


Upon Consumer agreement to Afterpay Terms, Afterpay secures and protects the cardholder data according to the current applicable PCI standard for the life of the data needing to be retained. Afterpay acknowledge these responsibilities as being the organisation responsible for ensuring the safe handling and storage of sensitive customer credit card information and data for the Afterpay services.


Afterpay merchants must implement Afterpay technologies according to Afterpay’s approved configuration. Afterpay merchants have effectively delegated their PCI DSS responsibilities for sensitive customer credit card information and data collected through the Afterpay Merchant Agreement process and Customer Agreement. Merchant’s may have other PCI DSS responsibilities that are independent of the Afterpay Merchant Agreement process. It is the Merchant’s sole responsibility to remain informed of their PCI obligations and compliance status. Merchant’s should always consult their own Information Security professionals to review the security of the merchants business where required. A Qualified Security Assessor should be consulted if the merchant manages other sensitive customer credit card information and data or the merchant’s implementation of Afterpay technologies has deviated from the approved configuration.

Afterpay Attestation of Compliance (AOC) is available on request.

Afterpay’s Privacy Policy is available here.