Broker certification requirements

Achievable for companies of all sizes.

Important: Requirements do not need to be met before joining.

Applicants have up to 90 days to complete verification, with extensions available. The program is designed to support companies as they gather evidence, review controls, and prepare for final review.

Flexible

Example pathways provided. Equivalent controls accepted.

Portal

Upload screenshots, screen recordings, or documents.

Final review

A Review Summary is provided after assessment.

Five areas of review.

Designed as a lightweight baseline to deter external data sharing.

Requirement 01

Personnel Controls

Organizational policies to limit risk at the human layer.

Background Checks

Documentation confirming background checks are conducted for personnel with access to sensitive data.

Example pathways
  • Blank copy of your background check authorization form.
  • Screenshot from your provider showing active account or recent checks, with PII redacted.

Password Policy

A documented password policy or enforcement settings. At minimum, passwords should meet a required length and complexity standard.

Example pathways
  • Copy of password policy or screenshot of admin panel showing enforcement settings.

Workstation & Screen Security

A policy or technical setting requiring workstations to lock when unattended.

Example pathways
  • Screenshot of auto-lock timeout setting enabled in device management or admin panel.

Off-Boarding Process

A process for immediately revoking system access when employees leave or change roles.

Example pathways
  • Offboarding checklist or policy.

Remote Access

If personnel access company systems outside of the office, controls should be in place to secure that access.

Example pathways
  • MFA.
  • Endpoint management or MDM solution.
  • VPN or IP-based restrictions.

Requirement 02

Email Security

If staff have access to emails containing merchant documents, safeguards must be in place to reduce opportunities for misuse.

Multi-Factor Authentication

MFA must be enabled on your email system.

Example pathways
  • Screenshot of MFA setting enabled in your email admin panel.
  • Screen recording of a login showing MFA prompt triggering and being completed.

Email Inbox Access

If merchant documents ever arrive in or get routed to an email inbox, at least one email safeguard is required.

Example pathways
  • Submissions route directly to CRM through an automated workflow.
  • Inbound email watermarking tool, Aquamark or equivalent.
  • Forwarding restrictions, downloading disabled, or other DLP policies.

Requirement 03

CRMs or Equivalent Systems

System-level controls to limit the ability to extract data and documents.

Multi-Factor Authentication

MFA must be enabled on your CRM, portal, or equivalent system.

Example pathways
  • Screenshot of MFA setting enabled in your CRM admin panel.
  • Screen recording of a login showing MFA prompt triggering and being completed.

Role-Based Access

Personnel should only be able to access accounts and information required for their role. Sensitive fields, such as SSN, should be restricted based on business necessity.

Example pathways
  • Screenshot of your CRM's role list showing that separate roles exist.
  • Screen recording of logging in as two different roles, showing information visible to one role and restricted for another.

Document Access Controls

If documents are accessible within your CRM, portal, or equivalent system, at least one document safeguard is required.

Example pathways
  • View-only access, where documents cannot be downloaded.
  • Document watermarking to deter sharing.

Requirement 04

Document Storage

Controls on secondary storage locations outside your main systems.

Storage Safeguards

If documents are stored in Google Drive, Dropbox, OneDrive, etc., at least one safeguard is required.

Example pathways
  • View-only access, where documents cannot be downloaded.
  • Document watermarking to deter sharing.

Requirement 05

Outsourcing

Safeguards for third-party access to merchant documents.

BPO Safeguards

If BPO teams, onshore or offshore, have access to submission packages, at least one safeguard is required.

Example pathways
  • View-only access, where BPO personnel cannot download files.
  • Document watermarking to deter sharing.

Program Notice

Final Review

Evidence assessment, public records review, and continued listing.

Continued listing requires resolution of any open items identified during review. Final review includes an evidence assessment, business registration verification, and limited public records checks focused specifically on lawsuits involving the misuse, unauthorized sharing, or fraudulent use of customer data. Members receive access to the verification portal and support throughout the process, including guidance as they gather evidence, review technical controls, and prepare for final review. Members may continue working toward certification with full program support included.