May 30, 2024

Ensuring Trust in Connectivity: Atomic’s SOC 2 Type 2 and PCI Attestations

Sarah Beale

Content Writer


At Atomic, we’re championing upward financial mobility for all. An important part of this mission is enhancing consumer visibility and control over recurring payments. Most recurring payments are processed via credit or debit cards, so we developed our PayLink solution with Payment Card Industry Data Security Standard (PCI) compliance in mind. PayLink provides the connectivity so consumers can update, cancel, or modify recurring payments. We design our services to help protect consumer data, and we recently achieved a PCI attestation for PayLink in addition to the Service Organization Control (SOC) 2 Type 2 attestation we’ve obtained for several years for all Atomic services.

SOC 2 Type 2

Atomic received a new SOC 2 Type 2 report in April 2024, providing detailed information and assurance about Atomic’s controls relevant to security, availability, processing integrity, confidentiality, or privacy of the systems we use to process users’ data and the confidentiality and privacy of the data processed by these systems. The Type 2 report looks at controls over the 12-month period from April 2023 to March 2024 to determine whether they’re working as intended. During the SOC audit, a third-party team examined Atomic’s security, availability, processing integrity, confidentiality, and privacy, and in April issued a report with no exceptions to the standards.

PCI

Atomic is pleased to announce that we attained an Attestation of Compliance with all applicable PCI requirements in May 2024, with an acknowledgement from a third-party Qualified Security Assessor who performed extensive testing procedures. While SOC 2 Type 2 applies generally to service organizations that process data on behalf of their customers, PCI validation focuses specifically on cardholder data and the security measures that help protect it. PayLink enables the updating of credit and debit card payments, so PCI validation is essential. Atomic’s Level 1 Service Provider tokenizes the PAN and CVV and encrypts them while they are temporarily stored until deleted in 24 hours. Atomic never receives the full PAN or the CVV. All Atomic services benefit from Atomic’s PCI compliance. PayLink operates on the same platform as our other services, and many of the PCI requirements have been implemented across the platform for all Atomic services.

Conclusion

SOC and PCI attestations are a critical part of Atomic’s efforts to partner with financial institutions and fintechs to bring better experiences to end users. As we develop more products on the PayLink platform, maintaining secure data practices is essential to supporting our clients’ compliance needs and protecting sensitive consumer data.

Atomic customers can reach out to their account representative for the reports. Prospective customers can fill out this form for the reports.
