Print Reach Pay and PCI Compliance and AOC Follow
Some Merchant Processors require periodic PCI scanning and compliance with PCI standards. In some cases, Merchants will charge you extra fees if your scan isn't complete or report you're non-compliant. Generally, PCI scanning is recommended, however, it is not required, nor will Print Reach invoke any type of fee if it's not complete.
At Print Reach, we reduce your risk factors by having your systems store Credit Card Tokens and not Credit Card numbers. These tokens are like a password that only allows you to process transactions and they must be verified by our secure servers. This removes the risk associated with your data and systems and does not put the Credit Cards at risk.
If you are curious to understand what PCI standards apply to your business you can read more in-depth information in the link below. This article gives you a Self-Assessment Questionnaire depending on the services you offer to better understand your needs. You should review all of your services to find the correct questionnaire and typically we find most merchants fall under PCI SAQ C.: https://www.securitymetrics.com/blog/pci-standards-which-pci-saq-right-my-business
According to the PCI DSS, “Tokenization solutions do not eliminate the need to maintain and validate PCI DSS compliance, but they may simplify validation efforts by reducing the number of systems for which PCI requirements apply."
It is true that the elements of the tokenization system are part of the cardholder data environment and therefore in scope for PCI requirements. Thankfully those systems are handled by Print Reach and Fullsteam which means those systems are out of scope for the business taking the payments. (Your Business). Our tokenization system is approved through the PCI SSC and we protect our tokenization systems and processes with strong security measures.
PCI DSS also has a document called an Attestation of Compliance (AoC) which is a declaration of an organization's compliance levels. While Print Reach does not have an AOC our our parent company Fullsteam who is the payment facilitator does have an up-to-date AOC. Below are the websites for Visa and Mastercards list of payment facilitators which also states the validation they received.
- https://www.mastercard.us/en-us/business/overview/start-accepting/payment-facilitators.html
- https://www.visa.com/splisting/searchGrsp.do
On these lists, you will notice Fullsteam Operations LLC which is our parent company that handles all the processing of the payments.
Print Reach itself does not store or process any Credit Card details and only has information on tokens for transactions.
With that said If you find that you are in need of PCI compliance scanning then Print Reach has a PCI Partner called Security Metrics. If this is something you need please send a support ticket to Print Reach and we will request a new account for you through our support team.
This process involves working directly with Security Metrics to answer a questionnaire. Merchants will need to fill out a new questionnaire, they can't be transferred. During the setup of Security Metrics, the Merchant will need to provide their Public IP address(s).
Once set up, the scan will automatically happen quarterly and send email results.
If any help is needed filling out the questionnaire, you can contact the Security Metrics support team: 801-705-5700