PayFabric is a cloud-based payment processing solution for merchants and developers that makes it easy to accept and manage online payments in your application, website or ecommerce storefront. PCI validated and supported by multiple gateways, the PayFabric service provides an alternative to developing costly and complex infrastructure to safely process payments, as well as store and share transactional data across multiple platforms, channels and devices. Whether you’re just looking to start accepting payments quickly, or you’re searching for a more complete solution for storing cards, connecting applications and integrating with back office systems, PayFabric allows merchants and developers of any size and complexity to connect once, and grow infinitely.
PayFabric is used by entities of all sizes and complexity, from startups to Fortune 500 companies and everything in between. As a developer tool, PayFabric supplies a RESTful API with only a few lines of code used to process a transaction and a universal token that securely connects payments to multiple gateways and processors. For businesses, PayFabric provides a complete solution for payment processing including secure credit card and ACH storage, integration across multiple platforms, websites, and payment applications - including ERP and CRM, plus optional merchant account and payment gateway services.
Anyone can sign up for a PayFabric account online 24/7 and begin using PayFabric after completing the required fields in the online setup wizard. The process is fast, intuitive and allows merchants to start processing online payments the same day.
Check out our pricing page for more details on our offerings.
Monday to Friday, 7am to 5pm Pacific Standard Time
Support Email: firstname.lastname@example.org
Phone: (909) 482-4701
Nodus Technologies, Inc.
2099 S. State College Blvd., Suite 250
Anaheim, CA 92806
PayFabric follows best practices with regard to service updates. Changes are first developed and tested within our internal development environment, published to a second test environment for application compatibility testing, then onto Sandbox.PayFabric.com and finally, www.PayFabric.com. Multiple layers of testing procedures greatly minimize the chances of downtime introduced by code changes.
If you have integrations with PayFabric, you might need to perform updates to take advantage of our newly supported features and functionality.
We don’t anticipate this situation with 99.95% uptime. However, in the rare event this occurs, we first suggest checking your internet connection to make sure you have good connectivity. If the problem persists, please contact PayFabric support for troubleshooting assistance.
PayFabric is hosted by Amazon Web Services (AWS) and uses two AWS availability zones. On top of the 99.95% uptime provided by AWS, the redundancy and load balancing offered by the multiple availability zones minimize the chances of the PayFabric service going down. If AWS goes down, PayFabric will be down until AWS comes back online.
PayFabric is hosted by Amazon Web Services’ (AWS) datacenters, which have multiple power lines coming in from Nevada, Oregon and Northern California. In the event of a power outage caused by natural disaster, PayFabric will be online as soon as power is restored.
We strongly urge you to contact us immediately in the event of a serious incident or disruption on your side.
PayFabric works in conjunction with payment gateways and processors. It can be used from any country as long as a merchant is using a payment gateway supported by PayFabric.
PayFabric is a payment processing engine that is used by a software application for internet-based payment processing. Unlike a POS terminal, PayFabric supports card-not-present scenarios. In the near future, we’ll be able to support card-present transactions.
PayFabric supports the ability for merchants to accept credit cards, debit cards (excluding PIN-based) and ACH (eChecks).
In the U.S., for Visa, MasterCard, and Discover transactions, the funds will appear in your bank within 2 business days. American Express transactions are typically 3-5 business days.
PayFabric will not hold your funds. Once settlement occurs, funds will be moved from the customer’s bank directly into your merchant bank account.
Yes, PayFabric accepts international payment cards and multiple currencies as long as your selected payment gateways and processors support it.
Any card authorization, credit, ticket only, capture or settlement request, decline transaction, or other related transaction, completed or submitted under a Customer’s account to PayFabric.
PayFabric supplies a secure payment frame that can be seamlessly integrated into your application or website’s payment page to match your desired branding. After either you or your customer enters the required payment information, the transaction will be processed in real time and a confirmation can be used to confirm payment status. The payment can be integrated to your ERP and/or CRM, as well as other platforms and applications.
PayFabric supports all the transaction types supported by the registered payment gateway and processors.
PayFabric does not perform any tax calculations. It relies on integrated applications to pass in the calculated tax values along with other transaction details. Contact our support team for more information.
Yes. PayFabric offers smart field level handling and provides tools to help you qualify your transactions for Level II and Level III rates in order to help you reduce processing fees.
Yes, PayFabric provides the ability to enable specific forms of payment from your dashboard’s control panel.
Not at this time, but please check with us to see when it’s expected.
Not at this time, but please check with us to see when it’s expected.
PayFabric processes transactions based on the currency that was submitted from the application. It does not perform any conversion prior to submitting to the payment gateway.
PayFabric does not dictate the currency for settlement. This is specific to your merchant account setup.
PayFabric facilitates transaction processing through the selected payment gateway & processor. The business rules for recurring charges can be implemented at the application level using saved wallet entries from PayFabric. For additional assistance with selecting a recurring payment or subscription billing solution, check out Nodus ePay Advantage.
PayFabric supports eCheck or ACH payments through our supported gateways and select processors (e.g., USAePay, Authorize.Net, PayPal Payflow Pro, etc.).
PayPal is located in multiple data centers around the world and they have multiple redundancies. In the event PayPal goes down, you can place your transactions on hold, and when the service comes back up you can proceed with your transactions. If this is a time-critical purchase, we highly recommend setting up an additional gateway with a different service.
The Payment Card Industry (PCI) Data Security Standards (DSS) are international technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect credit card data.
PayFabric is PCI DSS Level 1 Compliant. PayFabric is hosted on AWS (Amazon Web Services) which is also PCI DSS Level 1 Compliant. Please see our supported security documents and listings for additional details.
PCI DSS Certificate of Validation
PCI DSS Attestation of Compliance
ASV PCI Scan Attestation of Compliance
PayFabric’s PCI DSS listings for MasterCard
PayFabric’s PCI DSS listings for Visa
Acronym for Payment Application Data Security Standard, which defines security requirements and assessment procedures for software vendors of payment applications. Use of a PA-DSS compliant application by itself does not make an entity PCI DSS compliant, since that application must be implemented into a PCI DSS compliant environment.
The PCI standards apply to all entities that store, process or transmit credit cards, including merchants, software developers and manufacturers of applications and devices used in those transactions.
In general, PCI Security Standards include:
· PCI Data Security Standard (PCI DSS)
· PIN Transaction Security Requirements (PTS)
· Payment Application Data Security Standards (PA‐DSS)
· PCI Point‐to‐Point Encryption Standard (P2PE)
For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.
Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. If an entity provides a service that involves only the provision of public network access—such as a telecommunications company providing just the communication link—the entity would not be considered a service provider for that service (although they may be considered a service provider for other services).
In the context of PA-DSS (Payment Application – Data Security Standards), a software application that stores, processes, or transmits cardholder data as part of authorization or settlement, where the payment application is sold, distributed, or licensed to third parties.
A vulnerability scan is a computer program designed to assess a merchant or service provider’s systems for flaws or weaknesses which, if exploited, may result in an intentional or unintentional compromise of a system or its data. Vulnerability scans are used as part of validating PCI DSS compliance. PCI DSS Requirement 11.2 requires that external vulnerability scanning be performed quarterly by an approved scanning vendor (ASV) qualified by PCI SSC.
An Approved Scanning Vendor (ASV) is a data security firm using a scanning solution to determine whether or not the customer meets the PCI DSS external vulnerability scanning requirement 11.2. ASVs are qualified by the PCI Security Standards Council to perform external network and system scans as required by the PCI DSS. ASVs may submit compliance reports to the acquiring institution on behalf of a merchant or service provider, if agreed by the ASV and their customer.
The Self‐Assessment Questionnaire (SAQ) is a validation tool for merchants and service providers to report the results of their PCI DSS self‐assessment, if they are not required to submit a Report on Compliance (ROC). The SAQ includes a series of yes‐or‐no questions for each applicable PCI DSS requirement. If an answer is no, the organization may be required to state the future remediation date and associated actions. There are different SAQs available to meet different merchant environments. If you are not sure which SAQ would apply to you, contact your acquiring bank or payment card brand for assistance.
Compliance with data security standards can bring major benefits to businesses of all sizes, while failure to comply can have serious and long-term negative consequences. Details can be found on the PCI SSC website:
PayFabric can assist entities with simplifying their scope of PCI compliance by eliminating the processing and storage of sensitive payment data in local environments. However, its use by itself does not constitute PCI compliance. There are other requirements that must be continuously fulfilled within PCI DSS such as annual certification, periodic vulnerability scans, self-assessment questionnaires (SAQ), operational policies and procedures, etc.
The PCI DSS can be reviewed on the PCI Security Standards Council (PCI SSC) website:
While the PCI SSC sets the PCI Security Standards, each payment card brand has its own program for compliance, validation levels and enforcement. More information about compliance can be found online at these links:
Compliance with PCI DSS is a continual, ongoing process, not a one-time thing. The PCI Security Standards Council does not manage compliance programs or impose any consequences for non-compliance. Individual payment brands, however, have their own compliance initiatives, including financial or operational consequences for certain businesses that are not compliant. Merchants who do not comply could face restrictions by the card brands and may be subjected to fines. The PCI Security Standards Council encourages all businesses that store payment account data to comply with the PCI DSS to help lower the brand and financial risks associated with account payment data compromises.
Merchant levels are determined by the merchant’s annual volume of transactions. Specific merchant levels can be defined using the table below:
Yes. The PCI standards apply to all entities that store, process or transmit credit cards.
Yes. Using a PCI validated, third-party company might simplify your business’ scope of PCI compliance and possibly reduce your risk. However, it does not constitute PCI compliance for your business.
Generally, you are required to validate only once per year for all locations if they process under one Tax ID.
Payment cards such as credit, debit and prepaid, from any of the five card brands that participate in the PCI SSC, including Visa, MasterCard, American Express, Discover and JCB, are all included within the scope for PCI compliance.
Having SSL certificates does not achieve PCI compliance. These are installed onto web servers to initiate secure sessions with browsers. Their inclusion is meant to confirm a website’s operators are a legitimate entity and that a secure connection exists between the user and website. PCI compliance standards require more than just a secure connection, for example, the submission of a SAQ form or a quarterly scan by an approved vendor.
Yes. PayFabric was designed in part to help reduce payment card fraud and improve security. Fraud protection features include AVS, CVV and Zip Code Validation, and more.
According to PCI DSS 3.3, merchants should mask primary account number (PAN) when displayed (the first six and last four digits are the minimum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN. This requirement does not supersede stricter requirements in place for displays of cardholder data – for example, legal or payment card brand requirements for point-of-sale (POS) receipts. The display of full PAN on items such as computer screens, payment card receipts, faxes, or paper reports can result in this data being obtained by unauthorized individuals and used fraudulently. Ensuring that full PAN is only displayed for those with a legitimate business need to see the full PAN minimizes the risk of unauthorized persons gaining access to PAN data. This requirement relates to protection of PAN displayed on screens, paper receipts, printouts, etc., and is not to be confused with Requirement 3.4 for protection of PAN when stored in files, databases, etc.
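An added example (not PayFabric code and not part of the original FAQ) of the display masking described above: it finds card numbers in text bound for a screen, receipt or report, keeps the first six and last four digits and masks the rest, unless the viewer is flagged as having a business need for the full PAN. The function names, the `authorized` flag and the sample lines are assumptions; the card numbers are widely used test numbers, not real accounts.

```python
import re

# Candidate card number: 13-19 digits, optionally split by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to avoid masking order or invoice numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan_text: str, keep_first: int = 6, keep_last: int = 4,
             mask_char: str = "*") -> str:
    """Mask the middle digits of one PAN, leaving separators in place."""
    total = sum(c.isdigit() for c in pan_text)
    out, seen = [], 0
    for c in pan_text:
        if c.isdigit():
            seen += 1
            visible = seen <= keep_first or seen > total - keep_last
            out.append(c if visible else mask_char)
        else:
            out.append(c)
    return "".join(out)


def mask_text(text: str, authorized: bool = False) -> str:
    """Mask every Luhn-valid PAN in text; authorized viewers see it unchanged."""
    if authorized:              # assumption: caller has already checked business need
        return text

    def _sub(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(match.group(0)) if luhn_valid(digits) else match.group(0)

    return PAN_CANDIDATE.sub(_sub, text)


def mask_lines(lines, authorized: bool = False):
    return [mask_text(line, authorized) for line in lines]


# Constructed sample display lines (test card numbers only).
SAMPLE_LINES = [
    "receipt: VISA 4111111111111111 approved",
    "crm note: customer read card 5555 5555 5555 4444 over phone",
    "report: AMEX 3782-822463-10005 settled",
    "export: order=1234567890123456 total=49.00",   # fails Luhn, left as is
]

if __name__ == "__main__":
    for line in mask_lines(SAMPLE_LINES):
        print(line)
```

The pattern match is a heuristic for display paths only; it does not address how PAN is protected in files or databases.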
The risk level for home businesses is considered very high due to vulnerabilities generally attributed to insecure home networks. These environments often do not safeguard and continually monitor security threats the same as more established businesses. Cyber criminals will often attack systems they feel offer a path of least resistance.
Yes. There are state laws that require notification to affected parties. Please see the following link for additional details and state laws: http://www.privacyrights.org/
Merchants and service providers that have experienced a suspected or confirmed security breach must take immediate action to help prevent additional damage and adhere to Visa CISP requirements. Please see the following link for additional details and steps for compromised entities:
PayFabric is validated to meet PCI-DSS requirements when it comes to handling credit card data from storage or during transmission for processing needs. You can find a copy of our AOC on our About PCI page. With regard to the PCI scope, PayFabric can help reduce the risk exposure with card data and consequently reduce the effort to validate compliance. For a full scope analysis, it is still beneficial to contact a QSA as they’re best equipped to answer specific questions about your scope of compliance based on your business process.
PayFabric can be set up for a simple integration within a couple of hours or less by a knowledgeable developer. Of course, projects which are more complex may require more time, but we’ve designed PayFabric to support a Rapid Application Development Model using a RESTful API that requires only a few lines of code to process a transaction.
PayFabric can work with almost any application, platform and/or website, including integrated payment processing solutions, ecommerce sites, online billing solutions, ERP, CRM, mobile apps, and more.
Once you create an account, you can process single transactions using the Virtual Terminal in your account’s control panel. If you are signed up with Nodus PayLink, you can also send payment links from your PayLink portal without developers. In order to integrate payment acceptance into your platforms, applications, or websites, any experienced developer can use our RESTful API with easy documentation and sample code. The process is simple and straightforward.
Generally, PayFabric is happy to review and consider the scope of your requirements. If it makes sense for both of us, we will certainly consider providing development resources for your project. Otherwise, we will recommend you work with an integration consultant or contractor, and we will provide assistance and support as needed.
You maintain ownership of your data. If you are required to change service providers, we offer portability options that will assist you in migrating data safely and accurately.
At a minimum, cardholder data consists of the full PAN (primary account number). Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name and expiration date.
No. Users have the option to save credit cards (or eCheck) for later use. If this option is not enabled, the wallet entry will not be saved.
There is no limit on the number of payment cards you can store in PayFabric. You can always request to go to a higher storage plan by simply contacting email@example.com.
We are certain you’ll love the service from PayFabric, but if you ever need to switch, we do offer portability options for existing wallet data. We will provide a recommended data transfer approach to ensure that any data transfer is both secure and in compliance with the PCI Data Security Standards.
PayFabric is hosted by Amazon AWS located in the US. Currently, we do not provide data storage outside of the United States. If you need further information regarding data storage outside of the US, please contact us at firstname.lastname@example.org.
A payment gateway is an ecommerce service provider that authorizes electronic payments and processes them with an entity’s merchant account. Payment gateways facilitate the transfer of information between a payment portal (such as a website, mobile phone or interactive voice response service) and the Front End Processor or acquiring bank. Payment gateways protect credit card details by encrypting sensitive information, such as credit card numbers, to ensure that information is passed securely between the customer and the merchant and also between merchant and the payment processor. It is not uncommon for a merchant account and payment gateway to be set up and managed through a single provider.
PayFabric offers services that enable you to connect with many different payment gateways. We are not a payment gateway ourselves.
PayFabric supports a growing list of payment gateways including PayPal Payflow Pro, First Data, WorldPay, CyberSource, USAePay, Chase Paymentech, Authorize.Net, Payfuse, and Moneris. If you would like to connect to a gateway that is not currently supported please contact our support team.
Yes, we are continuously working to add more gateways into our supported list. We prioritize our support plan based on popular demand from customers, business partners, and market needs. If there is a gateway you would like to add into our list, please send your request to email@example.com.
As a value-added service to PayFabric, we can also perform a statement analysis and assist with setting up merchant account services. We are often able to save customers money on payment processing rates and fees. Contact us for more information or to get started.
Certainly. However, we encourage you to take advantage of a free rate comparison as we are often able to save our customers money on payment processing rates and fees. Also, by utilizing our merchant account and gateway services, you can rely on a single point of contact to assist with inquiries, technical support and troubleshooting – which saves time and adds convenience.
Yes. PayFabric acts as the hub that connects to all supported payment gateways. A payment method token that is generated on PayFabric, and links to a credit card or eCheck account, is not tied to any single gateway. Once you have that token generated, you can run transactions against the gateway account profile set up on your PayFabric account. Hence, switching to any gateway will not impact transaction processing on PayFabric.
If the problem is on our end, we will troubleshoot and resolve as soon as possible. If the problem is not with PayFabric services, we recommend contacting your gateway service provider. If you are using our preferred Merchant Account and Gateway services, simply contact us and we’ll take care of the rest.