The Payment Card Industry Data Security Standard (“PCI DSS”) is an information security standard for organizations that handle branded payment cards. Apto is PCI DSS Level 1 certified. Organizations wanting to store, transmit, or process sensitive card data, such as the cardholder’s primary account number (“PAN”) and personal identification number (“PIN”), must comply with PCI DSS data security requirements. The PCI DSS certification process is time-consuming and expensive.
To accommodate companies that are not PCI certified, we offer a PCI SDK so cardholders can view their card details and change their PIN seamlessly from your application. The PCI SDK protects sensitive card data and displays it to the cardholder without the data ever passing through your servers.
If you are PCI certified, we can configure your Production API keys to have the API expose PCI-related data to you and you can store, transmit, and process the data on your servers. The API returns this data in the card object. These fields are not present in the card object payload if you are not PCI certified. Please contact a Program specialist to learn more.
The USA PATRIOT Act requires various financial institutions to implement a Customer Identification Program (CIP) to verify the identities of the persons with whom they do business. As an extension of our issuing bank, Apto, and therefore your card program, are required to abide by these verification regulations.
Apto can handle all aspects of your program’s KYC verification.
You’ll need to collect the following information in your application from card customers:
- Cardholder phone number
- Cardholder full name
- Cardholder physical address
- Cardholder date of birth
- Government tax identification number
and send it to us when creating a user either through the Mobile API or Core API. We process this information in real time to verify the cardholder’s identity. In other words, if there are no issues then cardholders get approved instantly. If we are unable to verify the customer’s eligibility from the information provided, we may ask for supporting documentation, which includes (but is not limited to) copies of:
- Social Security card
- Government issued ID
- Proof of address (such as a utility bill)
Apto requests this information by emailing the prospective cardholder on your behalf. The email contains a link to a secure site where they can upload the additional documents.
Changes on cardholder records
If a user changes email address, phone number, or mailing address, you are not required to re-run KYC. Instead, the user should contact Apto support and ask us to change the relevant details in our database. There is an SOP around this with various verification steps: give us your DOB, address, last 4 of the card, last 4 of the SSN, and so on.
If a user changes their email on your side, customers of Blue or Orange Programs can send a POST request to the Core API /cardholders endpoint to update the Apto database.
If you have already completed KYC on your users, or if you are intending to do so, Apto can work with our issuing bank to honor your Customer Identification Program through one of our Blue or Orange Programs.
In order to comply with CIP standards and record retention laws, Apto will maintain records of all customer identity related information for five years after account closure.
When querying a cardholder in the Core API, you'll see the response includes a kyc_status field, which represents the current state of the cardholder identity verification process.
These are the KYC related fields you'll see when creating/retrieving a cardholder:

| Field | Description |
|---|---|
| kyc_status | Represents the current state of a cardholder's identity verification process. |
| | One or more aspects of a cardholder's identity have not passed KYC and may require more information. |
| | One or more aspects of a cardholder's address have not passed KYC and may require more information. |
| | When a cardholder uploads additional documents to our support team, this field provides potential reasons for why we may not be able to accept them. |
| | In many instances, our cardholder support team may reach out to the individual to request additional files to resolve KYC issues. |
This is a list of KYC statuses that we provide:

| Status | Description |
|---|---|
| | User has failed KYC and needs to review their information and resubmit. There is typically an email sent to the cardholder requesting that information. |
| | User has failed KYC and needs to upload certain documents to be manually reviewed by Apto's Cardholder Support team. |
| | User has uploaded supporting documentation and is pending manual review by Cardholder Support. |
| | User has passed KYC. |
| | User has failed KYC following manual review by Cardholder Support. |
| | A catch-all for instances where we run into an issue initiating KYC. |

Note: Some custodians are configured to allow users to review the information they submitted and try again following a KYC failure (

- Most KYC statuses are REJECTED due to our automated KYC process
The following tables list the KYC failure states that may be returned in the response, with their definitions, when a cardholder does not pass KYC checks.

Identity failure states:

| Failure state | Description |
|---|---|
| | A null response indicates KYC was passed from an identity perspective. |
| | Occurs when the SSN a user enters was found, but the information associated with that SSN does not match what the user submitted. |
| | Occurs when the SSN a user enters is malformed, empty, or can't be processed. |
| | Occurs when a user appears on a government watchlist prior to initiating KYC. |
| | Occurs when a user who has already passed KYC makes a change to their identity information and KYC needs to be re-run. |
| | Occurs when the date of birth the user provided doesn't match the KYC records. |

Address failure states:

| Failure state | Description |
|---|---|
| | Occurs when a user provides a PO Box for their address. |
| | Occurs when a user who has already passed KYC makes a change to their address information and KYC needs to be re-run. |
| | Occurs when a user provides a private mailbox for their address. |
| | Occurs when a user provides an address that cannot be verified as a valid USPS address. |

Reasons an uploaded document may not be accepted:

| Reason | Description |
|---|---|
| REQUIRES_ADDITIONAL_INFORMATION | The cardholder needs to upload more files to pass KYC. |
| INSUFFICIENT_FILE | The file provided is not sufficient; additional details will be provided by our support team. |
| BLURRY | The file is blurry, or the visible part of the document does not contain sufficient information. |

Reasons additional files may be requested:

| Reason | Description |
|---|---|
| | We require a Government ID. |
| | We require additional documentation for proof of address. |
| | We require a bank statement. |
| | We require proof of SSN. |
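As an added example (not Apto's code), the following Python checks a collected KYC record, built from the fields listed earlier on this page, against failure states described above (a malformed SSN, a PO Box or private-mailbox address, an unusable date of birth) before the record is sent when creating a user, and redacts the tax ID to its last four digits so application logs never carry a full SSN. The field names, regular expressions and sample records are this example's own assumptions, not Apto API parameters or Apto's actual checks.

```python
import re
from datetime import date

# Fields the page lists as required; these keys are this example's own names,
# not Apto API parameter names.
REQUIRED_FIELDS = ("phone", "full_name", "address", "date_of_birth", "tax_id")

# Heuristics for failure states the page describes (malformed SSN, PO Box,
# private mailbox). The patterns are assumptions, not Apto's actual checks.
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
PO_BOX_RE = re.compile(r"^\s*p\.?\s*o\.?\s*box\b|\bpost\s+office\s+box\b", re.I)
PMB_RE = re.compile(r"\bPMB\b", re.I)


def redact_tax_id(tax_id: str) -> str:
    """Keep only the last four digits (what support asks for) for logging."""
    digits = re.sub(r"\D", "", tax_id or "")
    return "***-**-" + digits[-4:] if len(digits) >= 4 else "***-**-****"


def validate_kyc_input(record: dict, today: date = None) -> list:
    """Return a list of problems found in a collected KYC record, or [] if clean."""
    today = today or date.today()
    problems = [f"missing {f}" for f in REQUIRED_FIELDS
                if not str(record.get(f) or "").strip()]
    tax_id = record.get("tax_id") or ""
    if tax_id and not SSN_RE.match(tax_id):
        problems.append("tax_id is malformed (expected 9 digits, optionally dashed)")
    dob = record.get("date_of_birth") or ""
    if dob:
        try:
            if date.fromisoformat(dob) >= today:
                problems.append("date_of_birth is not in the past")
        except ValueError:
            problems.append("date_of_birth is not ISO format (YYYY-MM-DD)")
    address = record.get("address") or ""
    if PO_BOX_RE.search(address):
        problems.append("address is a PO Box")
    if PMB_RE.search(address):
        problems.append("address looks like a private mailbox (PMB)")
    return problems


# Constructed sample records (not real people).
SAMPLE_GOOD = {"phone": "+1-555-0100", "full_name": "Jane Doe",
               "address": "123 Main St, Springfield, IL 62701",
               "date_of_birth": "1985-04-12", "tax_id": "123-45-6789"}
SAMPLE_BAD = dict(SAMPLE_GOOD, phone="", tax_id="12-345",
                  date_of_birth="2030-01-01", address="PO Box 42, Springfield, IL")
```

Run the checks before the create-user call and log only `redact_tax_id(record["tax_id"])`; any non-empty problem list is a reason to ask the user to correct the form rather than submit and wait for a KYC failure.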
In corporate card programs, Apto is required to conduct a Know Your Business (KYB) process to verify information about the business being issued cards. The individual cardholders (the employees who will ultimately use the cards) are covered by this KYB verification and do not have to submit their own KYC documentation for review.
We will define the KYB requirements of your card program during implementation.
Sanctions compliance screening
In addition to customer identity verification, Apto screens customers against watch lists (including OFAC) and sanctions lists at account opening and daily thereafter. Apto utilizes multiple verification providers to conduct the screening and leverages their automated list updates to ensure ongoing screening is always conducted against the most up-to-date lists.