Stitch has acquired its official PCI DSS Service Provider Level 1 Certification - another milestone in ensuring we remain compliant and secure across our product portfolio.
Earlier this month, we received our official PCI DSS Service Provider Level 1 Certification. This marks a significant step in our ongoing efforts to ensure the highest level of safety and security on our platform, and to remain compliant within the industry for the protection of the clients we serve and end-users transacting via Stitch.
The PCI certification process included a comprehensive third-party assessment of our security policies, management, software design and network architecture, in addition to other critical, protective measures.
As a fintech company and payments service provider (PSP), it’s our responsibility to ensure we adhere to relevant regulations and industry standards within the financial sector. We provide the infrastructure that enables businesses to collect payments from their customers’ accounts (via Instant EFT, Card, Cash, Manual EFT and Debit Order), orchestrate and reconcile transactions and send payouts to customers, suppliers and more.
Frameworks vary depending on geography, but the PCI DSS Service Provider Level 1 Certification is an incredibly stringent, internationally recognised standard. While Stitch is headquartered in South Africa, many of the businesses we work with operate across the globe, which means scaling our security protocols across regions is extremely important.
This set of security standards is designed to ensure that all payments companies accepting, processing, storing or transmitting credit, debit or prepaid card information maintain a secure environment, keeping all members across the value chain safe.
Being compliant means having measures in place that adhere to the laws and fintech regulations covering data and consumer protection, Anti-Money Laundering (AML), Know Your Customer (KYC), and more. Beyond this, it enables fintechs to mitigate the risks associated with financial activity, such as fraud and the illicit use or misuse of funds.
As fintech services and platforms become more ubiquitous, concerns around fraud mount. The growth of the industry - in South Africa, and the rest of the world - has introduced new ways for fraudsters to exploit vulnerabilities. In South Africa, common types of fraud in the fintech space include identity theft, phishing attacks, payment fraud and unauthorised access to financial accounts, which affect both businesses and consumers.
The rise of financial crime has made it crucial for all companies operating in the ecosystem to ensure they’ve got protocols in place to prevent fraud from happening in the first place.
In an effort to improve the safety of consumer data and trust within the payments sector and to protect against data breaches, Visa, Mastercard, American Express, Discover and JCB joined forces to form the Payment Card Industry Security Standards Council (PCI SSC) in 2006. The council manages and maintains the security standards for companies handling card data, and this baseline has become the industry standard for all financial services companies.
Briefly, PCI DSS compliance is made up of three components:
See a step-by-step guide of the four levels of requirements via Stripe.
The level of PCI compliance required varies depending on the volume of transactions, and whether cardholder data is processed. But any organisation processing transactions or managing payment card data - regardless of size or industry - should regularly assess its PCI DSS compliance obligations and take appropriate steps to meet requirements.
Primarily relevant to businesses accepting credit or debit card payments, companies that need to be PCI compliant include:
Essentially, any business that enables the flow of money from one store of funds to another, and/or has access to sensitive customer financial data is required to ensure they’re compliant.
In certain cases, PSPs like Stitch that hold this certification can reduce the need for the businesses they serve to obtain their own. However, it’s important to distinguish the role Stitch plays in the transaction process. While we facilitate transactions between businesses and their end-users’ accounts, we do not invest funds on behalf of users and do not hold their funds for them.
Non-compliance poses several significant risks to organisations operating in the financial sector. These include but are not limited to:
To mitigate these risks, it’s crucial for organisations required to comply with PCI DSS to have the correct security controls in place and to regularly assess these implementations by way of third-party audits and assessments.
For a comprehensive overview of how a business can become PCI DSS compliant, see this resource from the PCI Standards Council.
For merchants and other businesses looking to process card payments, choosing a PSP like Stitch with PCI DSS certification significantly reduces the costs and time associated with acquiring their own.
We understand our role in the payments space, and we understand the level of trust placed in us by our clients. Holding a PCI DSS Service Provider Level 1 certification allows us to process their cardholder information with internationally recognised security and data-protection mechanisms in place.
The benefits for current and future Stitch clients include:
For all transactions from alternative payment methods that do not utilise cardholder data, Stitch enforces a number of additional strict industry-standard controls. These include maintaining a secure network and systems through the implementation of robust firewalls and access controls.
We also practise stringent data management and protection through the use of encryption, and we regularly monitor these systems through internal tests. Our data protection and information security policies are continually iterated on to ensure that we proactively mitigate any potential threats to Stitch’s payment and client data.