PCI Compliance for PaperCut MF/NG
The PCI (Payment Card Industry) is the international standards and compliance body for credit card data management and security.
PCI publish and maintain a set of standards, PCI DSS, and require that any site dealing with or handling credit card payments conform to the appropriate portion of the standard. The measures required, and the proof of compliance required, vary according to the degree of risk that a given site is deemed to pose.
PCI auditing is about ensuring a particular site is compliant with the PCI standards. As such, the PCI do not generally certify individual applications (unless the application is a Payment Application according to the PCI definition) - they certify the end-to-end deployment and implementation of all software/hardware components at each site. This is why PaperCut itself is not PCI certified. PaperCut is, however, PCI-compliant - if properly deployed in an otherwise PCI-compliant environment then the site will still pass a full PCI audit. PaperCut is currently in operation at many sites with high levels of regular PCI (and other) security auditing and has had no issues.
In a word, no.
PaperCut supports a number of Payment Gateways (see the Discover section on Print Charging Architecture and Overview, and the ‘Payment Integrations’ section of the Full List of PaperCut Integrations).
The good news here is that the PaperCut MF or NG Application Server itself never processes or stores credit card data. All of the credit card gateways that we support offer an integration architecture that uses a URL redirect to send the user’s browser to the payment gateway website when a user wishes to top up their account. What this means is that you’ll actually be redirected to the Payment Provider site (e.g. PayPal or Blackboard) to complete the payment transaction - you won’t ever give your credit card details to the PaperCut Application Server.
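To make the redirect architecture concrete, here is an added illustration (not PaperCut code, and not any gateway's real API) of the two steps the application server is involved in: building the redirect with only an amount and an opaque reference, and handling the gateway's return. The gateway URL, field names, shared secret and HMAC signing scheme are all assumptions constructed for the example; the point it demonstrates is that card fields never need to reach the server, and a defensive check can enforce that.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

GATEWAY_URL = "https://gateway.example/pay"   # constructed placeholder, not a real gateway
SHARED_SECRET = b"demo-shared-secret"          # constructed; a real deployment uses the gateway's key

# Field names a card-entry form would carry. They belong on the gateway's page only;
# the application server is built so that it never receives them.
CARD_FIELDS = {"card_number", "pan", "cvv", "cvn", "expiry"}


def sign(params):
    """HMAC over the sorted parameters (assumed scheme; real gateways define their own)."""
    canonical = urlencode(sorted(params.items())).encode()
    return hmac.new(SHARED_SECRET, canonical, hashlib.sha256).hexdigest()


def build_redirect(username, amount_cents):
    """Step 1: the app server sends the browser to the gateway with only an opaque
    reference, the amount and the account to credit. No card details are collected here."""
    params = {"ref": secrets.token_hex(8), "amount": str(amount_cents), "user": username}
    params["sig"] = sign(params)
    return params["ref"], GATEWAY_URL + "?" + urlencode(params)


def gateway_response(ref, amount_cents, status):
    """Stand-in for the gateway's return redirect (constructed for the example): it
    reports the outcome of the transaction, never the card used to pay."""
    params = {"ref": ref, "amount": str(amount_cents), "status": status}
    params["sig"] = sign(params)
    return urlencode(params)


def handle_return(query_string, expected_ref):
    """Step 2: the browser comes back. Refuse anything carrying card data (it should never
    reach this server), verify the gateway's signature, then return the cents to credit."""
    q = {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}
    if CARD_FIELDS & set(q):
        raise ValueError("card data presented to application server; refusing request")
    sig = q.pop("sig", "")
    if not hmac.compare_digest(sig, sign(q)):
        raise ValueError("gateway signature does not verify")
    if q.get("ref") != expected_ref or q.get("status") != "approved":
        return 0
    return int(q["amount"])


def fields_in_redirect(url):
    """Audit helper: the parameter names the app server actually sends to the gateway."""
    return set(parse_qs(urlparse(url).query))
```

The audit helper is the kind of check a SAQ A self-assessment can point to: the outbound redirect carries a reference, an amount and an account name, and nothing from the card-data field set.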
Compliance with PCI standards will be important for PaperCut customers wishing to use credit card payment gateways for user print credit top-ups. The PCI standards assign different levels of risk to different categories, and for each category there is a document describing compliance requirements.
As noted above, because the Application Server never processes or stores credit card data, this means that correctly deployed implementations of the PaperCut integration will come under the PCI DSS category SAQ A for compliance purposes.
Please note that although PCI DSS v3 (enforced as of March 2015) introduces a new category, SAQ A-EP, for some kinds of payment gateway interaction, the PCI have confirmed that this does not apply to gateway integrations such as those implemented in PaperCut, which continue to be covered by SAQ A. This also applies to the current PCI DSS v3.2.1 (as of May 2018).
It is also worth reviewing two relevant FAQs from the PCI website:
- Why is there a different approach for Direct-Post implementations than for iFrame and URL redirects?
- Why is SAQ A-EP used for Direct Post while SAQ A is used for iFrame or URL redirect?
In most cases, a self-assessment describing the site components and basic security measures taken (e.g. virus protection) will suffice to meet PCI compliance requirements. However, PaperCut recommend that any customer wishing to use credit cards for top-ups works with their payment gateway provider, becomes familiar with the relevant PCI standards, and if necessary engages a qualified PCI compliance advisor who is conversant with the latest standards and well-versed in systems architecture.
In relation to PCI Standards, PaperCut is not a Service Provider as defined by the PCI standards. Please refer to page 20 of the PCI DSS glossary of terms (see their Document Library for the latest version). The key phrase is “…Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity” (our emphasis).
Service Providers for PCI compliance purposes are entities such as the host of a managed service (such as an externally managed firewall) or a payment gateway if the gateway doesn’t fall under one of the other definitions.
PaperCut is also not defined as a Payment Application (see page 15 of the glossary document) - the PaperCut software has no direct interaction with the end user or the payment gateway in regards to credit card details, data or payments. No credit card data (card numbers, CVNs, expiry dates) is ever passed to PaperCut or stored by PaperCut. All credit card processing and user interaction take place on the payment provider’s site.
For SAQ A compliance, you will need to document the PCI DSS status of your payment gateway, and of any other external or managed services that may affect your environment. The SAQ A compliance attestation must be completed by you, the customer, because PaperCut MF is installed on your premises and that makes you the host of the originating site. That said, we take security very seriously, and we are confident that PaperCut is compliant with all applicable standards. PaperCut MF is deployed, with active payment gateway integration, at many sites which are fully PCI DSS audited and compliant. In those environments, the PaperCut infrastructure was part of the initial audit and continues to be scanned and audited regularly as per the PCI DSS procedures our customers must follow to maintain their PCI compliant status.
We have made changes to the PaperCut software (mainly around encryption standards) to maintain compliance as technology has changed and as the PCI standards have developed, and will continue to do so where required in future.
Keywords: security policy, security management, pci, dss, credit card, payment gateway