Skip to main content

PCI compliance

The Payment Card Industry Data Security Standard (“PCI DSS”) is an information security standard for organizations that handle branded payment cards. Apto is PCI DSS Level 1 certified. Organizations wanting to store, transmit, or process sensitive card data, such as the cardholder’s primary account number (“PAN”) and personal identification number (“PIN”), must comply with PCI DSS data security requirements. The PCI DSS certification process is time consuming and expensive.

To accommodate companies that are not PCI certified, we offer a PCI SDK so cardholders can view their card details and change their PIN seamlessly from your application. The PCI SDK protects sensitive card data and displays it to the cardholder without the data ever passing through your servers.

If you are PCI certified, we can configure your Production API keys to have the API expose PCI-related data to you and you can store, transmit, and process the data on your servers. The API returns this data in the card object. These fields are not present in the card object payload if you are not PCI certified. Please contact a Program specialist to learn more.

The USA PATRIOT Act requires various financial institutions to implement a Customer Identification Program (CIP) to verify the identities of persons with whom it does business. As an extension of our issuing bank, Apto, and therefore your card program, are required to abide by these verification regulations.

KYC

Overview

Apto can handle all aspects of your program’s KYC verification.

You’ll need to collect the following information in your application from card customers:

  • Cardholder phone number
  • Cardholder full name
  • Cardholder physical address
  • Cardholder date of birth
  • Government tax identification number

and send it to us when creating a user either through the Mobile API or Core API. We process this information in real time to verify the cardholder’s identity. In other words, if there are no issues then cardholders get approved instantly. If we are unable to verify the customer’s eligibility from the information provided, we may ask for supporting documentation, which includes (but is not limited to) copies of:

  • Social Security card
  • Government issued ID
  • Proof of address (such as a utility bill)

Apto requests this information by emailing the prospective cardholder on your behalf. We send a secure site for them to upload additional documents.

Changes on cardholder records

If a user changes email address, phone number, or mailing address, you are not required to re|run KYC. Instead, the user should contact Apto support and ask us to change the relevant details in our database. There is an SOP around this with various verification steps—give us your DOB, address, last 4 of the card, last 4 of the SSN, and so on.

If a user changes their email on your side, customers of Blue or Orange Programs can send a POST request to the Core API /cardholders endpoint to update the Apto database.

If you have already completed KYC on your users, or if you are intending to do so, Apto can work with our issuing bank to honor your Customer Identification Program through one of our Blue or Orange Programs.

In order to comply with CIP standards and record retention laws, Apto will maintain records of all customer identity related information for five years after account closure.

Fields

When querying a cardholder in the Core API, you'll see the response includes a kyc_status field, which represents the current state of the cardholder identity verification process.

These are the KYC related fields you'll see when creating/retrieving a cardholder:

KYC fieldsDescription
kyc_statusRepresents the current state of a cardholder's identity verification process
kyc_identity_reasonOne or more aspects of a cardholder's identity have not passed KYC and may require more information.
kyc_address_reasonOne or more aspects of a cardholder's address have not passed KYC and may require more information.
kyc_file_reasonWhen a cardholder uploads additional documents to our support team, this field provides potential reasons for why we may not be able to accept them.
kyc_files_requiredIn many instances, our cardholder support team may reach out to the individual to request additional files to resolve KYC issues.

Status

This is a list of KYC statuses that we provide:

kyc_statusDescription
null
RESUBMIT_DETAILSUser has failed KYC and needs to review their information and resubmit. There is typically an email sent to the cardholder requesting that information

Note: Some custodians are configured to allow users to review the information they submitted and try again following a KYC failure (RESUBMIT_DETAILS), while others are configured to request documentation immediately following the initial KYC attempt (UPLOAD_FILE). Once the custodian's kyc_attempt_limit is reached, the user's kyc_status changes to UPLOAD_FILE.
UPLOAD_FILEUser has failed KYC and they need to upload certain documents to be manually reviewed by Apto's Cardholder Support team.
UNDER_REVIEWUser has uploaded supporting documentation and is pending manual review by Cardholder Support.
PASSEDUser has passed KYC
REJECTEDUser has failed KYC following manual review by Cardholder Support.
TEMPORARY_ERRORA catch all for instances where we run into an issue initiating KYC.

Notes:

  • Most KYC statuses are PASSED or REJECTED due to our automated KYC process

Failure States

The following tables list KYC failure states that may be returned in the response and its associated definitions when a cardholder does not pass KYC checks:

kyc_identity_reasonDescription
nullA null response indicates KYC was passed from an identity perspective.
SSN_MISMATCHOccurs when the SSN a user enters was found, but the information associated with that SSN does not match what the user submitted.
SSN_INVALIDOccurs when the SSN a user enters is malformed, empty, or can't be processed.
WATCHLIST_MATCHOccurs when a user appears on a government watchlist prior to initiating KYC.
IDENTITY_UPDATEOccurs when a user who has already passed KYC makes a change to their identity information and and KYC needs to be rerun.
DOB_MISMATCHOccurs when the date of birth the user provided doesn't match the KYC records.
kyc_address_reasonDescription
null
ADDRESS_PO_BOXOccurs when a user provides a PO Box for their address.
ADDRESS_UPDATEOccurs when a user who has already passed KYC makes a change to their address information and and KYC needs to be rerun.
ADDRESS_PMBOccurs when a user provides a private mailbox for their address.
ADDRESS_INVALIDOccurs when a user provides an address that cannot be verified as a valid USPS address.
kyc_file_reasonDescription
null
REQUIRES_ADDITIONAL_INFORMATIONThe cardholder needs to upload more files to pass KYC
INSUFFICIENT_FILEThe file provided is not sufficient, additional details will be provided from our support team
BLURRYFile is blurry or the part of the document that is visualized does not contain sufficient information
kyc_files_requiredDescription
null
GOVERNMENT_IDwe require a Government ID
PROOF_OF_ADDRESSwe require additional documentation for proof of address
BANK_STATEMENTwe require a bank statement
PROOF_OF_SSNwe require Proof of SSN

KYB

Overview

In corporate card programs, Apto is required to conduct a Know Your Business (KYB) process to verify information about the business being issued cards. The individual cardholders— employees who will ultimately use the cards—act on behalf of this KYB verification without having to submit their own KYC documentation for review.

We will define the KYB requirements of your card program during implementation.

Sanctions compliance screening

In addition to customer identity verification, Apto screens customers against watch lists (including OFAC) and sanctions lists at account opening and daily thereafter. Apto utilizes multiple verification providers to conduct the screening and leverages their automated list updates to ensure ongoing screening is always conducted against the most up-to-date lists.