What does it mean to be HIPAA, PCI Level 1, VP2PE, and QIR compliant in the world of credit card processing? Learn the lingo and know what certifications to verify when choosing a payment gateway or any solution that touches payments.
If you accept credit cards, you must comply with the Payment Card Industry Data Security Standard (PCI DSS). There is no exception. Anyone who tells you that using a particular solution removes your responsibility is dead wrong. The mission of the PCI Security Standards Council (PCI SSC) is to enhance payment account data security by fostering broad adoption of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International. The council sets the standards; the card brands levy penalties and fines for non-compliance.
PCI Level 1 Service Provider
If a third-party entity provides services for, or on behalf of, a merchant, and those services control or could impact the security of cardholder data or of the transactions that are processed, that entity is a PCI Service Provider for the merchant and falls within the merchant’s scope of PCI DSS compliance. For example, if you accept payments online, the payment gateway is a PCI Service Provider; if you use a lockbox company, it must be certified. PCI Level 1 is the most common PCI compliance certification for a service provider. You can verify whether a service provider is compliant with Visa here: https://www.visa.com/splisting/searchGrsp.do. If the company you’re doing business with is not on the list, ask questions.
PA-DSS Payment Application
If a software application controls or could impact the security of cardholder data or of the transactions that are processed, then for PCI compliance merchants must only use applications certified under the Payment Application Data Security Standard (PA-DSS). Examples are a lockbox company’s transaction processing software or a retail point-of-sale system. If payments are segregated from the application, then PA-DSS does not apply. In my experience, this is a weak area for merchants because not all application providers understand their requirements; some will do the standard PCI scan and say they’re PCI compliant, but in reality they’re using a homegrown application to process transactions which they have not certified.
HIPAA
There is no Health Insurance Portability and Accountability Act (HIPAA) certification for service providers, and HIPAA does not fall under the purview of the PCI Council. However, a PCI Service Provider may choose to engage a third-party auditor to attest to its compliance in order to better serve merchants in industries that require HIPAA compliance.
QIR
Organizations qualified by PCI SSC as Qualified Integrator and Reseller Companies (QIR Companies) are authorized to implement, configure, and/or support validated PA-DSS payment applications on behalf of merchants or service providers for the purpose of performing Qualified Installations as part of the QIR Program. Level 4 merchants accounted for a large share of data breaches, so as of January 2017 they are mandated to use only QIR-certified individuals for their implementations and maintenance. Level 4 merchants are those with fewer than 20,000 Visa or MasterCard e-commerce transactions annually, and all other merchants processing up to 1 million Visa or MasterCard transactions annually. QIR certification applies to individuals; a company may have multiple people certified.
P2PE
Point-to-point encryption (P2PE) is a standard established by the PCI Security Standards Council. The objective of P2PE is to provide a payment security solution that converts confidential payment card (credit and debit card) data into indecipherable ciphertext at the moment the card is swiped, so that the merchant’s systems never handle the clear cardholder data, preventing theft and fraud. It is designed to maximize the security of payment card transactions in an increasingly complex regulatory environment.
VP2PE
VP2PE is not an official PCI Council acronym for Validated P2PE, but it is descriptive. The P2PE Standard defines the requirements that a “solution” must meet in order to be accepted as a PCI-validated P2PE solution. A “solution” is the complete set of hardware, software, gateway, decryption, device handling, and so on. Validated solutions are listed on the PCI Council web site. They reduce PCI compliance scope and burden for merchants: for example, about 35 self-assessment questions instead of 359, and 4 sections instead of 12.
Today there are only 42 companies with 49 validated solutions in the entire world. Some of the solutions are valid only with a particular acquirer. For merchants seeking an acquirer-agnostic VP2PE solution, the list gets very small.
CenPOS, a payment technology provider, has a Health Insurance Portability and Accountability Act (HIPAA) attestation from a third-party external auditor across a broad range of payment solutions offered by the company. CenPOS is listed as a registered Level 1 Service Provider on the Visa web site, and is listed in the VP2PE solutions and QIR sections of the PCI Council web site. The CenPOS Validated P2PE solution is compatible with many acquirers. You can also find me, Christine Speedy, under QIR certifications when searching by name. (CenPOS is not a software application, so it is not listed under PA-DSS.)
Christine Speedy, CenPOS Sales, 954-942-0483, 9-5 ET, is based out of South Florida and NY. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money while improving their customer engagement. The CenPOS secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships. When you call Christine, there is no middleman; all agreements are direct with CenPOS. As one of the very first to sell for CenPOS, I have deep experience to help merchants understand the benefits and get live fast.