
PCI Compliance for PaperCut MF/NG


Last updated February 7, 2025

What is PCI Compliance?

The PCI (Payment Card Industry) is the international standards and compliance body for credit card data management and security.

PCI publish and maintain a set of standards, PCI DSS, and require that any site dealing with or handling credit card payments conform to the appropriate portion of the standard. The measures required, and the proof of compliance required, vary according to the degree of risk that a given site is deemed to pose.

PCI auditing is about ensuring a particular site is compliant with the PCI standards. As such, the PCI do not generally certify individual applications (unless the application is a Payment Application according to the PCI definition) - they certify the end-to-end deployment and implementation of all software/hardware components at each site. This is why PaperCut itself is not PCI certified. PaperCut is, however, PCI-compliant - if properly deployed in an otherwise PCI-compliant environment then the site will still pass a full PCI audit. PaperCut is currently in operation at many sites with high levels of regular PCI (and other) security auditing and has had no issues.

Does PaperCut MF or NG process or store credit card data?

In a word, no.

While PaperCut supports a number of Payment Gateways (see: Print Charging Architecture and Overview and the ‘Payment Integrations’ section in our Full List of PaperCut Integrations), the PaperCut MF or NG Application Server itself never processes or stores credit card data.

All of the credit card gateways that we support involve redirecting the user’s browser to the Payment Provider’s website when they wish to top up their account. What this means is that the user is actually redirected to a third-party site (e.g. PayPal, Blackboard etc.) to complete the transaction. Users never give credit card details to the PaperCut software.

How does PCI Compliance impact PaperCut MF or NG?

Compliance with PCI standards will be important for PaperCut customers wishing to use credit card payment gateways for user print credit top-ups. The PCI standards assign different levels of risk to different categories, and for each category there is a document describing compliance requirements.

As noted above, because the Application Server never processes or stores credit card data, this means that correctly deployed implementations of the PaperCut integration will come under the PCI DSS category SAQ A for compliance purposes.

Please note that although PCI DSS v3 (enforced as of March 2015) introduces a new category, SAQ A-EP, for some kinds of payment gateway interaction, the PCI have confirmed that this does not apply to gateway integrations such as those implemented in PaperCut, which continue to be covered by SAQ A. This also applies to the current PCI DSS v3.2.1 (as of May 2018).

It is also worth reviewing two relevant FAQs from the PCI website:

Compliance requirements for SAQ A are documented in downloadable PDFs available from the PCI security standards website.

In most cases, a self-assessment describing the site components and basic security measures taken (e.g. virus protection) will suffice to meet PCI compliance requirements. However, PaperCut recommend that any customer wishing to use credit cards for top-ups works with their payment gateway provider, makes themselves familiar with the relevant PCI standards, and if necessary engages a qualified PCI compliance advisor conversant with the latest standards and well-versed in systems architecture.

Can you give me a PCI AOC (Attestation of Compliance) Certificate?

Yes, our “Self-Assessment Questionnaire A and Attestation of Compliance” is available through our Trust Portal under PCI-DSS (SAQ-A).
