PCI DSS v4.0 Shared Responsibility Matrix
Auctria.com Inc. | Issued for customer use under PCI DSS Requirement 12.9
Version 1.1 | May 29, 2026
This matrix describes the division of PCI DSS v4.0 responsibilities between Auctria and its customers. It is provided in accordance with PCI DSS Requirement 12.9.2 to support customers' own compliance programs.
- ✓ Auctria — Auctria owns and is solely responsible for this requirement within the platform.
- ✓ Customer — The customer owns and is solely responsible for this requirement within their environment.
- ✓ Shared — Both parties have responsibilities. See the Notes column for the specific split.
Customers may present this document to their own QSA or assessor as evidence of Auctria's responsibilities. Auctria's current Attestation of Compliance (AOC) is available on request.
| Req | Requirement / Control Area | Auctria | Customer | Shared | Notes |
|---|
| 1.1 | Security policies and operational procedures for network security controls | | | ✓ | Each party maintains policies covering their own environment |
| 1.2 | Network security control (NSC) configuration, change management, and review for the Auctria platform | ✓ | | | Auctria manages all platform-side firewall/NSC rules; customers must manage NSCs on their own networks |
| 1.3 | Network access controls restricting inbound/outbound traffic to what is necessary | ✓ | | | Auctria enforces CDE network segmentation |
| 1.4 | Controls between trusted and untrusted networks, including CDE boundary protection | ✓ | | | Auctria's cloud infrastructure (AWS) provides this boundary |
| 1.5 | Risks from connecting to untrusted networks managed on customer-controlled devices | | ✓ | | Customers are responsible for security controls on their own devices connecting to Auctria |
| Req | Requirement / Control Area | Auctria | Customer | Shared | Notes |
|---|
| 2.1 | Security policies and procedures for system configuration | | | ✓ | Each party maintains policies for their own systems |
| 2.2 | System components configured per hardening standards; unnecessary services removed | ✓ | | | Auctria manages configuration of all platform components |
| 2.3 | Wireless environments configured securely | | ✓ | | Customers are responsible for any wireless access on their premises |
| Req | Requirement / Control Area | Auctria | Customer | Shared | Notes |
|---|
| 3.1–3.7 | Protection of cardholder data — tokenization and storage by payment partners | | | ✓ | For online/hosted payment flows and card-present transactions using encrypted hardware readers (Stripe Terminal WisePad, M2), card numbers are encrypted or tokenized at point of entry and never transmitted through Auctria's application layer. For card-present transactions using USB keyboard-wedge (HID) readers, the PAN transits the Auctria application layer prior to tokenization — Auctria ensures it is never logged or persisted. Customers must not store card data outside the designated payment flow. |
| Req | Requirement / Control Area | Auctria | Customer | Shared | Notes |
|---|
| 4.1 | Security policies and procedures for data-in-transit protection | | | ✓ | Each party maintains policies covering their own transmission paths |
| 4.2 | Strong cryptography (TLS 1.2+) used for all transmissions over open/public networks | ✓ | | | Auctria enforces TLS on all platform endpoints. For online payment flows and encrypted hardware readers (WisePad, M2), card numbers never traverse Auctria's application layer. For USB keyboard-wedge (HID) readers, the PAN transits the application layer in transit to tokenization — Auctria ensures it is protected and never exposed beyond that handoff. Customers must use HTTPS for all integrations. |
| Req | Requirement / Control Area | Auctria | Customer | Shared | Notes |
|---|
| 5.1–5.2 | Anti-malware policies and solution deployment on Auctria platform components | ✓ | | | Auctria manages threat detection on platform infrastructure |
| 5.3–5.4 | Anti-malware solution management on customer-controlled systems and end-user devices | | ✓ | | Customers are responsible for anti-malware on their own workstations and systems |
| Req | Requirement / Control Area | Auctria | Customer | Shared | Notes |
|---|
| 6.1–6.3 | Secure development practices, vulnerability management, and patch management for Auctria platform code | ✓ | | | Auctria is responsible for secure development, patching, and vulnerability management of the platform |
| 6.4 | Integrity and security of payment page integrations on Auctria-hosted pages | | | ✓ | Auctria is responsible for the integrity of payment integrations on its platform. Customers must not modify, replace, or inject scripts into any Auctria-hosted payment flow. |
| 6.5 | Change control, environment separation, and test data management for Auctria releases | ✓ | | | Auctria manages its own software release and change management process |
| Req | Requirement / Control Area | Auctria | Customer | Shared | Notes |
|---|
| 7.1–7.2 | Access control model and least-privilege access assignment for Auctria platform | ✓ | | | Auctria enforces role-based access control on the platform |
| 7.3 | Access control system configured with deny-all default for the Auctria platform | ✓ | | | |
| 7.2 (customer admin) | Access assigned to customer administrator accounts within Auctria | | ✓ | | Customers are responsible for managing which of their staff have admin access in Auctria and applying least privilege |
| Req | Requirement / Control Area | Auctria | Customer | Shared | Notes |
|---|
| 8.2–8.3 | User identity management, MFA enforcement, and authentication policies on the Auctria platform | ✓ | | | Auctria enforces MFA, password complexity, lockout, and session timeout for all platform users |
| 8.6 | Management of application and system accounts within the Auctria platform | ✓ | | | |
| 8.2 (customer users) | Customer responsibility to manage their own user accounts: provisioning, deprovisioning, and access reviews | | ✓ | | Customers must promptly remove access for departed staff and review active accounts periodically |
| Req | Requirement / Control Area | Auctria | Customer | Shared | Notes |
|---|
| 9.1–9.4 | Physical security of Auctria platform infrastructure and cloud environment | ✓ | | | Auctria's infrastructure runs on AWS; physical data centre security is managed by AWS. Customers have no physical access to Auctria systems. |
| 9.5 | Protection of point-of-interaction (POI) devices — card readers and tap-to-pay | | | ✓ | Applies to Auctria-provisioned encrypted readers (WisePad, M2). Auctria manages device software and firmware; customers are responsible for physical custody, tamper inspection, and staff training at event venues. See POI Device Responsibilities document for details. Note: USB keyboard-wedge (HID) readers are generic devices not provisioned by Auctria and are not covered by the POI document. |
| Req | Requirement / Control Area | Auctria | Customer | Shared | Notes |
|---|
| 10.2–10.6 | Audit logging, log integrity, and log review for Auctria platform components | ✓ | | | Auctria maintains comprehensive audit logs for all platform activity |
| 10.7 | Detection and response to failures of critical security controls on the Auctria platform | ✓ | | | |
| 10.2 (customer env) | Audit logging for customer-controlled systems that connect to or integrate with Auctria | | ✓ | | Customers are responsible for logging within their own infrastructure and integration layers |
| Req | Requirement / Control Area | Auctria | Customer | Shared | Notes |
|---|
| 11.1 | Security policies and procedures for testing | | | ✓ | Each party maintains testing policies for their own environment |
| 11.3.1 | Internal vulnerability scanning of Auctria platform (quarterly, authenticated, post-change) | ✓ | | | Auctria performs credentialed internal scans; customers must perform their own internal scans if they have in-scope systems |
| 11.3.2 | External vulnerability scanning by ASV (quarterly) | ✓ | | | Auctria contracts and manages ASV scans of its external-facing infrastructure |
| 11.4 | Penetration testing of Auctria platform (annual internal and external) | ✓ | | | Auctria commissions annual pen tests; results and remediation are internal to Auctria |
| 11.5 | IDS/IPS and file integrity monitoring on the Auctria platform | ✓ | | | |
| 11.6 | Tamper detection for payment page scripts loaded in consumer browsers | ✓ | | | Auctria monitors its payment pages for unauthorized changes. Customers must not alter payment page code. |
| Req | Requirement / Control Area | Auctria | Customer | Shared | Notes |
|---|
| 12.1–12.2 | Overall information security policy and acceptable use policy | | | ✓ | Each party maintains its own information security policies |
| 12.3 | Targeted risk analysis and technology reviews | | | ✓ | Each party conducts its own risk analysis for its environment |
| 12.4 | PCI DSS compliance program and executive accountability for the Auctria platform | ✓ | | | Auctria maintains a formal PCI DSS compliance program; customers rely on Auctria's AOC for platform coverage |
| 12.5 | PCI DSS scope management and asset inventory for Auctria platform | ✓ | | | Customers must confirm whether their own systems are in scope and inform Auctria of significant changes |
| 12.6 | Security awareness training for Auctria personnel | ✓ | | | Customers are responsible for security awareness training for their own staff |
| 12.6 (customer) | Security awareness training for customer personnel who use or administer Auctria | | ✓ | | |
| 12.8 | Third-party service provider (TPSP) management — Auctria's vendor relationships | ✓ | | | Auctria manages due diligence and compliance monitoring of its own subprocessors |
| 12.9 | Auctria acknowledgment of responsibility for requirements it manages on behalf of customers | ✓ | | | Auctria provides a signed AOC and this responsibility matrix to customers on request |
| 12.10 | Incident response plan and testing for Auctria platform | ✓ | | | Auctria maintains its own IR plan; customers must maintain their own IR plan for their environment. Auctria will notify customers of any security incidents affecting their data per contractual obligations. |
Last reviewed: May 2026