Xoxoday Plum does not collect, store, or process sensitive payment card data, so PCI-DSS compliance is not applicable — all reward transactions are securely processed through Xoxoday’s encrypted payout infrastructure.
Why PCI-DSS Does Not Apply to Xoxoday Plum
PCI-DSS (Payment Card Industry Data Security Standard) is a compliance framework designed for organisations that collect, transmit, or store cardholder data — such as credit card numbers, CVVs, or billing details. Xoxoday Plum operates as a rewards, gifting, and incentives platform rather than a payment processor, which places it outside the scope of PCI-DSS requirements entirely. Xoxoday Plum never handles raw payment card credentials on behalf of your organisation or your employees. No cardholder data passes through or is stored within Xoxoday Plum’s application layer, so the PCI-DSS mandate simply does not apply.

How Reward Transactions Are Secured
All reward transactions on Xoxoday Plum are routed through Xoxoday’s dedicated reward payout infrastructure. This infrastructure applies industry-standard encryption both in transit and at rest, ensuring that every payout — whether a gift card, prepaid voucher, or experience reward — is processed with the rigour expected of enterprise-grade financial workflows. For organisations running incentive programs integrated with Workday, SAP SuccessFactors, or Darwinbox, reward data exchanged between those systems and Xoxoday Plum travels through encrypted API channels. Reward notifications delivered via Slack or Microsoft Teams carry no sensitive financial payload, keeping the communication layer equally secure.

What Compliance Standards Xoxoday Plum Does Meet
While PCI-DSS is not applicable, Xoxoday Plum maintains compliance with internationally recognised security standards. Xoxoday holds ISO 27001 certification, covering information security management across the organisation’s people, processes, and systems. Xoxoday Plum also undergoes regular third-party audits aligned with SOC 2 Type II requirements, validating controls around security, availability, and confidentiality. These certifications give IT and procurement teams documented evidence for vendor risk assessments, making it straightforward to clear Xoxoday Plum through your organisation’s information security review process.

What to Include in Your Security Questionnaire
If your information security or legal team asks whether Xoxoday Plum is PCI-DSS compliant as part of a vendor due-diligence exercise, the accurate response is that PCI-DSS is not in scope. Xoxoday Plum does not touch payment card data at any point in the reward fulfilment workflow. Reference Xoxoday Plum’s ISO 27001 certification and SOC 2 Type II attestation as the relevant compliance evidence to submit in your review documentation.

Learn more: Xoxoday Plum Help Centre — System Requirement

Is Xoxoday Plum ISO 27001 certified?
Understand Xoxoday Plum’s ISO 27001 certification scope and what it covers for your organisation’s vendor security requirements.

Is Xoxoday Plum SOC 2 Type II compliant?
Learn how Xoxoday Plum’s SOC 2 Type II attestation validates security, availability, and confidentiality controls for enterprise customers.