Payment card data is classified as Confidential in Simplifya's Data Classification Standard. It includes the cardholder name, credit or debit card number (the primary account number, or PAN), expiration date, and card security code (CVV/CVC). The card security code is sensitive authentication data that PCI DSS prohibits storing after authorization, even in encrypted form. Our primary means of mitigating the risk associated with payment card data is to rely on the security mechanisms of our payment service providers, Stripe and Intuit (QuickBooks Online), rather than handling card data ourselves.
Any business that processes, transmits, or stores card data must comply with the Payment Card Industry Data Security Standard (PCI DSS). As the PCI DSS requires, both Stripe and Intuit are regularly audited by an independent PCI Qualified Security Assessor (QSA) and are certified as PCI DSS Level 1 Service Providers, the most stringent level of validation in the payments industry.
Also as required by the PCI DSS, Simplifya completes a Self-Assessment Questionnaire (SAQ) annually. Based on how we integrated with Stripe and the way we collect card data, we validate using SAQ A. Simplifya is eligible for SAQ A because every form input that accepts card data is rendered inside an iframe served from Stripe's domain, not Simplifya's, so the browser sends card data directly to Stripe and it never reaches Simplifya's servers. What Simplifya's backend receives from the browser is the token or payment method identifier that Stripe returns, not the card details. That eligibility depends on the integration staying that way: no Simplifya endpoint may accept card data, and because the page that embeds the iframe is still served by Simplifya, changes to that page must be reviewed so that card data is not captured outside the Stripe-hosted fields.
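The SAQ A eligibility above rests on one concrete property: a raw card number must never arrive at a Simplifya endpoint. The following is an added example, not code from Simplifya or Stripe, of a defense-in-depth check that enforces that property on the server side. It scans an inbound request body for values that look like a PAN (13 to 19 digits that pass the Luhn check every major card brand uses) and rejects the request, recording only the field path and never the value, so that an integration regression (for example a developer replacing the Stripe-hosted iframe with a plain input) is caught before card data is logged or stored. The function names, the field names and the sample bodies are constructed for the example; `pm_...` is the shape of a Stripe PaymentMethod identifier and `4242 4242 4242 4242` is Stripe's published test card number.

```javascript
// Added example (not Simplifya's or Stripe's code): server-side guard that detects
// card-number-like values in request bodies. All names and sample data are constructed.

// Luhn check digit validation (ISO/IEC 7812), expected to be called on a digits-only string.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// True if a value looks like a PAN: 13-19 digits (spaces or dashes allowed) that pass Luhn.
// Luhn is what separates a PAN from other long numeric fields such as order ids or timestamps.
function looksLikePan(value) {
  if (typeof value !== 'string') return false;
  const stripped = value.replace(/[ -]/g, '');
  if (!/^\d{13,19}$/.test(stripped)) return false;
  return luhnValid(stripped);
}

// Walk a (possibly nested) JSON body and return the dotted paths of PAN-like fields.
function findPanFields(body, path = '') {
  const hits = [];
  if (body !== null && typeof body === 'object') {
    for (const [key, value] of Object.entries(body)) {
      hits.push(...findPanFields(value, path ? `${path}.${key}` : key));
    }
  } else if (looksLikePan(body)) {
    hits.push(path);
  }
  return hits;
}

// Hypothetical middleware-style check: reject the request if a PAN reached the server.
// Only the field path is reported, never the value, so the guard itself does not leak card data.
function checkRequest(body) {
  const fields = findPanFields(body);
  if (fields.length > 0) {
    return { ok: false, reason: 'card data reached the server', fields };
  }
  return { ok: true };
}

// Constructed sample bodies.
// What the backend should receive when the Stripe-hosted iframe is used: identifiers only.
const GOOD_BODY = {
  customer: 'cus_exampleFake000',
  payment_method: 'pm_exampleFake000',
  order_id: '1700000000000',
};
// What it must never receive: raw card data posted from a non-hosted form.
const BAD_BODY = {
  customer: 'cus_exampleFake000',
  card: { number: '4242 4242 4242 4242', exp: '12/30', cvc: '123' },
};

// Usage: run both samples through the guard.
console.log(checkRequest(GOOD_BODY)); // { ok: true }
console.log(checkRequest(BAD_BODY));  // { ok: false, reason: ..., fields: [ 'card.number' ] }
```

In practice this runs as middleware in front of every route and raises an alert rather than silently dropping the request; a single hit means the iframe integration has regressed and the SAQ A eligibility claim above no longer holds until it is fixed.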
See the article on PCI Compliance for more detailed information and to verify the compliance of our service providers.