Protect your customer data and stay compliant.
Even minor compliance violations put your customers' personal information at risk and expose your business to hefty fines. Our expertise helps you maintain full compliance with international legislation and industry standards. We also keep you in line with global trade regulations, so you don't inadvertently do business in embargoed countries.
Our Global Compliance Capabilities
Payment Card Industry Data Security Standard (PCI DSS) Compliance
Strict PCI DSS compliance is necessary for any business accepting credit card payments. We provide continuous monitoring of our PCI DSS compliant infrastructure, processes and scope, all of which are reviewed and updated at least every two years.
Channel Partner Compliance
If you do business with channel partners (affiliates, resellers, etc.), we actively screen them to make sure they also maintain compliance with global standards.
Secure International Sales & Data Transfer
We only accept credit card orders submitted in accordance with PCI DSS requirements. Our platform accepts orders only over encrypted connections, and all transaction requests and transaction results are exchanged over HTTPS. Cryptographic controls protect the confidentiality, authenticity and integrity of information, and our policies govern the use of encryption and key management.
Preventing Transactions in Embargoed Countries
We have automated and manual screening, together with escalation processes, for embargoed countries and for individuals or organizations on the Specially Designated Nationals and Blocked Persons (SDN) list. Non-compliance with U.S. export regulations can lead to 10 to 30 years of imprisonment and fines between $50,000 and $10,000,000.
Quarterly System Scans
We use an Approved Scanning Vendor (ASV) to run quarterly external vulnerability scans of our cardholder data environment.
European Privacy Law Compliance
European legislation mandates an adequate level of data protection when collecting, processing and storing customer data. We help you avoid violating European privacy laws, including:
- German Federal Data Protection Act (FDPA, Bundesdatenschutzgesetz): non-compliance can cost your business up to €300,000 per violation.
- European General Data Protection Regulation (GDPR): in force from 2018, violations can incur fines of up to €20,000,000 or up to 4% of annual worldwide turnover, whichever is greater.
- Data breach penalties: we have implemented incident response and escalation procedures based on industry standard guidance (e.g. NIST SP 800-61), and we test them at least annually.
What are the real costs of PCI DSS compliance?
PCI DSS compliance is necessary for accepting credit card payments, but it doesn't come cheap. Partner with cleverbridge and we cover the following costs:
Initial Implementation
As estimated by Gartner for Level 1 merchants (processing more than 6 million transactions of a single card brand per year), implementation costs include:
- $200k for assessing the scope of the required PCI DSS work
- $600k to $1.1 million to meet the requirements
Recurring Auditing Fees
These depend on a variety of factors: company size, number of transactions processed annually, existing infrastructure, credit card data scope, etc. For Level 1 merchants, the average annual audit cost is $225k.
Potential Violation Fines
We protect you from major PCI DSS non-compliance penalties, including:
- Up to $90 fine per cardholder data compromised
- Suspension of credit card acceptance
- Loss of brand reputation
- The cost of a PCI Forensic Investigator (PFI) at $130 to $200 per hour for a one to two year engagement
ISAE 3402 Type II
We leverage third party assurance reports to give our clients visibility into our internal controls as a service organization. A leading independent auditor performs the annual ISAE 3402 Type II audit by reviewing and testing our operational procedures and controls.
TRUSTed Cloud Privacy
PCI DSS Service Provider Level 1
We maintain PCI DSS Service Provider Level 1 status, which has the following validation requirements:
- Passing an annual on-site assessment in which a Qualified Security Assessor (QSA) examines the cardholder data environment in detail
- Quarterly network scans by an Approved Scanning Vendor (ASV)