PCI compliance

The Payment Card Industry Data Security Standard (“PCI DSS”) is an information security standard for organizations that handle branded payment cards. Apto is PCI DSS Level 1 certified. Organizations wanting to store, transmit, or process sensitive card data, such as the cardholder’s primary account number (“PAN”) and personal identification number (“PIN”), must comply with PCI DSS data security requirements. The PCI DSS certification process is time consuming and expensive.

To accommodate companies that are not PCI certified, we offer a PCI SDK so cardholders can view their card details and change their PIN seamlessly from your application. The PCI SDK protects sensitive card data and displays it to the cardholder without the data ever passing through your servers.

If you are PCI certified, we can configure your Production API keys so that the API exposes PCI-related data to you, and you can then store, transmit, and process that data on your servers. The API returns this data in the card object. These fields are not present in the card object payload if you are not PCI certified. Please contact Apto sales to learn more.

Identity verification

The USA PATRIOT Act requires various financial institutions to implement a Customer Identification Program (CIP) to verify the identities of the persons with whom they do business. As an extension of our issuing bank, Apto, and therefore your card program, are required to abide by these verification regulations.

Consumer verification (KYC)

In the Instant Issuance program, Apto will handle all aspects of your program’s KYC verification.

You’ll use our mobile SDK to collect the following information from card customers:

  • Cardholder phone number
  • Cardholder full name
  • Cardholder physical address
  • Cardholder date of birth
  • Government tax identification number

We process this information in real time to verify the cardholder’s identity. In other words, if there are no issues then cardholders get approved instantly. If we are unable to verify the customer’s eligibility from the information provided, we may ask for supporting documentation, which includes (but is not limited to) copies of:

  • Social Security card
  • Government issued ID
  • Proof of address, such as a utility bill; applicants must submit a residential address

Apto requests this information by emailing the prospective cardholder on your behalf. We send them a link to a secure site where they can upload the additional documents.

Each Cardholder object includes a kyc_status, which represents the current state of their identity verification process. The KYC keys and their possible values are:

KYC key        Possible values

If a user changes email address, phone number, or mailing address, you are not required to re-run KYC. Instead, the user should contact Apto support and ask us to change the relevant details in our database. There is a standard operating procedure (SOP) for this with various verification steps: the user supplies their DOB, address, last 4 digits of the card, last 4 digits of the SSN, and so on.

If a user changes their email on your side, Enterprise customers can send a POST request to the Core API /cardholders endpoint to update the Apto database.

If you have already completed KYC on your users, or if you are intending to do so, Apto can work with our issuing bank to honor your Customer Identification Program through an Enterprise card program.

In order to comply with CIP standards and record retention laws, Apto will maintain records of all customer identity related information for five years after account closure.

Business verification (KYB)

In corporate card programs, Apto is required to conduct a Know Your Business (KYB) process to verify information about the business being issued cards. The individual cardholders (the employees who will ultimately use the cards) act on behalf of the KYB-verified business and do not have to submit their own KYC documentation for review.

We will define the KYB requirements of your card program during implementation.

Sanctions compliance screening

In addition to customer identity verification, Apto screens customers against watch lists (including OFAC) and sanctions lists at account opening and daily thereafter. Apto utilizes multiple verification providers to conduct the screening and leverages their automated list updates to ensure ongoing screening is always conducted against the most up-to-date lists.