February 7, 2012

How Shift4 Goes Beyond Compliance

Saying that PCI compliance can be a challenge is kind of like saying climbing Mt. Everest is slightly difficult. With the confusing state of the Payment Card Industry Data Security Standard (PCI DSS) today, merchants using legacy systems may understandably look at climbing Everest as a cake walk in comparison to maintaining compliance.
Shift4 not only understands and complies with PCI, we actually exceed its requirements and provide the lowest breach profile in the industry. The following are a few of the most frequently asked questions (FAQs) we receive about Shift4’s technology, PCI requirements, the Self-Assessment Questionnaire (SAQ), etc. We hope you can use this FAQ to answer the major questions you or your associates may have about how Shift4 stands out from the crowd in offering real security that goes beyond compliance.

How is Shift4 involved with PCI?
Shift4 was the first paying member of the PCI Security Standards Council. We were also the first payment card gateway to be certified with PCI DSS.

Is Shift4 a Level 1-compliant service provider?
Yes, Shift4 is a Level 1 service provider. We are qualified to provide service for any and all merchants. We also maintain current Visa Third Party Agent (TPA) and MasterCard Third Party Processor (TPP) registrations, and all other required certifications.

How secure are Shift4 services?
Shift4 actually exceeds the minimum security requirements of the PCI DSS.
• Instead of the minimum required quarterly external vulnerability scan by an Authorized Scanning Vendor (ASV), we have monthly scans.
• We also exceed the minimum required quarterly internal vulnerability scans: again, we scan monthly rather than quarterly, using two different vulnerability scanning systems.
• We have a dedicated Information Security staff whose primary role is to monitor security systems and respond to any nefarious activity against our systems.
• We have a dedicated compliance officer who performs mid-term security audits that go far beyond those of PCI DSS.

How does Shift4 take my system out of PCI scope?
Shift4’s proprietary technologies – the Universal Transaction Gateway® (UTG®), TrueTokenization®, 4Go®, and i4Go® – can be combined to stand in front of your point-of-sale system (even legacy systems) and become the payment application of record.

I have a legacy payment application but I don’t want to upgrade. Can Shift4 help me?
When Shift4’s Universal Transaction Gateway® (UTG®) is properly configured, it can become the payment application of record, taking your legacy payment application out of scope for PCI DSS. Because it will never again process, store, or transmit cardholder data, your legacy system becomes a business application, which does not fall under the scope of PCI or PA-DSS. Shift4 provides the UTG to the merchant at no cost.

How do TrueTokenization, i4Go, and 4Go reduce my PCI burden?
With TrueTokenization, you are no longer storing real cardholder data (CHD). This dramatically reduces your security breach profile. With 4Go or i4Go in place, your payment application will function as it always has, except that it will be processing, transmitting, and storing TrueTokens instead of CHD.
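The scope reduction described in the two answers above rests on one idea: the merchant's business application only ever sees a token, and the mapping from token back to the card number lives in a vault outside the merchant's environment. The following Python sketch is an added illustration of that idea; it is not Shift4's code and does not describe how TrueTokenization, 4Go, or i4Go are implemented internally. The `TokenVault`, `checkout`, and `merchant_db_holds_chd` names are assumptions made for the example, and the card number used is the publicly known Visa test number, not a real card. The tokens are made format-compatible with a 16-digit PAN (so a legacy application can store them unchanged) but are generated so that they deliberately fail the Luhn check, which means a scope review can tell token from cardholder data by inspection.

```python
import secrets
import string

# Constructed input: the well-known Visa test number, not a real card.
PAN_PLACEHOLDER = "4111 1111 1111 1111"


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check that every genuine PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip the spaces and dashes people type into card fields."""
    return pan.replace(" ", "").replace("-", "")


def is_acceptable_pan(pan: str) -> bool:
    """Syntactic PAN check: 13-19 digits that pass Luhn."""
    p = normalize_pan(pan)
    return p.isdigit() and 13 <= len(p) <= 19 and luhn_valid(p)


class TokenVault:
    """Hypothetical vault: the only component that holds the token -> PAN map.

    In a hosted-tokenization model this object lives inside the provider's
    PCI environment; the merchant application never instantiates it.
    """

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        p = normalize_pan(pan)
        if not is_acceptable_pan(p):
            raise ValueError("not a syntactically valid PAN")
        if p in self._token_by_pan:
            # Same card -> same token, so the merchant can recognise a
            # returning customer without ever seeing the PAN.
            return self._token_by_pan[p]
        while True:
            # Random leading digits; the real last four are kept so receipts
            # and customer-service lookups still work.
            token = "".join(secrets.choice(string.digits)
                            for _ in range(len(p) - 4)) + p[-4:]
            # Reject candidates that collide or that happen to pass Luhn,
            # so no token can ever be mistaken for a real PAN.
            if token in self._pan_by_token or luhn_valid(token):
                continue
            break
        self._pan_by_token[token] = p
        self._token_by_pan[p] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (i.e. the provider) can get the PAN back."""
        return self._pan_by_token[token]


def checkout(vault: TokenVault, merchant_db: list, pan: str, amount_cents: int) -> str:
    """The merchant-side flow: exchange the PAN for a token and keep only the token."""
    token = vault.tokenize(pan)
    merchant_db.append({"token": token, "amount_cents": amount_cents})
    return token


def merchant_db_holds_chd(merchant_db: list) -> bool:
    """Scope check a reviewer might run: does any stored field look like a PAN?"""
    for row in merchant_db:
        for value in row.values():
            if isinstance(value, str) and is_acceptable_pan(value):
                return True
    return False


if __name__ == "__main__":
    vault = TokenVault()
    orders = []
    tok = checkout(vault, orders, PAN_PLACEHOLDER, 1999)
    print("token stored by merchant:", tok)
    print("merchant DB holds cardholder data:", merchant_db_holds_chd(orders))
```

The point of the `merchant_db_holds_chd` check is that it can be answered without the vault: because every token fails Luhn by construction, a stored value that passes Luhn is cardholder data that leaked past the tokenization boundary, and that is exactly the condition that would pull the business application back into PCI scope.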

How can Shift4 help me on the Self-Assessment Questionnaire (SAQ)?
With proper implementation of Shift4 technology and meeting certain other criteria, you may qualify to complete the shorter SAQ-C (80 questions) versus the SAQ-D (283 questions). Your merchant bank and/or QSA will assist you in determining which SAQ is required.