PCI Requirements

Document created by jordanbarhorst on May 10, 2016. Last modified by jordanbarhorst on Jun 1, 2016.
Version 3

Because of the increased complexity of acting as a Payment Facilitator and aggregating payments, PayFacs face additional requirements related to PCI as well as added requirements from the card brands.


While these may not impact the developer directly, PCI requirements are important to understand because they can affect how a developer builds applications and their strategies related to maintenance, certification and their choice of security technologies.


Additional information is provided in the Vantiv PayFac Integration Guide available to Vantiv O.N.E. members.


PayFacs will generally need to provide the following items for PCI compliance and registration requirements:


  • Level 1 Service Provider PCI DSS Compliance Validation documentation

  • A documented process explaining how the PayFac validates PCI compliance of sub-merchants    


Vantiv’s Compliance team will work with you as a PayFac to register you with Visa, MasterCard and Discover as an aggregator. Typical requirements include but are not limited to the following information:


  • PCI DSS Compliance must be achieved prior to registration with the payment brands

  • Completed Payment Brand Registration Forms    


Payment brands may have their own specific requirements, and your Vantiv integration consultant can help advise what additional requirements may exist.


For example, Visa has a registered service provider program designed for aggregators and payment facilitators, with its own specific requirements for third-party agents (https://usa.visa.com/dam/VCOM/download/merchants/tpa-registration-program-faqs.pdf).