PCI-DSS Compliance and FISPAN's Position

Posted by Clayton Weir on March 20, 2020 9:00 am

Compliance at FISPAN:

We have always intended for FISPAN to be a mission-critical vendor to banks, meaning our platform was subject to a series of non-functional requirements in order to work with banks. Our services interact with a range of PII and financially sensitive data, and we encrypt such data at rest, and in transit, using industry best practices. Being a compliant bank grade vendor is one of our core values at FISPAN and part of why we became SOC II-Type 2 certified and are pursuing our ISO 27002 designation in 2020. 


FISPAN’s platform covers a wide range of business banking product lines, including use cases that involve credit cards for both payables and receivables. As Push2Card and Virtual Credit Card become more prominent as pay types, the question of FISPAN’s compliance to PCI-DSS sometimes comes up. 


What is PCI Compliance?

PCI-DSS Payment Card Industry – Data Security Standard is an industry-wide governance program organized by the PCI Security Standard Council. Their goal is to help all of the participants in the Credit Card processing value chain to operate in a secure and safe fashion. 


Why FISPAN does not state PCI Compliance:

Generally, the answer is quite simple; FISPAN by design never directly interacts with  clear-text or primary payment card data.  Fintechs, Banks and the Card Networks have invested heavily in powerful developer tools to enable diverse application experiences to be built without piercing the PCI-Compliance stack. So, while we orchestrate data exchange between bank clients and a wide range of bank or fintech systems, only tokenized card aliases traverse FISPAN systems. With all current implementations, FISPAN receives a token or unique client reference back from the processor so we can transact in the future still not needing to ever interact with PCI information directly. We then make an attestation of this design pattern to your compliance people. 


What the future holds

While we have no short term plans to pursue PCI compliance, we have done the analysis and believe that the FISPAN platform was designed with similar security and control principles and would be able to achieve the certification with little to no remediation to the platform or our policies. If a compelling need and opportunity arise that require a change in our posture, we will evaluate it. 


We believe this principle of designing FISPAN to be out of scope is best for our partners and vendors as it simplifies their various compliance value chains and allows us to focus on what we do best, building impactful business banking experiences for clients.   For more information, contact us.