Payment Vendors: How to Choose the Right Ones

INTRODUCTION

If you are currently processing electronic payments or you are looking into doing so in the future, one of the most important things to keep in mind is finding the best payment vendors and service providers to help you process those payments.

According to the Payment Card Industry, a payment application is any hardware or software that processes, transmits or stores card data electronically. A few examples of payment applications are card swipe terminals, eCommerce/webstores, and online bill pay portals.

A service provider is a business entity that is directly involved in the processing, transmitting, and storage of cardholder data but is not a payment brand. A few examples of service providers are hosting providers and entities providing managed services like firewalls.

We have put together a list of requirements and certifications from PCI that you should review with your current or potential payment vendors to ensure that you are properly securing your customers’ card data.

Types of Payment Vendors
What do you want to do?Payment vendor/service provider that you will needPCI Standard or Certification that you should look forWhere to find their validation
Process, store, and/or transmit cardholder data Payment Application Vendor Payment Application Data Security Standard (PA-DSS)PCI PA-DSS List of Validated Payment Applications
Accept card payments through hardware terminal devicesPayment Terminal VendorPIN Transaction Security (PTS) PCI List of Approved PTS Devices
Use a cloud-based payment applicationSoftware as a Service ProvidersPCI DSS Provider must have a PCI DSS Attestation of Compliance and be on one of the following lists:
Compliant Service Providers – MasterCard
Compliance Service Providers – Visa

QUESTIONS TO ASK YOUR PAYMENT VENDORS

Once you are aware of the types of vendors you will need to help you through your payment collection process, you can verify your potential vendors with the following questions.

  1. Where does your solution store the payment card data? If the answer is:
    • Locally – Ask question 2
    • Off-Site – Ask question 3
  2. Is it PA-DSS certified? If the answer is:
  3. Is the location of the off-site payment storage PCI-DSS certified? If the answer is:

HOW NODUS CAN HELP

Nodus takes payment security and PCI compliance very seriously. All of Nodus’ payment applications are PA-DSS certified, and we ensure that every version of our solutions has been tested and validated before we release it to our customers. Besides our ePayment processing, online bill pay, and eCommerce solutions, Nodus offers a few additional solutions to help merchants protect the payment data that they are processing and storing.

Point-of-Entry

Nodus PayFabric has been integrated with certain card readers to provide merchants the ability to accept EMV over the traditional magnetic stripe information. One device we support is PAX S300, a retail smart PINpad that encrypts and protects all transaction information. We also support the PAX D210, a mobile payment device that interacts with customers via Bluetooth, WiFi, or cable connection. This device has state of the art security functions and has been certified through the PCI Security Council.

The PAX S300 and PAX D210 devices are on PCI List of Approved PTS Devices

PTS requirements ensure a hardware device helps a merchant’s PCI DSS compliance efforts. With PTS approved devices, it’s much easier for merchants to secure sensitive card data at the point of interaction, so that in combination with PCI DSS and PA-DSS, the processing, transmitting and storage of account data is better protected.

Storage

Nodus PayFabric is a cloud-based storage engine that removes sensitive credit card data from the merchant’s environment and stores it off-site in the cloud. It also uses an iframe to pull the credit card information directly from the point-of-entry, preventing the credit card number from ever even touching your website or database.

PayFabric is PCI DSS Level 1 Compliant:

Point-to-Point Encryption

Another concern is having the credit card information entered into an organization’s system unencrypted. Nodus has partnered with Bluefin payment systems, who specializes in integrated payment and P2PE (Point-to-Point Encryption) security technology. Using Bluefin’s P2PE supported device, merchants can further enhance the security at the point-of-entry by encrypting the data as soon as it is collected.

Bluefin P2PE is a PCI certified Point-to-Point Encryption solution. Check out their validation here: PCI Point-to-Point Encryption Solution

Nodus Technologies, Inc.

Nodus Technologies provides businesses and developers with integrated payment solutions for Microsoft Dynamics ERPs and CRM, on-premises or in the cloud.  Our expertise in electronic payment processing, B2B & B2C eCommerce, online bill pay, and cloud payment solutions assists organizations of any size and industry with achieving PCI compliance while automating accounts receivables, expediting funding, and improving the customer experience.

Nodus can help merchants obtain PCI Compliance by providing certified payment applications, P2PE and EMV-supported devices, and cloud-based processing and storage technology.