

000002490


1847

01/06/2025 20:37 PM

1.0

Authorize.net Data Security Compliance

 

Authorize.net is committed to safeguarding customer information and combating fraud. We operate with a mission to provide the most secure and reliable payment solutions for you and your customers.

To accomplish this, Authorize.net dedicates significant resources toward a strong infrastructure, and adheres to both strict internal security policies and industry security initiatives.

With Authorize.net, your customers can be confident their data is secure. We utilize industry-leading technologies and protocols, and we are compliant with a number of government and industry security initiatives.

 
Payment Card Industry Data Security 


The Payment Card Industry Data Security Standard (PCI DSS) is a set of comprehensive requirements developed by the major card brands to facilitate the adoption of consistent data security measures. Each year we renew our PCI DSS compliance.

For more information, please see the below related support articles:

 
Sarbanes-Oxley Act


Sarbanes-Oxley, or SOX, is a set of federally mandated accounting standards for all U.S. public company boards, management, and public accounting firms. Authorize.net is validated annually by external auditors for the current, relevant portions of the Sarbanes-Oxley Act.


SSAE-18 (formerly known as SAS70)


Statement on Standards for Attestation Engagements (SSAE) No. 18, commonly known as SSAE-18, defines the professional standards used to assess the internal controls for organizations that provide outsourcing services that impact the control environment of their customers. Authorize.net is validated annually by external auditors for SSAE-18.

SSAE-18 can also be referred to as SOC 1 or Service Organization Controls (SOC) 1 report.

Health Insurance Portability and Accountability Act (HIPAA)


Authorize.net does not handle HIPAA information in its provision of its services. We don’t use or collect ancillary information about the health transaction that’s being processed, nor do we use it for fraud analysis. Nonetheless, even if we did handle HIPAA info, Section 1179 of HIPAA exempts certain activities from the HIPAA rules, to the extent that these activities constitute authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for health care. Authorize.net services squarely fall within these functions specifically identified by the US Dept. of Health and Human Services as exempt.

Additional Legal Compliance


Authorize.net validates security measures against applicable sections of numerous federal and state laws–HIPAA, GLBA, California Senate Bill 1386 (SB1386), and many others. Our industry partners also perform regular audits.
 


