We are pleased to announce that the Orca Cloud Security Platform is now PCI DSS certified. This important development demonstrates our full belief in the strength of our technology. Orca leveraged the Orca Cloud Security Platform to meet PCI DSS requirements, greatly reducing the time and effort to earn the certification. Customers of Orca can rest assured that we not only remain committed to sustaining the highest standards of security, but we depend on the same technology we recommend they adopt.

To earn the PCI DSS certification, Orca’s GRC team completed the PCI Self-Assessment Questionnaire (PCI SAQ D). This process involves a comprehensive evaluation of security practices within a customer environment to ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS). The certification validates Orca’s compliance with PCI DSS standards as a service provider. 

The Orca GRC team and CISO empower customers to uphold their information security standards, fostering greater trust. Our information security team is dedicated to enhancing company compliance and security, integrating valuable information security frameworks, and ensuring customers can meet their own information security regulations effectively.

In addition to PCI DSS, Orca has achieved several compliance certifications demonstrating our commitment to customer security and privacy, including:

  • ISO/EC 27001 Information
  • ISO/EC 27017 Information
  • ISO/EC 27018 Information
  • SOC 2 TYPE II Certified
  • Star Level One: Self-Assessment Cloud Security Alliance
  • CSA Trusted Cloud Provider
  • StateRAMP Authorized
  • FedRAMP In Process 

In every case, Orca has leveraged the Orca Platform to demonstrate and maintain compliance.

In this post, we examine Orca’s PCI DSS certification and how we earned it by leveraging the Orca Cloud Security Platform. 

How did Orca obtain the PCI SAQ D certification? 

As a service provider, Orca is eligible to demonstrate compliance with PCI DSS by completing the SAQ D self-assessment. The SAQ D certification allows organizations with limited cardholder data processing to self-assess their adherence to PCI requirements. 

Orca is eligible for SAQ D because it doesn’t directly store, process, or transmit cardholder data, but instead provides limited capabilities that never leave customer environments. This applies to two different deployment modes that Orca offers (SaaS and In-Account). It’s also worth mentioning that the SAQ D certification doesn’t make Orca fully compliant with PCI DSS. However, Orca supports organizations that must fully adhere to the regulation.

The substantial effort aimed to enhance Orca’s trust and compliance, facilitating smoother customer onboarding with reduced friction for organizations with PCI regulatory needs. This self-assessment approach is robustly supported by reviews and approvals from many trusted partners, ensuring that Orca maintains high standards of security and compliance.

Orca approached the SAQ D certification with full confidence in the Orca Cloud Security Platform. The Orca Platform offers more than 150 out-of-the-box compliance frameworks, covering most major regulatory standards and industry regimes. This includes PCI DSS v4.0.

PCI DSS framework dashboard in the Orca Cloud Security Platform
The PCI DSS framework in the Orca Cloud Security Platform 

By simply choosing the PCI DSS compliance framework, Orca received an immediate assessment of its current compliance status, including all in-compliance and out-of-compliance controls. 

Display current view of all failed and passed compliance controls inside the Orca Cloud Security Platform
Orca displays a current view of all failed and passed compliance controls 

This assessment automatically and continually accounted for every asset and risk across Orca’s entire cloud estate and every type of risks affecting PCI DSS—including vulnerabilities, misconfigurations, lateral movement risk, malware, data risk, IAM risk, API risk, AI risk, and more. 

The Orca Platform makes it easy and efficient to address and manage compliance issues, monitor statuses, and report on compliance.

  • Compliance remediation: For each compliance issue, the Orca Platform automatically offers suggested remediation instructions, the ability to auto-remediate, and AI-powered remediation, which leverages GenAI to produce remediation steps tailored to your remediation process. Orca also offers two-way integrations with Jira and ServiceNow, allowing you to create tickets in Orca and delegate remediation tasks to the relevant team members. Using Orca’s Automations feature, you can build workflows that automatically create and assign Jira or ServiceNow tickets for specific compliance use cases, as well as auto-remediate issues.
  • Compliance monitoring: The Orca Platform automatically tracks your current compliance status and continually updates it to reflect any changes to your environments.
  • Compliance reporting: The Orca Platform enables you to export compliance reports on-demand and in multiple formats for different use cases. This includes PDF format for sharing with management and external stakeholders, as well as CSV and JSON formats for more granular information. You can also schedule reports for Orca to send on a one-time or recurring basis to an email address (or multiple), Slack channel, or storage bucket. 
IAM Misconfiguration Remediation Options inside Orca Platform
Orca offers multiple remediation options, including Auto Remediation, Orca suggested remediation steps, and AI-powered remediation
Exporting compliance report from Orca Cloud Securty platform
Orca offers the ability to export compliance reports in multiple formats

Reinforcing our confidence was the recent audit and report administered byGRSee Consulting, an independent third-party QSA. GRSee has validated that the Orca Cloud Security Platform enables all organizations (Level 1 – 4) to meet PCI DSS compliance requirements, whether via a Report on Compliance (RoC) or SAQ.

Download GRSee PCI DSS Report

Learn more about how Orca fully supports your PCI compliance needs 

Orca is pleased to announce our SAQ D certification, recognizing what it means to our customers, partners, and other stakeholders. Multi-cloud compliance remains a core focus of Orca as we hold ourselves to the highest security standards, knowing this creates the necessary conditions for your organization to thrive in the cloud—safely and securely. 

Orca enables your organization to achieve continuous PCI DSS compliance for your multi-cloud environments. We offer more than 150 compliance frameworks—including CIS Benchmarks—and automated features for compliance monitoring, reporting, and remediation. 

The Center of Internet Security (CIS) has certified the Orca Cloud Security Platform across 24 cloud frameworks. This certification validates that Orca accurately identifies any configurations that deviate from best practices in more than 60 CIS Benchmarks. 

Schedule a demo to see how the Orca Platform can enhance your compliance efforts.

Further reading