PCI Compliance for PaperCut MF/NG

What is PCI Compliance?

The PCI (Payment Card Industry) is the international standards and compliance body for credit card data management and security.

PCI publish and maintain a set of standards, PCI DSS, and require that any site dealing with or handling credit card payments conform to the appropriate portion of the standard. The measures required, and the proof of compliance required, vary according to the degree of risk that a given site is deemed to pose.

PCI auditing is about ensuring a particular site is compliant with the PCI standards. As such, the PCI do not generally certify individual applications (unless the application is a Payment Application according to the PCI definition) - they certify the end-to-end deployment and implementation of all software/hardware components at each site. This is why PaperCut itself is not PCI certified. PaperCut is, however, PCI-compliant - if properly deployed in an otherwise PCI-compliant environment then the site will still pass a full PCI audit. PaperCut is currently in operation at many sites with high levels of regular PCI (and other) security auditing and has had no issues.

Does PaperCut MF or NG process or store credit card data?

In a word, no.

PaperCut supports a number of Payment Gateways (check out the Discover section covering Print Charging Architecture and Overview and also the ‘Payment Integrations’ section of this Full List of PaperCut Integrations).

The good news here is that the PaperCut MF or NG Application Server itself never processes or stores credit card data. All of the credit card gateways that we support offer an integration architecture that uses a URL redirect to direct the user's browser to the payment gateway website when a user wishes to top up their account. What this means is that you'll actually be redirected to the Payment Provider site (e.g. PayPal, Blackboard etc) to complete the payment transaction - you won't ever give your credit card details to the PaperCut Application Server.
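The redirect-based pattern described above, as an added illustration (this is not PaperCut's code; the gateway URL, parameter names and the list of cardholder field names are assumptions): the application server sends only an account reference and amount to the gateway, and its top-up handler refuses any submission that carries cardholder fields, which is what keeps the server within SAQ A scope.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical hosted payment page; not a real PayPal or Blackboard endpoint.
GATEWAY_URL = "https://gateway.example/pay"
# Constructed list of field names a SAQ A scoped server must never accept.
CARDHOLDER_FIELDS = {"card_number", "pan", "cvv", "cvn", "expiry"}


def build_topup_redirect(username: str, amount_cents: int, return_url: str) -> str:
    """Build the URL the user's browser is redirected to.

    Only the account reference, the amount and the return address go to the
    gateway; card entry happens on the gateway's site, so cardholder data
    never reaches this server.
    """
    if amount_cents <= 0:
        raise ValueError("top-up amount must be positive")
    amount = f"{amount_cents // 100}.{amount_cents % 100:02d}"  # avoid float formatting
    params = {"ref": username, "amount": amount, "return": return_url}
    return f"{GATEWAY_URL}?{urlencode(params)}"


def handle_topup_request(form: dict) -> dict:
    """Application-side handler for the top-up form.

    Returns a 302 redirect to the gateway for a clean request, and rejects
    any request carrying cardholder fields: accepting them would pull the
    server into PCI DSS scope beyond SAQ A.
    """
    leaked = CARDHOLDER_FIELDS & {k.lower() for k in form}
    if leaked:
        return {"status": "rejected",
                "reason": f"cardholder fields not accepted: {sorted(leaked)}"}
    location = build_topup_redirect(form["username"], int(form["amount_cents"]),
                                    form["return_url"])
    return {"status": 302, "location": location}


def redirect_params(url: str) -> dict:
    """Flatten the query string of a redirect URL for inspection."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
```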

How does PCI Compliance impact PaperCut MF or NG?

Compliance with PCI standards will be important for PaperCut customers wishing to use credit card payment gateways for user print credit top-ups. The PCI standards assign different levels of risk to different categories, and for each category there is a document describing compliance requirements.

As noted above, the Application Server never processes or stores credit card data, so correctly deployed implementations of the PaperCut integration come under the PCI DSS category SAQ A for compliance purposes.

Please note that although PCI DSS v3 (enforced as of March 2015) introduces a new category, SAQ A-EP, for some kinds of payment gateway interaction, the PCI have confirmed that this does not apply to gateway integrations such as those implemented in PaperCut, which continue to be covered by SAQ A. This also applies to the current PCI DSS v3.2.1 (as of May 2018).

It is also worth reviewing two relevant FAQs from the PCI website:

Compliance requirements for SAQ A are documented in downloadable PDFs available from the PCI security standards website. The correct document as of time of writing is SAQ A v3.2.1 (May 2018).

In most cases, a self-assessment describing the site components and basic security measures taken (e.g. virus protection) will suffice to meet PCI compliance requirements. However, PaperCut recommend that any customer wishing to use credit cards for top ups works with their payment gateway provider, makes themselves familiar with the relevant PCI standards, and if necessary engages a qualified PCI compliance advisor conversant with the latest standards and well-versed in systems architecture.

Can you give me a PCI AOC (Attestation of Compliance) Certificate?

In relation to PCI Standards, PaperCut is not a Service Provider as defined by the PCI standards. Please refer to page 20 of the PCI DSS glossary of terms (see their Document Library for the latest version). The key phrase is “…Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity” (our emphasis).

Service Providers for PCI compliance purposes are entities such as the host of a managed service (such as an externally managed firewall) or a payment gateway if the gateway doesn’t fall under one of the other definitions.

PaperCut is also not defined as a Payment Application (see page 15 of the glossary document) - the PaperCut software has no direct interaction with the end user or the payment gateway in regards to credit card details, data or payments. No credit card data (card numbers, CVNs, expiry dates) is ever passed to PaperCut or stored by PaperCut. All credit card processing and user interaction take place on the payment provider’s site.

For SAQ A compliance, you will need to document the PCI-DSS status of your payment gateway, and of any other external or managed services that may affect your environment. The completion of this SAQ A compliance attestation would need to be done by yourselves, as PaperCut MF is installed within your premises and therefore this makes you the host of the originating site. That said, we take security very seriously, and we are confident that PaperCut is compliant with all applicable standards. PaperCut MF is deployed, with active payment gateway integration, at many sites which are fully PCI-DSS audited and compliant. In those environments, the PaperCut infrastructure was part of the initial audit and continues to be scanned and audited regularly as per the PCI-DSS procedures required for our customers to maintain their PCI compliant status.

We have made changes to the PaperCut software (mainly around encryption standards) to maintain compliance as technology has changed and as the PCI standards have developed, and will continue to do so where required in future.


Categories: Reference Articles, Security and Privacy


Keywords: security policy, security management, pci, dss, credit card, payment gateway