07/13/2011

Doing Their Job: Is Shift4 PCI Compliant?

* This document has been updated for clarification of merchants’ responsibilities in light of PCI DSS requirement 12.8.

We have received a number of requests recently from clients seeking to confirm Shift4’s PCI compliance status. For those who are curious, here is the short answer: Yes, Shift4 is a PCI DSS validated Level 1 Service Provider and as such complies with (and exceeds) the PCI DSS requirements of annual onsite PCI security assessments and quarterly vulnerability scans.

The issue here is not that you’re verifying that we’re compliant – verifying that is a good thing. You should be vigilant in ensuring all of your vendors and service providers are secure and compliant with the Payment Card Industry Data Security Standard (PCI DSS). Our problem with this comes when you are asked to seek this information on behalf of your acquiring bank/processor, because that’s not your job, and – as merchant advocates – it annoys us when banks and processors make you do their busy work.

According to PCI DSS requirement 12.8, it is your responsibility to manage your service providers in accordance with a policy of your own design. That policy should include some method of vetting (in accordance with 12.8.3), which can be as easy as requesting a copy of our Certificate of Compliance (found here).

When you complete your Self Assessment Questionnaire and check “In Place” for Requirements 12.8.1 – 12.8.4, you are essentially attesting to your acquiring bank that you have policies in place to manage service providers and that you are indeed doing so.

Because your acquiring bank faces potential liability should you be breached, many banks will, to protect themselves, ask you to prove that you are properly managing service providers in compliance with requirement 12.8. This is acceptable, but if they ask for anything more from you than a verification that you are complying with 12.8, you can politely tell them to take a hike.

The bottom line is this: if your processor sends you a form and asks you to verify Shift4’s PCI compliance, tell them no. It’s not your job to placate them. You’ve verified that you’re in compliance with 12.8 and that’s all they need to know. If they want more information, they can find it themselves. They get paid the big bucks in terms of “interchange +” pricing; doing a little research won’t hurt them.

All the information they need about us is listed on the Visa and MasterCard global service providers lists. If they want more information about Shift4 and our security and compliance practices than is listed there, they can find it in our Service Provider Management Frequently Asked Questions document.