trust is the foundation of all successful business relationships - especially when handling sensitive payment data. At bnetwork, ensuring the highest level of PCI DSS compliance goes beyond annual audits or standard checklists. Our ten-year partnership with Almond demonstrates a sustained commitment to enterprise-grade security, rigorous transparency, and continuous improvement.

understanding PCI DSS compliance - and why it matters

PCI DSS (Payment Card Industry Data Security Standard) is a strict set of security requirements - covering everything from network security to access control - designed to protect cardholder data. Many companies claim compliance simply by integrating third-party payment gateways and fulfilling minimal requirements through self-assessment. However, genuine PCI DSS compliance requires robust internal controls, ongoing security practices, and continuous vigilance - qualities often missing in organizations that view compliance as a mere checkbox exercise.

true compliance provides customers confidence that sensitive payment card data is handled securely. At bnetwork, achieving this standard involves careful planning, continuous monitoring, and strategic investment in security.

a strategic partnership: ten years with Almond

for ten years, bnetwork has collaborated closely with Almond, a respected compliance auditing partner. This long-term partnership allows bnetwork to consistently improve security practices, going well beyond baseline requirements. Each annual PCI DSS evaluation conducted alongside Almond offers an opportunity to strengthen internal processes, enhance security processes, and proactively adopt the evolving requirements of the standard.

insights from our experts

interview with our Chief Product Officer, Bruce Gonzalvez (BG) and Almond’s Senior Security Consultant, Frederic Metz (FM):

what was the initial strategic driver behind your commitment to PCI DSS compliance, beyond it being a simple requirement?

BG: “For bnetwork, the security of our customers’ data is a priority and one of the foundations of our company. We see it as a matter of respect for every person who comes to make a reservation on our websites, ensuring we do not compromise their personal information, and especially their payment details. With this in mind, we approached the PCI DSS standard with full commitment. This internationally recognized security framework requires a high level of expertise, which we also found in our trusted partners, Almond and Claranet, who manage our IT infrastructure. Over time, PCI DSS has become essential, with many stakeholders, from the banks we work with to event organizers, requiring it as a condition for collaboration.

The standard continues to evolve, and each year we evolve alongside it. We regularly perform multiple checks and audits of our information systems to ensure they meet the highest security standards.”

how does your architectural strategy - specifically avoiding direct card data management - shape your overall approach to compliance?

BG: “At bnetwork, we have made a deliberate decision not to store or process payment card data within our own information systems. When a user proceeds to payment, they are securely redirected to a trusted partner such as Worldline or Stripe to complete the transaction. We neither store nor transmit cardholder data ourselves.
However, this does not mean that nothing must be done on our platforms. PCI DSS requirements remain very strict in this context. The point on our booking websites where we redirect users to payment is a critical security “bastion.” A malicious actor could attempt to insert harmful code or redirect traffic elsewhere, which would be catastrophic. This is why we apply and rigorously follow the PCI DSS SAQ A standard. Simply redirecting to a trusted payment provider is not enough to ensure compliance. Our approach is therefore twofold: to protect this critical handover point with the highest security standards under PCI DSS, and to rely on internationally recognized, robust payment platforms. All of this is done with the guidance and oversight of our partner, Almond.”


what is the strategic value of partnering with an external QSA (Qualified Security Assessor) like Almond, rather than handling compliance assessments internally?

BG: “Almond is one of the leading players in this sector, having provided highly qualified PCI DSS experts for many years, known as QSAs (Qualified Security Assessors). Working with Almond ensures that our compliance with PCI DSS requirements is both rigorous and genuine. Since PCI DSS is constantly evolving, our QSA from Almond, Frédéric, ensures we stay up to date by turning new requirements into concrete actions. We work closely with Claranet, who manages our AWS cloud environment, with both AWS and Claranet being PCI DSS certified. Our in-house IT team, responsible for developing our platforms and regularly trained in security, completes this setup. Together, these three teams form a coordinated effort to meet the standard and apply the highest security practices.
The PCI DSS compliance form now includes a specific section for Qualified Security Assessors like Almond, validating that all required controls have been effectively implemented. Our partnership with Almond goes beyond assessments, as they also perform the mandatory “external vulnerability scans (ASV scans)” required by the standard. Working with Almond is also a differentiating factor. Some companies limit themselves to answering the PCI DSS questionnaire without the guidance of a specialist, often at the expense of cardholder data security. By contrast, our collaboration ensures we meet the standard with the highest level of rigor and expertise.”


having worked with bnetwork for ten years, how would you describe the evolution of their PCI strategy and overall security posture?

FM: “Complying with the PCI DSS standard can be very complex and, sometimes, not enough to ensure a strong level of security. Since the first collaboration 10 years ago, we have seen bnetwork’s PCI DSS strategy evolve by simplifying its environment. This was achieved by removing all card data from bnetwork’s infrastructure, and by delegating some sensitive activities to PCI DSS compliant partners like AWS or Claranet. This “descoping” strategy was key to enhancing security and making PCI DSS compliance easier.”

how has your advisory role with bnetwork evolved beyond a standard support? Can you describe how the partnership itself has adapted over time?

FM: “As a QSA company, Almond’s initial role was to assist bnetwork in completing PCI DSS documentation, such as the SAQ or AoC. Following this, Almond provided recommendations to simplify bnetwork’s PCI DSS environment by delegating cardholder management to PCI DSS service providers. Over the years, QSA activities have evolved to confirm bnetwork’s scope and perform all testing procedures required by the standard, ensuring a high level of confidence.”

could you share an instance where you provided security advice that went beyond mere compliance, focusing on proactive defence?

FM: “SAQ-A is a very limited subset of PCI DSS requirements. Even if bnetwork could simply apply the SAQ-A requirements, this would not be enough to ensure full security. Over the years, Almond has provided recommendations to improve security, such as multi-factor authentication, developer training and system monitoring. These are examples of security measures which are not required by SAQ-A, but implemented by bnetwork.”

what is a common compliance oversight you see in the industry, and how does bnetwork’s approach consistently avoid that particular challenge?

FM: “Delegating certain services to third parties is a good way for companies to remain focused on their core business but can complicate PCI DSS compliance if those providers affect security. As service providers, third parties must meet all applicable PCI DSS requirements, not just a subset like SAQ-A for merchants. This could translate into hundreds of requirements, which can be overwhelming to audit.
bnetwork addresses this by only hiring third parties that are already PCI DSS compliant for hosting, IT services and card payment management. This way, these partners provide a QSA-signed PCI DSS attestation (AoC), providing a high level of trust and simplifying bnetwork’s own PCI DSS assessment.”

from your QSA perspective, what is a concrete example of a measure bnetwork takes that directly enhances the security and trust for their end-customers?

FM: “First of all, hiring a QSA to perform annual assessments - even when a simple self-assessment would suffice - demonstrates bnetwork’s strong commitment to PCI DSS compliance. Furthermore, recognizing that PCI DSS represents only a baseline for security, bnetwork decided to implement additional security measures to fortify its infrastructure.
This approach underscores bnetwork’s dedication to safeguarding customer data.”

many see compliance as a ceiling. How does bnetwork treat it as a foundation, and what does "going beyond" look like in practice?

BG: “At bnetwork, PCI DSS is not the finish line, but the starting block. We use compliance as the foundation for a wider security culture that goes beyond the standard, from a “no card data” architecture to hardening every touchpoint on our booking platforms. Year-round testing, training, and collaboration with certified partners ensure we maintain the highest level of protection for our customers’ data.”

how does this deep investment in compliance and security translate into a competitive advantage and build tangible trust with your clients?

BG: “For bnetwork, strong compliance and security are not just operational requirements, they are part of our value proposition. By protecting every reservation with PCI DSS-certified environments, secure architecture, and trusted payment partners, we give clients the assurance that their customers’ data is handled with the highest level of care. This transparency and rigor build tangible trust: event organizers, banks, and partners know they can rely on us not only to meet the standard, but to exceed it in practice. That trust often becomes a decisive factor when clients choose a partner, turning our investment in security into a clear competitive advantage.”

additional measures implemented by bnetwork

beyond standard compliance requirements, bnetwork has implemented comprehensive security measures that include:

  • real-time security monitoring and vulnerability scans: Continuous security monitoring instead of periodic checks, enabling quick identification and mitigation of potential threats.
  • extensive employee security training: Frequent, role-specific training sessions to ensure the entire organization maintains security awareness year-round.
  • proactive third-party risk management: Diligent vetting and regular assessments of all vendors, guaranteeing the entire ecosystem meets rigorous security standards.

transparency that builds trust

at bnetwork, transparency about compliance and security standards strengthens long-term trust with clients. By clearly communicating our security measures and maintaining open dialogue about our practices, we ensure clients understand exactly how their sensitive data is protected at every stage.

to learn more about bnetwork’s security and compliance practices, please contact our team directly for documentation or to discuss your specific security requirements.

september 2025