Payment processor breaches cost merchants thousands in fines, chargebacks, and reputation damage—yet many still skip the security audit. Choosing a payment processor without verifying its security framework is like hiring a security guard who won't show credentials. Here's how to cut through vendor claims and actually evaluate whether a processor can protect your customer data.
Start with PCI DSS Compliance
PCI DSS (Payment Card Industry Data Security Standard) is the baseline. Every payment processor handling card data must comply with at least Level 1 (the strictest tier for high-volume processors).
Ask your potential processor directly: What PCI DSS level are you certified at? Levels 2–4 indicate lower transaction volumes; Level 1 means they process over 6 million cards annually. Request a copy of their Attestation of Compliance (AOC) or ask for a SAC (Service Organization Control) 2 Type II report. Type II reports are stronger because they audit controls over time, not just a single moment.
Don't accept vague answers like "we're compliant." Compliance is verifiable and dated. If a processor can't produce documentation, that's a major red flag.
Review SOC 2 Type II Reports
SOC 2 audits evaluate security, availability, processing integrity, confidentiality, and privacy. A Type II report means an independent auditor tested controls for at least 6 months.
When reviewing the report:
- Check the audit period—ideally, it's recent (within the last 12 months)
- Look for "exceptions" or "deferred" items in the auditor's findings
- Verify the scope covers data encryption, access controls, and incident response
- Note the auditor's firm (big four accounting firms carry more weight)
Processors often charge $500–$2,000 annually for SOC 2 Type II audits. If they won't share the report due to "confidentiality," they're either not compliant or hiding something. Request an NDA if needed.
Check for Tokenization & Encryption
Your processor should not store raw card data on their systems. Tokenization replaces card numbers with unique identifiers, reducing breach impact. Encryption secures data both in transit (TLS 1.2 or higher) and at rest.
Ask specifically:
- Do you tokenize card data immediately upon receipt?
- What encryption standard do you use (AES-256 is the current standard)?
- Are payment tokens unique per customer or per transaction?
If they say "we encrypt everything but store the keys on the same server," encryption is almost worthless. Keys must be stored separately, ideally in a hardware security module (HSM).
Evaluate Breach Notification & Incident Response
Even secure processors get targeted. What matters is how they respond.
Request their incident response plan documentation. Key elements include:
- Written procedures for detecting unauthorized access
- Customer notification timeline (PCI DSS requires 30 days maximum)
- Forensic investigation process
- Regular security awareness training for staff
- Backup and disaster recovery testing (at least annually)
Ask for references from existing clients who've experienced a breach. Their handling of a past incident reveals more than any marketing material.
Verify Third-Party Audits & Certifications
Beyond PCI DSS and SOC 2, look for:
- ISO 27001 – Information security management certification
- HIPAA compliance – If you process healthcare payments
- Penetration testing – Annual third-party testing of their systems (not self-testing)
- Bug bounty programs – Indicate they welcome external security researchers
Ask when their most recent penetration test occurred and request a summary (not the full report—that stays confidential). Reputable processors test at least annually.
Compare Vendors Systematically
Create a checklist:
| Security Standard | Required? | Processor A | Processor B | |---|---|---|---| | PCI DSS Level 1 | Yes | ✓ | ✓ | | SOC 2 Type II (recent) | Yes | ✓ | ✗ | | Tokenization | Yes | ✓ | ✓ | | Annual penetration test | Yes | ✓ | ✓ | | ISO 27001 | Nice-to-have | ✓ | ✗ |
Weight factors by importance to your business. Mercoly helps you compare and find trusted payment processing providers that meet your security criteria in one place, eliminating the back-and-forth.
Frequently Asked Questions
Q: What if a processor says they're PCI DSS compliant but won't share their AOC? Request it under NDA if privacy is their concern, but if they refuse entirely, move to another processor. Legitimate providers always have audit documentation available.
Q: Does a processor need SOC 2 Type II if they have PCI DSS Level 1? PCI DSS covers card security; SOC 2 covers broader operational and security controls. Type II is ideal but not mandatory—however, it significantly reduces your risk.
Q: How often should I re-audit my processor's security? Review their certifications annually and request updated reports every 1–2 years, especially if they've had infrastructure changes or added new services.
Check your processor's most recent audit reports today—don't wait until a breach forces the issue.