PCI compliance
The Payment Card Industry Data Security Standard (“PCI DSS”) is an information security standard for organizations that handle branded payment cards. Apto is PCI DSS Level 1 certified. Organizations wanting to store, transmit, or process sensitive card data, such as the cardholder’s primary account number (“PAN”) and personal identification number (“PIN”), must comply with PCI DSS data security requirements. The PCI DSS certification process is time consuming and expensive.
To accommodate companies that are not PCI certified, we offer a PCI SDK so cardholders can view their card details and change their PIN seamlessly from your application. The PCI SDK protects sensitive card data and displays it to the cardholder without the data ever passing through your servers.
If you are PCI certified, we can configure your Production API keys to have the API expose PCI-related data to you and you can store, transmit, and process the data on your servers. The API returns this data in the card object. These fields are not present in the card object payload if you are not PCI certified. Please contact a Program specialist to learn more.
The USA PATRIOT Act requires various financial institutions to implement a Customer Identification Program (CIP) to verify the identities of the persons with whom they do business. As an extension of our issuing bank, Apto, and therefore your card program, is required to abide by these verification regulations.
KYC
Overview
Apto can handle all aspects of your program’s KYC verification.
You’ll need to collect the following information in your application from card customers:
- Cardholder phone number
- Cardholder full name
- Cardholder physical address
- Cardholder date of birth
- Government tax identification number
and send it to us when creating a user either through the Mobile API or Core API. We process this information in real time to verify the cardholder’s identity. In other words, if there are no issues then cardholders get approved instantly. If we are unable to verify the customer’s eligibility from the information provided, we may ask for supporting documentation, which includes (but is not limited to) copies of:
- Social Security card
- Government issued ID
- Proof of address (such as a utility bill)
Apto requests this information by emailing the prospective cardholder on your behalf. The email contains a link to a secure site where they can upload the additional documents.
Changes on cardholder records
If a user changes email address, phone number, or mailing address, you are not required to re-run KYC. Instead, the user should contact Apto support and ask us to change the relevant details in our database. Support follows an SOP with several verification steps before making the change: the user is asked for their date of birth, address, the last 4 digits of the card number, the last 4 digits of the SSN, and so on.
If a user changes their email on your side, customers of Blue or Orange Programs can send a POST request to the Core API /cardholders endpoint to update the Apto database.
If you have already completed KYC on your users, or if you are intending to do so, Apto can work with our issuing bank to honor your Customer Identification Program through one of our Blue or Orange Programs.
In order to comply with CIP standards and record retention laws, Apto will maintain records of all customer identity related information for five years after account closure.
Fields
Apto's API provides you with the ability to retrieve a user's identity verification status, using the GET cardholder endpoint.
As of May 2023, we have released v2 of our Identity Verification service for all new customers, but will continue to offer v1 for our existing customers. Below, we have outlined the key differences between the possible values returned for each version of the Identity Service.
Identity Service v2
When querying a cardholder in the Core API, the response includes an identity_status field, which represents the current state of the cardholder's identity verification process.
These are the possible identity_status values you'll see when creating or retrieving a cardholder:
Identity_status | Description |
---|---|
rejected | User has failed KYC following manual review by Cardholder Support. |
passed | User has passed KYC. |
evaluating | The identity evaluation is still in progress and has not yet produced a final result. |
error | A catch all for instances where we run into an issue initiating KYC. |
under_review | User has uploaded supporting documentation and is pending manual review by Cardholder Support. |
pending | User has failed KYC and they need to upload certain documents to be manually reviewed by Apto's Cardholder Support. |
Identity Service v1
Existing customers will continue to use v1 of our Identity Service, which provides a unique set of KYC values to retrieve a user's identity verification status:
KYC fields | Description |
---|---|
kyc_status | Represents the current state of a cardholder's identity verification process |
kyc_identity_reason | One or more aspects of a cardholder's identity have not passed KYC and may require more information. |
kyc_address_reason | One or more aspects of a cardholder's address have not passed KYC and may require more information. |
kyc_file_reason | When a cardholder uploads additional documents to our support team, this field provides potential reasons for why we may not be able to accept them. |
kyc_files_required | In many instances, our cardholder support team may reach out to the individual to request additional files to resolve KYC issues. |
Status
This is a list of KYC statuses that we provide:
kyc_status | Description |
---|---|
null | – |
RESUBMIT_DETAILS | User has failed KYC and needs to review their information and resubmit. An email is typically sent to the cardholder requesting that information. Note: some custodians are configured to let users review the information they submitted and try again after a KYC failure (RESUBMIT_DETAILS), while others are configured to request documentation immediately after the initial KYC attempt (UPLOAD_FILE). Once the custodian's kyc_attempt_limit is reached, the user's kyc_status changes to UPLOAD_FILE. |
UPLOAD_FILE | User has failed KYC and they need to upload certain documents to be manually reviewed by Apto's Cardholder Support team. |
UNDER_REVIEW | User has uploaded supporting documentation and is pending manual review by Cardholder Support. |
PASSED | User has passed KYC |
REJECTED | User has failed KYC following manual review by Cardholder Support. |
TEMPORARY_ERROR | A catch all for instances where we run into an issue initiating KYC. |
Notes:
- Most KYC statuses are PASSED or REJECTED, because the automated KYC process resolves the majority of cases without manual review.
Failure States
The following tables list the KYC failure states that may be returned in the response, with their definitions, when a cardholder does not pass KYC checks:
kyc_identity_reason | Description |
---|---|
null | A null response indicates KYC was passed from an identity perspective. |
SSN_MISMATCH | Occurs when the SSN a user enters was found, but the information associated with that SSN does not match what the user submitted. |
SSN_INVALID | Occurs when the SSN a user enters is malformed, empty, or can't be processed. |
WATCHLIST_MATCH | Occurs when a user appears on a government watchlist prior to initiating KYC. |
IDENTITY_UPDATE | Occurs when a user who has already passed KYC makes a change to their identity information and KYC needs to be rerun. |
DOB_MISMATCH | Occurs when the date of birth the user provided doesn't match the KYC records. |
kyc_address_reason | Description |
---|---|
null | – |
ADDRESS_PO_BOX | Occurs when a user provides a PO Box for their address. |
ADDRESS_UPDATE | Occurs when a user who has already passed KYC makes a change to their address information and KYC needs to be rerun. |
ADDRESS_PMB | Occurs when a user provides a private mailbox for their address. |
ADDRESS_INVALID | Occurs when a user provides an address that cannot be verified as a valid USPS address. |
kyc_file_reason | Description |
---|---|
null | – |
REQUIRES_ADDITIONAL_INFORMATION | The cardholder needs to upload more files to pass KYC. |
INSUFFICIENT_FILE | The file provided is not sufficient; additional details will be provided by our support team. |
BLURRY | The file is blurry, or the visible part of the document does not contain sufficient information. |
kyc_files_required | Description |
---|---|
null | – |
GOVERNMENT_ID | We require a government ID. |
PROOF_OF_ADDRESS | We require additional documentation as proof of address. |
BANK_STATEMENT | We require a bank statement. |
PROOF_OF_SSN | We require proof of SSN. |
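The v2 identity_status values and the v1 kyc_status and kyc_*_reason fields above are the only signal your application gets about whether a cardholder may be issued a card. The example below, which is added here and is not Apto's code, maps a cardholder object (as returned by the GET cardholder endpoint) to the next step an integrating application should take, for both service versions. It uses only the field names and enumerated values documented on this page; the action names, the Decision type and the sample responses are constructed for the example and are assumptions. The security-relevant choice is that it fails closed: only an exact, documented pass value (passed for v2, PASSED for v1) marks the user as verified, and a null, unknown or differently-cased status results in a hold rather than a pass.

```python
"""Map the identity-verification state of an Apto cardholder record to the
next action an integrating application should take.

Added example, not Apto's code. Only the response field names and enumerated
values documented on the page are taken from the API (v2: identity_status;
v1: kyc_status, kyc_identity_reason, kyc_address_reason, kyc_file_reason,
kyc_files_required). Action names, the Decision type and SAMPLES are assumed.
"""
from dataclasses import dataclass, field
from typing import Any

# v2 Identity Service: identity_status -> application action (assumed names)
V2_ACTIONS = {
    "passed": "activate_card",
    "pending": "upload_files",        # user must upload supporting documents
    "evaluating": "wait",             # automated evaluation still running
    "under_review": "wait",           # documents uploaded, manual review pending
    "rejected": "close_application",  # failed after manual review
    "error": "retry_later",           # KYC could not be initiated
}

# v1 Identity Service: kyc_status -> application action (assumed names)
V1_ACTIONS = {
    "PASSED": "activate_card",
    "RESUBMIT_DETAILS": "resubmit_details",  # review entered data, try again
    "UPLOAD_FILE": "upload_files",
    "UNDER_REVIEW": "wait",
    "REJECTED": "close_application",
    "TEMPORARY_ERROR": "retry_later",
}

V1_REASON_FIELDS = ("kyc_identity_reason", "kyc_address_reason", "kyc_file_reason")


@dataclass
class Decision:
    verified: bool                  # True only for an explicit passed / PASSED
    action: str
    reasons: list[str] = field(default_factory=list)
    required_files: list[str] = field(default_factory=list)


def _as_list(value: Any) -> list[str]:
    """kyc_files_required may be absent, null, one code or a list (assumed)."""
    if value is None:
        return []
    if isinstance(value, (list, tuple)):
        return [str(v) for v in value]
    return [str(value)]


def decide(cardholder: dict) -> Decision:
    """Return the next step for one cardholder object from GET cardholder.

    Fails closed: any status other than the documented pass value, including
    null, an unknown value or an unexpected case, yields verified=False and
    the action 'hold', so a state added server-side can never read as a pass.
    """
    if "identity_status" in cardholder:                 # v2 response
        status = cardholder.get("identity_status")
        return Decision(verified=(status == "passed"),
                        action=V2_ACTIONS.get(status, "hold"))

    status = cardholder.get("kyc_status")               # v1 response (or neither)
    reasons = [cardholder[f] for f in V1_REASON_FIELDS if cardholder.get(f)]
    return Decision(verified=(status == "PASSED"),
                    action=V1_ACTIONS.get(status, "hold"),
                    reasons=reasons,
                    required_files=_as_list(cardholder.get("kyc_files_required")))


# Constructed sample responses (not real API output) for a self-check.
SAMPLES = {
    "v2_passed": {"id": "sample-1", "identity_status": "passed"},
    "v2_pending": {"id": "sample-2", "identity_status": "pending"},
    "v2_wrong_case": {"id": "sample-3", "identity_status": "PASSED"},
    "v1_upload": {
        "id": "sample-4",
        "kyc_status": "UPLOAD_FILE",
        "kyc_identity_reason": "SSN_MISMATCH",
        "kyc_address_reason": None,
        "kyc_file_reason": None,
        "kyc_files_required": ["PROOF_OF_SSN", "GOVERNMENT_ID"],
    },
    "v1_null": {"id": "sample-5", "kyc_status": None},
}


def run_samples() -> dict[str, Decision]:
    return {name: decide(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, d in run_samples().items():
        print(f"{name:14} verified={d.verified!s:5} action={d.action:18} "
              f"reasons={d.reasons} files={d.required_files}")
```

Treat the 'hold' outcome as a bug to investigate rather than a state to wait out: it means the API returned something this code does not recognise, which is exactly the case in which silently granting access would be wrong.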
KYB
Overview
In corporate card programs, Apto is required to conduct a Know Your Business (KYB) process to verify information about the business being issued cards. The individual cardholders (the employees who will ultimately use the cards) are covered by this KYB verification and do not have to submit their own KYC documentation for review.
We will define the KYB requirements of your card program during implementation.
Sanctions compliance screening
In addition to customer identity verification, Apto screens customers against watch lists (including OFAC) and sanctions lists at account opening and daily thereafter. Apto utilizes multiple verification providers to conduct the screening and leverages their automated list updates to ensure ongoing screening is always conducted against the most up-to-date lists.