Stitch earns fintech compliance certification, now PCI DSS Level 1 Certified
Stitch has acquired its official PCI DSS Service Provider Level 1 Certification - another milestone in ensuring we remain compliant and secure across our product portfolio.
Earlier this month, we received our official PCI DSS Service Provider Level 1 Certification. This marks a significant step in our ongoing efforts to ensure the highest level of safety and security on our platform, and to remain compliant within the industry for the protection of the clients we serve and end-users transacting via Stitch.
The PCI certification process included a comprehensive third-party assessment of our security policies, management, software design and network architecture, in addition to other critical, protective measures.
Fintech regulation and compliance
As a fintech company and payments service provider (PSP), it’s our responsibility to ensure we adhere to relevant regulations and industry standards within the financial sector. We provide the infrastructure that enables businesses to collect payments from their customers’ accounts (via Instant EFT, Card, Cash, Manual EFT and Debit Order), orchestrate and reconcile transactions and send payouts to customers, suppliers and more.
Frameworks vary depending on geography, but the PCI DSS Service Provider Level 1 Certification is an incredibly stringent, internationally recognised standard. While Stitch is headquartered in South Africa, many of the businesses we work with operate across the globe, which means scaling our security protocols across regions is extremely important.
This set of security standards is designed to ensure that all payments companies accepting, processing, storing or transmitting credit, debit or prepaid card information maintain a secure environment, keeping all members across the value chain safe.
What are fintech compliance regulations?
Being compliant means having measures in place that adhere to laws and fintech compliance regulations covering data and consumer protection, Anti-Money Laundering (AML), Know Your Customer (KYC), and more. Beyond this, it enables fintechs to mitigate the risks associated with financial activity, such as fraud and the illicit use or misuse of funds.
As fintech services and platforms become more ubiquitous, concerns around fraud mount. The growth of the industry - in South Africa, and the rest of the world - has introduced new ways for fraudsters to exploit vulnerabilities. In South Africa, common types of fraud in the fintech space include identity theft, phishing attacks, payment fraud and unauthorised access to financial accounts, which affect both businesses and consumers.
The rise of financial crime has made it crucial for all companies operating in the ecosystem to ensure they’ve got protocols in place to prevent fraud from happening in the first place.
Overview of PCI Data Security Standard (PCI DSS)
In an effort to improve the safety of consumer data and trust within the payments sector and to protect against data breaches, Visa, Mastercard, American Express, Discover and JCB joined forces to form the Payment Card Industry Security Standards Council (PCI SSC) in 2006. The council manages and maintains security standards for companies handling card data, and this baseline has become the industry standard for all financial services companies.
Briefly, PCI DSS compliance is made up of three components:
- Ensuring sensitive card details are collected and transmitted securely
- Storing data securely as outlined in the 12 security domains of the PCI standard, including encryption, ongoing monitoring and security testing of access to card data
- Annually verifying that the required security controls are correctly implemented by way of third-party audits, external vulnerability scanning services, and more
See a step-by-step guide of the four levels of requirements via Stripe.
Who needs to be PCI Compliant?
The level of PCI compliance required varies depending on the volume of transactions, and whether cardholder data is processed. But any organisation processing transactions or managing payment card data - regardless of size or industry - should regularly assess its PCI DSS compliance obligations and take appropriate steps to meet requirements.
Primarily relevant to businesses accepting credit or debit card payments, companies that need to be PCI compliant include:
- Merchants: Any organisation that processes cardholder data as a form of payment is expected to comply with PCI DSS. This includes retailers, online businesses, restaurants, hotels, and other service providers processing card payments.
- Service providers: Third-party service providers handling payment card data on behalf of merchants or other organisations. This includes payment processors, payment gateways, hosting providers and other entities with access to cardholder data.
Essentially, any business that enables the flow of money from one store of funds to another, and/or has access to sensitive customer financial data is required to ensure they’re compliant.
In certain cases, PSPs like Stitch, which hold this certification, are able to mitigate the need for the businesses they serve to obtain their own. However, it’s important to distinguish the role Stitch plays in the transaction process. While we facilitate transactions between businesses and their end-users’ accounts, we do not invest funds on behalf of users and do not hold their funds for them.
Risks of PCI non-compliance
Non-compliance poses several significant risks to organisations operating in the financial sector. These include but are not limited to:
- Financial penalties. Payment card companies can impose fines on businesses found to be non-compliant. Depending on the severity of the violation and transaction volumes, these fines can range from thousands to millions of dollars.
- Loss of consumer and industry trust. Non-compliance has the potential to severely damage the trust and reputation of an organisation. If customers perceive their payment data is not properly protected, they’ll likely take their business elsewhere. Moreover, a data breach resulting from non-compliance could lead to negative publicity, customer churn and loss of brand loyalty.
- Data breaches and compromised cardholder information. Non-compliance drastically increases the risk of data breaches and unauthorised access to cardholder data. This can result in financial losses, identity theft, fraudulent transactions, and potential legal liabilities.
- Legal consequences. Non-compliance could mean an organisation is in violation of legal and regulatory requirements, leading to potential legal action from affected individuals, government or law enforcement.
- Increased risk of cyberattacks. Hackers tend to target businesses with weak security measures, exploiting vulnerabilities to gain unauthorised access to payment card data. The impact of these attacks has the potential to be incredibly financially and reputationally damaging.
To mitigate these risks, it’s crucial for organisations required to comply with PCI DSS to have the correct security controls in place and to regularly assess these implementations by way of third-party audits and assessments.
How to become PCI Compliant
For a comprehensive overview of how a business can become PCI DSS compliant, see this resource from the PCI Standards Council.
For merchants and other businesses looking to process card payments, choosing a PSP like Stitch with PCI DSS certification significantly reduces the costs and time associated with acquiring their own.
What does this mean for Stitch and Stitch clients?
We understand our role in the payments space, and we understand the level of trust placed in us by our clients. Having a PCI DSS Service Provider Level 1 certification allows us to process their cardholder information with internationally recognised security and data-protection mechanisms in place.
The benefits for current and future Stitch clients include:
- Robust security measures to protect cardholder data. You can enjoy increased confidence that sensitive payment card information will be handled securely, reducing the risk of data breaches and associated liabilities.
- Reduced scope of compliance efforts. By partnering with a certified PSP, you can offload some of your compliance obligations and simplify your own overall compliance process.
- Enhanced reputation and trust. By working with a certified PSP, the trustworthiness established by our certification is passed on to your business, demonstrating to your customers the importance you place on security protocols.
- Risk mitigation. Your risk of non-compliance is reduced, as well as the associated negative consequences.
- Expertise and support. PCI DSS certification requires PSPs to have a deep understanding of security practices and compliance requirements. Our anti-fraud and compliance teams can provide guidance and expertise navigating the complexities associated with card payments security.
- Ongoing security monitoring. We’re required to maintain continuous security monitoring and to undergo regular assessments to maintain our certification. Our proactive approach to security means you can rest assured we’re committed to maintaining a secure payments processing environment.
For all transactions from alternative payment methods that do not utilise cardholder data, Stitch enforces a number of additional strict, industry-standard controls. These include maintaining a secure network and systems through the implementation of robust firewalls and access controls.
We also practise stringent data management and protection through the use of encryption, and we regularly monitor these systems through internal tests. Our data protection and information security policies are continually iterated on to ensure that we proactively mitigate any potential threats to Stitch’s payment and client data.