Knowledgebase
Knowledgebase: PaperCut > Security and Privacy
PCI Compliance for PaperCut
on 12 August 2020 10:55 PM

What is PCI Compliance?

The PCI (Payment Card Industry) is the international standards and compliance body for credit card data management and security.

PCI publish and maintain a set of standards, PCI DSS, and require that any site dealing with or handling credit card payments conform to the appropriate portion of the standard. The measures required, and the proof of compliance required, vary according to the degree of risk that a given site is deemed to pose.

Does PaperCut MF or NG process or store credit card data?

In a word, no.

PaperCut supports a number of Payment Gateways.

The good news here is that the PaperCut MF or NG Application Server itself never processes or stores credit card data. All of the credit card gateways that we support offer an integration architecture that uses URL redirect to direct the user’s browser to the payment gateway website when a user wishes to top up their account. What this means is that you’ll actually be redirected to the Payment Provider site (e.g. PayPal, Blackboard etc) to complete the payment transaction - you won’t ever give your credit card details to the PaperCut Application Server.

How does PCI Compliance impact PaperCut MF or NG?

Compliance with PCI standards will be important for PaperCut customers wishing to use credit card payment gateways for user print credit top-ups. The PCI standards assign different levels of risk to different categories, and for each category there is a document describing compliance requirements.

As noted above, because the Application Server never processes or stores credit card data, this means that correctly deployed implementations of the PaperCut integration will come under the PCI DSS category SAQ A for compliance purposes.

Please note that although PCI DSS v3 (enforced as of March 2015) introduces a new category, SAQ A-EP, for some kinds of payment gateway interaction, the PCI have confirmed that this does not apply to gateway integrations such as those implemented in PaperCut, which continue to be covered by SAQ A. This also applies to the current PCI DSS v3.2.1 (as of May 2018).

It is also worth reviewing two relevant FAQs from the PCI website:

Compliance requirements for SAQ A are documented in downloadable PDFs available from the PCI security standards website. The correct document as of time of writing is SAQ A v3.2.1 (May 2018).

In most cases, a self-assessment describing the site components and basic security measures taken (e.g. virus protection) will suffice to meet PCI compliance requirements. However, PaperCut recommend that any customer wishing to use credit cards for top ups works with their payment gateway provider, makes themselves familiar with the relevant PCI standards, and if necessary engages a qualified PCI compliance advisor conversant with the latest standards and well-versed in systems architecture.