All Payment Facilitators (PayFacs) are required to comply with PCI DSS (the Payment Card Industry Data Security Standard) as a Service Provider, either at Level 1 (storing, processing or transmitting more than 300,000 card transactions annually) or at Level 2 (300,000 or fewer transactions annually).
The PayFac's third-party processor and acquiring bank set the specific PCI Service Provider requirements, but more often than not these parties will be hesitant to take a PayFac live without a Level 1 assessment performed by a third-party QSA (Qualified Security Assessor), which results in a Report on Compliance rather than a self-assessment questionnaire. Level 2 Service Providers also sometimes choose to validate at Level 1 in order to be listed on Visa's Global Registry of Approved Service Providers. A summary of the requirements for PCI Service Providers is given below, including the different routes a PayFac can take to become PCI compliant.
Please Note - The PayFac's specific PCI approach will differ depending on whether the PayFac uses Finix's Tokenization & Vaulting solution, which significantly reduces its PCI scope because cardholder data is never stored in the PayFac's own systems, or builds out its own secure architecture for storing and/or processing payment card information. Reduced scope is not zero scope: the PayFac must still validate the controls that remain within its environment, and the processor and acquiring bank decide which validation route is acceptable.