Shift4 combines our industry-leading security technologies in a layered approach to provide unparalleled protection against costly data breaches. Your customers’ personal information will always be protected — during the transaction and long after — by the most reliable payment security technologies available.
If you retain service providers to process, store, or transmit cardholder data, you must have policies and procedures in place to manage those service providers. While there are no general guidelines to manage service providers, there are four specific PCI DSS requirements.
1. Maintain a list of service providers. (Requirement 12.8.1)
Shift4 Payments is a PCI DSS-validated Visa Third-Party Agent (TPA) and Mastercard Third-Party Processor (TPP). Shift4 Payments is not a shared hosting provider (see PCI DSS Requirement 2.4).
2. Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of your cardholder data. (Requirement 12.8.2)
When you sign on with Shift4 Payments, the Merchant Services Agreement will specify exactly what you can expect regarding the security of your cardholder data.
3. Ensure there is an established process for engaging service providers, including proper due diligence prior to engagement. (Requirement 12.8.3)
4. Maintain a program to monitor service providers’ PCI DSS compliance status annually. (Requirement 12.8.4)
Please refer to the following PCI DSS compliance documentation:
Find PCI DSS-validated service providers:
See the document below for the most recent Privacy Shield Policy.
See the documents below for the most recent updates on our security policies and procedures.
The following document constitutes Shift4’s official policy on its role as a Personal Data Processor under the European Union — General Data Protection Regulation (GDPR). Unless otherwise agreed upon by Shift4 and Client/Merchants, Shift4 will systematically process all Personal Data without prejudice and as detailed therein. Merchants having relationships with EU Data Subjects should: 1) register their legal entity with the Information Commissioner’s Office, https://ico.org.uk/, 2) submit their Data Controller Policy to the office of the Shift4 Data Protection Officer, GDPR@shift4.com, and 3) begin the process of consummating the accompanying Data Processor Addendum.
The following links can give you current information on the card associations’ security protocols.
The links below contain a wealth of information on IT and payment security from external sources that our team of experts consider reliable.