Overview

  • All access to the data centers is secured over HTTPS.
  • Card data is transmitted from the Point of Sale using point-to-point encryption (P2PE).
  • All data at rest is encrypted at the data center level and in native ACME apps.
  • ACME's APIs do not return PII unless a venue-owned private API key is supplied.


PCI Compliance

  • ACME PCI Level 1 proof
  • Cross-origin (CORS-enabled) B2C API for custom e-commerce checkouts: card data goes from the shopper's browser directly to ACME, so it never touches your servers and they stay out of PCI scope for that flow (the page that serves the checkout form itself typically remains subject to an SAQ A-EP self-assessment).
  • AOC (Attestation of Compliance) report can be shared upon request.


PII Adherence

  • ACME encrypts data at rest in line with the FIPS 140-2 federal standard for cryptographic modules.
  • PII is not exposed through ACME APIs unless the client authenticates with its private API keys, which only reveal the PII of that client's own visitors.


GDPR


Payment Fraud Shield

  • Automatic detection and blocking of card-fraud bots to reduce fraud costs (chargebacks and authorization fees).
  • See About ACME's Fraud Shield


AWS Compliance Information

  • PCI DSS 3.2 Level 1 Service Provider (AWS attestation, Dec 2018)
  • Overall AWS compliance information is located here. Because AWS's own compliance reports require an AWS account to download, ACME can supply additional compliance documentation on request to clients who do not have one.
  • ACME's workloads run in the AWS US East and US West regions, which hold a FedRAMP Moderate authorization; this matches the application's Moderate impact level. A High impact application, with the additional controls that level requires, would need to be hosted in AWS GovCloud (US).


508 Accessibility

ACME updates its Section 508 VPAT (Voluntary Product Accessibility Template) annually to document compliance with federal requirements that the software be accessible online and at the Point of Sale.


Encryption

  • ACME encrypts data at rest in line with the FIPS 140-2 federal standard for cryptographic modules.
  • ACME's Point of Sale card reader components are PCI compliant and encrypt card data in hardware at the reader for P2PE use cases.
  • PII collected in Point of Sale checkout flows is protected in transit by P2PE and at rest by iOS Data Protection, which generates a unique encryption key per file and wraps it with a class key tied to the device passcode and hardware key. Note that the default protection class only withholds the file key until the first unlock after boot; PII files should be written with the Complete class so the key is unavailable whenever the device is locked.
  • Overview and Detail of iOS security features can be found here.
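The following Swift snippet is an added example, not ACME's code, showing how a POS app would apply the Complete protection class discussed above and audit that nothing holding PII fell back to the default class. The function names, the receipt file name and the choice of the Application Support directory are illustrative assumptions; the Foundation APIs are real and iOS-only (the protection attribute is not present on macOS).

```swift
import Foundation

// Added example (not ACME code). Files written with a bare Data.write() get
// the app's default Data Protection class, normally
// NSFileProtectionCompleteUntilFirstUserAuthentication, whose per-file key
// stays unwrapped from the first unlock after boot until the next reboot.
// Asking for .completeFileProtection (NSFileProtectionComplete) makes the
// key unavailable every time the device locks.

/// Write sensitive bytes with the strongest Data Protection class.
func writeProtectedPII(_ data: Data, to url: URL) throws {
    // .atomic avoids leaving a half-written temp file with a weaker class.
    try data.write(to: url, options: [.completeFileProtection, .atomic])
}

/// Read back the protection class actually applied to a file.
func protectionClass(of url: URL) throws -> FileProtectionType? {
    let attrs = try FileManager.default.attributesOfItem(atPath: url.path)
    // The attribute is stored as an NSString raw value.
    guard let raw = attrs[.protectionKey] as? String else { return nil }
    return FileProtectionType(rawValue: raw)
}

/// Upgrade a file that was written earlier with the default class.
func upgradeProtection(of url: URL) throws {
    try FileManager.default.setAttributes(
        [.protectionKey: FileProtectionType.complete], ofItemAtPath: url.path)
}

/// Walk a directory and return every regular file not at the Complete class.
/// Run this in a debug build over the app's data directories to confirm the
/// claim that PII is protected, rather than assuming the default is enough.
func filesBelowComplete(in directory: URL) throws -> [URL] {
    let fm = FileManager.default
    var weak: [URL] = []
    guard let walker = fm.enumerator(at: directory,
                                     includingPropertiesForKeys: [.isRegularFileKey]) else {
        return weak
    }
    for case let file as URL in walker {
        let values = try file.resourceValues(forKeys: [.isRegularFileKey])
        guard values.isRegularFile == true else { continue }
        if try protectionClass(of: file) != .complete {
            weak.append(file)
        }
    }
    return weak
}

// Usage sketch (directory and file name are assumptions for illustration):
// let dir = FileManager.default.urls(for: .applicationSupportDirectory,
//                                    in: .userDomainMask)[0]
// try writeProtectedPII(receiptJSON, to: dir.appendingPathComponent("receipt.json"))
// for f in try filesBelowComplete(in: dir) { try upgradeProtection(of: f) }
```

One design caveat: a file at the Complete class cannot be opened while the device is locked, so a POS flow that must keep writing in the background after lock should use the Complete Unless Open class (`.completeUnlessOpen` / `NSFileProtectionCompleteUnlessOpen`) for that file and still keep anything read back later at Complete.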


Application and API Security

ACME uses Cloudflare in front of its applications and APIs to protect against:

  • Denial-of-service attacks, by using:
    • DNS service on an anycast network with black-hole routing enabled
    • WAF (Web Application Firewall) service, to mitigate layer 7 DDoS attacks
    • Rate Limiting service, to cap the number of API calls to ACME services and to throttle DDoS traffic on its way to them
  • DNS cache poisoning and man-in-the-middle attacks, by signing ACME's DNS zone with DNSSEC (this protects the integrity of name resolution; the confidentiality and integrity of the traffic itself rest on HTTPS)
  • Customer data compromise and abusive bots, by using:
    • WAF service with the OWASP core rule set (covering the OWASP Top Ten) and Cloudflare managed rules
    • Rate Limiting, to stop brute-force login attempts