· security · compliance · agentic-commerce
The Compliance Floor: Why PCI DSS, PCI PIN and ISO 27001 Are the Minimum for Agentic Commerce
When software spends money while you sleep, promises aren’t enough. Independent certification is how every party in an agentic transaction knows it’s safe — and Orchard28 holds that bar today.
David Broderick Founder & Head of AgentsWe’ve written before about the engineering that keeps an Orchard28 agent inside its guardrails — capped single-use cards, condition gates, kill switches. All of it is true, and none of it is enough on its own. Because “trust us, we built it well” is exactly the sentence every breached company said the week before.
Trust at scale doesn’t come from promises. It comes from independent parties auditing your systems against public standards, every year, with the right to fail you. In payments, three of those standards matter most: PCI DSS, PCI PIN and ISO 27001. Here’s what each one actually assures, who it assures, and why together they are the minimum entry ticket for agentic commerce.
PCI DSS: the card data never leaks
The Payment Card Industry Data Security Standard governs anyone who stores, processes or transmits cardholder data. It is brutally specific: segmented networks, strong cryptography for data at rest and in flight, strict access control on a need-to-know basis, continuous vulnerability scanning, penetration testing, logging of every touch of the data.
What it assures, and to whom:
- Cardholders know their card number isn’t sitting in a spreadsheet somewhere.
- Issuing banks and the card networks — Visa, Mastercard, American Express — know the platform meets the bar they themselves set before they let anyone near their rails.
- Merchants know that accepting a payment from the platform doesn’t import someone else’s data-handling risk into their own compliance scope.
PCI PIN: the secrets that authorise money stay secret
PCI PIN is the less famous, more paranoid sibling. It governs how PIN-based cardholder verification is protected: hardware security modules for every cryptographic operation, encryption keys handled under dual control and split knowledge — no single human being can ever reconstruct a key — and formally audited key ceremonies for creation, storage and destruction.
If PCI DSS protects the card number, PCI PIN protects the authorisation secret — the thing that turns a card number into money movement. For a platform whose whole product is authorised money movement, this is not optional hygiene. It’s the vault door.
It’s also why we’re proud to build our authorisation flow on CPoI (paywithCPoI.com): every Orchard28 transaction is committed by the cardholder’s own PIN, which makes it a fully authorised, card-present transaction — and shifts fraud liability to the issuer, where card-present rules put it. PCI PIN compliance is what makes handling that PIN responsibly possible at all.
ISO 27001: the whole organisation, not just the card vault
The first two standards are about payment data. ISO 27001 is about everything else: a certified Information Security Management System covering people, processes, vendors, physical premises and incident response. It forces the unglamorous disciplines — risk registers, access reviews, supplier due diligence, tested recovery plans — and it is re-audited continually, so it measures how you operate, not how you performed once.
For our customers’ lawyers and our merchants’ procurement teams, this is the certificate that answers the broader question: not “is the card data safe?” but “is this a company that takes security seriously everywhere?”
Why this is the floor for agentic commerce
Now add agents to the picture, and every one of these assurances stops being a nice-to-have:
- The human is absent at the moment of payment. In autonomous mode, nobody is watching the checkout. The integrity of the transaction rests entirely on the platform’s systems — so those systems must be independently attested, not self-declared.
- Machine speed compounds mistakes. An agent platform executes in milliseconds and at scale. A control failure that would cost one customer one bad charge in classic e-commerce could replay ten thousand times before breakfast. The standards’ obsession with monitoring, logging and key control exists precisely for this failure mode.
- Trust must travel between machines. As agentic commerce matures, merchants and networks will decide programmatically which platforms’ agents may transact. Certifications are the machine-verifiable handshake — the credential a counterparty can check without meeting you.
Put simply: in a world where software carries the wallet, certification is the driving licence. The platforms that hold it will be allowed on the road. The ones that don’t, won’t — and shouldn’t be.
Orchard28 delivers this today
Not on the roadmap. Not “working towards.” Today:
- PCI DSS — our approval and transaction layers, where payment credentials live and single-use virtual cards are issued, operate inside a fully compliant cardholder data environment. Agents run outside that boundary by design; they never enter PCI scope because they never touch card data.
- PCI PIN — every cryptographic operation behind an authorisation happens in certified hardware, with keys under dual control and split knowledge. No engineer at Orchard28 — no anyone at Orchard28 — can reconstruct the secrets that move money.
- ISO 27001 — our information security management system is certified and continually audited across all three offices, covering everything from vendor onboarding to incident response to how we wipe a leaver’s laptop.
This is the same architecture we describe across this site — the platform holds the wallet, the agent never does — with the difference that you don’t have to take our word for any of it. Auditors have already checked.
The floor, not the ceiling
We expect the bar for agentic commerce to keep rising — agent-specific attestations, mandate registries, real-time authorisation transparency. Good. We’ll be first in line, because the pattern is the one this industry has always followed: the standards come, the serious players certify, and the customers stop having to think about it.
That last part is the actual product. You should be able to hand an errand to an agent with the same unthinking confidence you hand a destination to a ride-hailing app. PCI DSS, PCI PIN and ISO 27001 are how that confidence gets built — audited, renewed, and already in place at Orchard28.