PCI DSS Merchant Services

💳 PCI DSS Compliance & Merchant Services

🛡️ PCI DSS Level 1 Service Provider

SMRT Payments maintains the highest level of PCI DSS compliance as a Level 1 Service Provider, processing over 6 million transactions annually. Our comprehensive security program protects cardholder data throughout the payment ecosystem for merchants, ISOs, and business partners.

1. PCI DSS Compliance Framework

12 Core Requirements:

Requirement 1: Install and maintain network security controls
Requirement 2: Apply secure configurations to all system components
Requirement 3: Protect stored cardholder data
Requirement 4: Protect cardholder data with strong cryptography during transmission
Requirement 5: Protect all systems and networks from malicious software
Requirement 6: Develop and maintain secure systems and software
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Identify users and authenticate access to system components
Requirement 9: Restrict physical access to cardholder data
Requirement 10: Log and monitor all access to network resources and cardholder data
Requirement 11: Test security of systems and networks regularly
Requirement 12: Support information security with organizational policies and programs

🔐 Cardholder Data Security

Zero Storage Policy: SMRT Payments does not store, process, or transmit cardholder data in non-compliant systems

Tokenization: All sensitive data replaced with non-sensitive tokens for merchant processing

Encryption Standards: AES-256 encryption for data at rest, TLS 1.3 for data in transit

Key Management: FIPS 140-2 Level 3 Hardware Security Modules (HSMs) for cryptographic key protection

2. Merchant PCI Compliance Support

Merchant Level	Transaction Volume	Validation Required	SMRT Support Services
Level 1	>6M transactions/year	Annual on-site assessment	QSA coordination, remediation support
Level 2	1M-6M transactions/year	Annual SAQ + quarterly scan	SAQ assistance, vulnerability scanning
Level 3	20K-1M e-commerce/year	Annual SAQ + quarterly scan	Compliance tools, security training
Level 4	<20K transactions/year	Annual SAQ	SAQ completion assistance

3. POS Equipment Security

Point of Sale Device Management:

PTS-POI Certification: All terminals meet Payment Card Industry Point-to-Point Encryption standards
Tamper Detection: Hardware and software tamper-evident security features
Secure Key Injection: Cryptographic key loading in secure facilities
Remote Key Management: Over-the-air key updates and certificate management
Device Authentication: Mutual authentication between devices and payment systems

Terminal Security Features:

End-to-End Encryption: Point-to-point encryption from card reader to processor
PIN Security: Secure PIN entry and processing with TDES/AES encryption
EMV Compliance: Chip card processing with dynamic authentication
Contactless Security: NFC and mobile wallet security protocols
Application Security: Secure boot process and signed application validation

🏆 PCI P2PE Validation

SMRT Payments maintains PCI Point-to-Point Encryption (P2PE) validation, providing the highest level of security for card-present transactions through our certified terminal ecosystem.

4. Network Security Architecture

Segmentation & Access Controls:

Network Segmentation: Cardholder data environment (CDE) isolated from other networks
DMZ Implementation: Demilitarized zones for internet-facing applications
Firewall Configuration: Application-layer filtering and intrusion prevention
VPN Security: Multi-factor authentication for remote access
Wireless Security: WPA3 encryption and enterprise authentication

Monitoring & Intrusion Detection:

24/7 SOC Monitoring: Security Operations Center with real-time threat detection
SIEM Integration: Security Information and Event Management correlation
Behavioral Analytics: Machine learning-based anomaly detection
Forensic Capabilities: Digital forensics and incident response procedures

5. Merchant Onboarding & Risk Assessment

Due Diligence Process:

Business Verification: Comprehensive merchant background checks and business validation
Financial Review: Credit assessment and financial stability evaluation
Risk Classification: Industry-based risk assessment and monitoring levels
Compliance Validation: PCI DSS readiness assessment and gap analysis

High-Risk Industry Management:

Enhanced Monitoring: Increased transaction monitoring and review procedures
Reserve Requirements: Financial reserves and rolling reserve management
Compliance Oversight: Additional PCI DSS validation and security requirements
Chargeback Management: Proactive chargeback prevention and mitigation

📊 Merchant Risk Categories

Low Risk: Retail, restaurants, professional services with established business history

Medium Risk: E-commerce, recurring billing, higher ticket averages

High Risk: Adult entertainment, gambling, nutraceuticals, high chargeback industries

Prohibited: Illegal activities, sanctioned businesses, excessive risk exposure

6. Transaction Processing Security

Payment Processing Flow:

Authorization: Real-time fraud screening and card validation
Authentication: 3-D Secure and strong customer authentication
Tokenization: Sensitive data replacement with secure tokens
Settlement: Secure batch processing and fund settlement
Reconciliation: Transaction matching and dispute management

Fraud Prevention & Detection:

Machine Learning Models: AI-powered fraud detection and scoring
Velocity Checking: Real-time transaction pattern analysis
Geographic Filtering: Location-based transaction validation
BIN Analysis: Bank Identification Number validation and risk assessment
Device Fingerprinting: Unique device identification and tracking

7. Compliance Monitoring & Reporting

Continuous Compliance:

Quarterly Scanning: Approved Scanning Vendor (ASV) vulnerability assessments
Annual Assessments: Qualified Security Assessor (QSA) evaluations
Penetration Testing: Regular security testing and vulnerability remediation
Compliance Tracking: Merchant compliance status monitoring and reporting

Incident Response:

Breach Response Plan: Comprehensive incident response procedures
Forensic Investigation: PCI Forensic Investigator (PFI) engagement
Notification Procedures: Card brand and regulatory notification processes
Remediation Support: Security improvement and compliance restoration

📈 Compliance Metrics

Scan Compliance: >95% merchant compliance with quarterly vulnerability scans

SAQ Completion: 100% merchant Self-Assessment Questionnaire completion

Incident Response: <2 hour response time for security incidents

Remediation: 30-day average for vulnerability remediation

8. ISO & Partner Compliance

Independent Sales Organization Support:

ISO Registration: Assistance with card brand registration and compliance
Agent Training: PCI DSS awareness and compliance training programs
Portfolio Management: Merchant portfolio compliance monitoring
Residual Protection: Compliance violation impact mitigation

Partner Requirements:

Background Checks: Comprehensive ISO and agent background verification
Compliance Training: Mandatory PCI DSS and security awareness training
Ongoing Monitoring: Regular compliance assessments and portfolio reviews
Violation Response: Immediate action procedures for compliance violations

📞 PCI Compliance Contact

PCI Compliance Officer: [email protected]

Security Incident Reporting: [email protected]

Merchant Support: [email protected]

24/7 Security Hotline: 888.810.SMRT (7678)

PCI DSS Version: 4.0
Annual Assessment Date: March 2025
Certificate Expiration: March 31, 2026
Last Updated: January 20, 2025

← Back to Legal Center