Privacy & security
BlinkCard is distributed as a mobile and web Software Development Kit (SDK) or as a containerized API that is hosted on your infrastructure.
The SDK processes completely on-device, only leveraging outbound connections to validate the license and report the usage of the SDK. All processing of card images, extraction of data, and liveness analysis occurs exclusively client-side.
The self-hosted API option is deployed in your infrastructure, offering server-side extraction of card images and liveness analysis from single frames. The payment card data never leaves your environment, minimizing the transference of sensitive card data.
Data processing
With BlinkCard, card data is never processed by Microblink. Microblink functions as a provider of processing tools and does not engage in the processing of personal data found within scanned document images. Microblink assumes the role of a personal data processor only when the customer shares personal data with Microblink as part of Microblink provision of support services (for example, for triage purposes or bug resolution).
In such situations or if there is an explicit arrangement for personal data sharing between Microblink and the customer, an appropriate data processing agreement (DPA) or a similar agreement are needed to govern each party's responsibilities and ensure the lawful and secure processing of personal data. Otherwise, the DPA between the parties is not required.
PCI DSS compliance
PCI Security Standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. PCI Data Security Standard (DSS) applies to all entities that store, process, and/or transmit cardholder data, so if you accept or process payment cards, the PCI DSS applies to you.
As Microblink only provides an SDK or a Self-Hosted API, we don’t qualify as a vendor that develops payment solutions that store, process or transmit cardholder data and/or sensitive authentication data as part of authorization or settlement.
By providing the SDK or a Self-Hosted API, Microblink also doesn’t act as a service provider because we are not directly involved in the processing, storing, or transmitting of cardholder data on behalf of another business.
Customers who integrate BlinkCard for transaction processing and storage of transaction and/or cardholder information might be required to undergo PCI DSS certification.
Secure development practices
Although Microblink does not have PCI DSS Attestation of Compliance we have implemented best practices in secure software development required by PCI DSS. Our software developers have regular training on software security and coding techniques, our code repository is adequately protected, and changes in code are reviewed and tested. Furthermore, penetration tests are regularly conducted based on risk assessment and for every major change. All these activities are also periodically audited for our ISO 27001:2022 certification related to the standard’s requirements.
The use of Microblink product (SDK; Self-Hosted API) in production is governed by General Terms and conditions for using Microblink technology. Appendix 1 does not apply to customers who purchase a license to use BlinkCard.
For customers who are testing and evaluating the technology, the governing terms are outlined in the Terms of Use.