Send sensitive data via API
Ability to send full card and bank account numbers via API
This feature requires Rainforest approval
Overview
Most platforms that integrate with Rainforest use the Payment Component to capture sensitive card and bank account numbers. Because the platform never has access to any card details, this approach essentially removes the platform's cardholder data environment from PCI scope, while still allowing the platform to customize the look and feel of the card collection page. When the Payment Component is correctly implemented, Rainforest assumes liability for card breaches.
Some platforms prefer to collect card and bank account numbers themselves and send the full numbers to Rainforest via a server-to-server API.
Given the increased exposure when platforms handle card and bank account numbers, this feature requires Rainforest executive approval and is subject to the following requirements.
Requirements
- Platform must be PCI Level 1 certified (which includes an audit by a QSA) and willing to share its PCI Attestation of Compliance (AOC) at least annually.
- Platform must carry a cyber-liability insurance policy acceptable to Rainforest (typically at least $1M of coverage, depending on payment volume) and must add Rainforest as a named insured.
- Rainforest will review the platform's financial statements, and may periodically request updated statements, to assess the platform's ability to pay for the costs of a data breach.
- Platform must sign a contract amendment in which the platform, instead of Rainforest, assumes full responsibility for the cost of any payment data breaches or payment network fines.
- Upon request, platform must submit to a Rainforest technical diligence review.
- Rainforest will have sole discretion over approval.