Security Acknowledgement to Customers & Responsibility Matrix
PCI Compliance
This section covers the Payment Card Industry Data Security Standard compliance and your responsibilities as a third-party customer.
What is PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.
Who is responsible
Nexternal Solutions, Inc. is a PCI DSS compliant provider and validates all requirements (1-12) annually. Nexternal's PCI DSS Attestation of Compliance (AOC), available on request, describes the technology stack certified annually.
Nexternal Solutions, Inc. provides mobile and web based online ordering for merchants. During the online ordering process, cardholder data is collected and processed using Nexternal Solutions, Inc. processors. Credit card data is collected when an account is opened and saved for future orders. It can also be collected for one-time use at the time of order. Nexternal Solutions, Inc. uses tokenization solutions offered by Authorize.net, PayPal Payflow Pro, Global Pay, and Paymentech to allow customers to save payment information for future purchases.
Customers purchase products via Merchant websites hosted by Nexternal Solutions, Inc. Payments are then transmitted to Merchant Partners. Nexternal Solutions, Inc. acts as a payment gateway transmitting all payment information to Merchant Partners for processing.
Nexternal is responsible for maintaining secure handling of credit cards while the payment is en route from the payment request to the payment processors. Merchants, service providers, and other entities involved with payment card processing must never store sensitive authentication data after authorization. This includes the 3- or 4-digit security code printed on the front or back of a card, the data stored on a card's magnetic stripe or chip (also called "Full Track Data"), and personal identification numbers (PINs) entered by the cardholder. As a third-party developer, it is your responsibility to program the storefronts and recurring billing apps in a PCI-compliant manner. If your development affects the flow of sensitive credit card data, you will need to maintain a PCI compliance certification for third-party service providers, certified by an external Qualified Security Assessor (QSA).
The following table outlines PCI compliance responsibilities based on the type of integration.
Responsibility matrix
| Nexternal Responsibility | Customer Responsibility |
|---|---|
| Nexternal Solutions, Inc.: responsible for all applicable PCI DSS requirements (1-12) of the product to the point that it has control of the merchant's stores. | Responsible for ensuring that all modifications that result in external calls to or integrations with outside parties are done in a PCI DSS compliant manner. |
| | Responsible for ensuring all design modifications are done in a PCI DSS compliant manner. |
| | Responsible for ensuring that all service providers it uses are compliant with PCI DSS. |