Security CornerLearn About Security and Best Practices

The Industry LeaderIn Payment Security

“Our mission is to apply pervasive and robust information assurance processes and technologies for partners, customers, and corporate entities to assure the availability, integrity, and confidentiality of information assets to protect information technology resources and facilities.”

-Shift4 Payments Security and Compliance Department Mission Statement

Layered Payment Security

EMV

Our solution is certified for U.S. and Canadian processing, with dozens of device options and unique features like quick chip and offline EMV processing.

Point-to-Point Encryption

Our PCI-validated P2PE solution encrypts cardholder data at the terminal, so that sensitive cardholder data never enters the merchant environment.

Tokenization

We invented the industry’s first payment data tokenization solution, which replaces stored card data with a random, alphanumeric value that is useless in the hands of data thieves.

These three solutions work together to provide unparalleled protection against costly data breaches. Your customers’ personal information will always be protected — during the transaction and long after — by the most reliable payment security technologies available.

Learn More

Here you will learn about accepted security principles, simplified PCI compliance, and industry best practices. Click to jump to a specific section.

PCI DSS Requirement 12.8 —
— Service Provider Management

If you retain service providers to process, store, or transmit cardholder data, you must have policies and procedures in place to manage those service providers. While there are no general guidelines to manage service providers, there are four specific PCI DSS requirements.

1. Maintain a list of service providers. (Requirement 12.8.1)

Shift4 Payments is a PCI DSS-validated Visa Third-Party Agent (TPA) and Mastercard Third-Party Processor (TPP). Shift4 Payments is not a shared hosting provider (see PCI DSS Requirement 2.4).

2. Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of your cardholder data. (Requirement 12.8.2)

When you sign on with Shift4 Payments, the Merchant Services Agreement will specify exactly what you can expect regarding the security of your cardholder data.

3. Ensure there is an established process for engaging service providers, including proper due diligence prior to engagement. (Requirement 12.8.3)

4. Maintain a program to monitor service providers’ PCI DSS compliance status annually. (Requirement 12.8.4)

Please refer to the following PCI DSS compliance documentation:

Shift4 ASV Scan Attestation Shift4 Payments PCI DSS Attestation of Compliance

Find PCI DSS-validated service providers:

Visa’s Global List Mastercard’s Global List Mastercard’s Site Data Protection Program

Shift4’s PCI-Validated True P2PE®
(Point-to-Point Encryption) Solution

Shift4 P2PE Attestation of Validation Shift4 P2PE Self-Attestation of Validation PCI P2PE Instruction Manual (PIM) — True P2PE

Privacy Shield Common and
Supplementary Principles

See the document below for the most recent Privacy Shield Policy.

Shift4 Privacy Shield Policy

Shift4 Security Policies and
Important Information

See the documents below for the most recent updates on our security policies and procedures.

PCI DSS Roles and Responsibilities Universal Transaction Gateway Change Management Internet-Borne Malicious Activity on Shift4 Systems What to Do if You Think You May Have Been Breached Simple Clues to Early Detection of a Computer Breach

European Union —
General Data Protection Regulation (GDPR)

The following document constitutes Shift4’s official policy on its role as a Personal Data Processor under the European Union — General Data Protection Regulation (GDPR). Unless otherwise agreed upon by Shift4 and Client/Merchants, Shift4 will systematically process all Personal Data without prejudice and as detailed therein. Merchants having relationships with EU Data Subjects should: 1) register their legal entity with the Information Commissioner’s Office, https://ico.org.uk/, 2) submit their Data Controller Policy to the office of the Shift4 Data Protection Officer, GDPR@shift4.com, and 3) begin the process of consummating the accompanying Data Processor Addendum.

Shift4 Payments General Data Protection Regulation (GDPR) Policy Statement Shift4 Payments General Data Protection Regulation (GDPR) Addendum

PA-DSS Attestations of Validation

Below are the annual PA-DSS Attestations of Validation (AOV) for Shift4’s PCI-validated payment solutions.

AOV for Shift4’s Universal Transaction Gateway (PCI version 3.2) AOV for Shift4’s 4Go (PCI version 3.2) AOV for Shift4’s Secure Suite 4 MICROS 3700 (PCI version 3.2) AOV for Shift4’s Secure Suite 4 MICROS 9700 (PCI version 3.2)

Credit Card Association Security Programs

The following links can give you current information on the card associations’ security protocols.

American Express Discover JCB Mastercard Visa

Security Education

The links below contain a wealth of information on IT and payment security from external sources that our team of experts consider reliable.

2019 PCI DSS Infographic from Security Metrics 2019 Data Breach Investigations Report 2019 Trustwave Global Security Report 2019 Internet Security Threat Report 2019 National Cyber Security Centre Annual Review Skimming Prevention: Best Practices for Merchants McAfee Labs 2019 Threats Predictions