Funder certification requirements

Achievable for funders of all sizes. Lightweight and practical.

Requirements do not need to be met before joining. Members complete verification after enrollment, with the program's full support.

Members can earn certification in just a few days. Applicants have up to 90 days from joining to submit evidence, with extensions available.

Pathways

Example pathways provided. Equivalent controls accepted.

Online Portal

Upload screenshots, recordings, or documents through the portal.

Outcome

Review Summary provided after assessment.

Five areas of review.

A lightweight baseline to deter external data sharing. Most evidence is already in place at modern operations and only needs to be documented.

Requirement 01

Personnel Controls

Organizational policies to limit risk at the human layer.

Background Checks

Documentation confirming background checks are conducted for personnel with access to sensitive data.

Example pathways
  • Blank copy of your background check authorization form.
  • Screenshot from your provider showing active account or recent checks, with PII redacted.

Password Policy

A documented password policy or enforcement settings. At minimum, passwords should meet a required length and complexity standard.

Example pathways
  • Copy of password policy or screenshot of admin panel showing enforcement settings.

Workstation & Screen Security

A policy or technical setting requiring workstations to lock when unattended.

Example pathways
  • Screenshot of auto-lock timeout setting enabled in device management or admin panel.

Off-Boarding Process

A process for immediately revoking system access when employees leave or change roles.

Example pathways
  • Offboarding checklist or policy.

Remote Access

If personnel access company systems outside of the office, controls should be in place to secure that access.

Example pathways
  • MFA.
  • Endpoint management or MDM solution.
  • VPN or IP-based restrictions.

Requirement 02

Email Security

If staff have access to emails containing merchant documents, safeguards must be in place to reduce opportunities for misuse.

Multi-Factor Authentication

MFA must be enabled on email accounts used to receive or handle submissions.

Example pathways
  • Screenshot of MFA setting enabled in your email admin panel.
  • Screen recording of a login showing MFA prompt triggering and being completed.

Submissions Email Inbox

If submissions are accepted via email, at least one safeguard is required to reduce opportunities for unauthorized external sharing.

Example pathways
  • If email submissions are not accepted, provide documented ISO guidelines confirming email is not an accepted intake method.
  • Submissions route directly to CRM through an automated workflow.
  • Inbound email watermarking tool, Aquamark or equivalent.
  • Forwarding restrictions, downloading disabled, or other DLP policies.

Requirement 03

CRMs or Equivalent Systems

System-level controls to limit the ability to extract data and documents.

Multi-Factor Authentication

MFA must be enabled on CRM, portal, or equivalent system accounts.

Example pathways
  • Screenshot of MFA setting enabled in your CRM admin panel.
  • Screen recording of a login showing MFA prompt triggering and being completed.

Role-Based Access

Personnel should only be able to access accounts and information required for their role. Sensitive fields, such as SSN, should be restricted based on business necessity.

Example pathways
  • Screenshot of your CRM's role list showing that separate roles exist.
  • Screen recording logging in as two different roles showing information visible to one role and restricted for another.

Document Access Controls

If documents are accessible within your CRM, portal, or equivalent system, at least one document safeguard is required.

Example pathways
  • View-only access, where documents cannot be downloaded.
  • Document watermarking to deter sharing.

Requirement 04

Document Storage

Controls on secondary storage locations outside your main systems.

Storage Safeguards

If documents are stored in Google Drive, Dropbox, OneDrive, etc., at least one safeguard is required.

Example pathways
  • View-only access, where documents cannot be downloaded.
  • Document watermarking to deter sharing.

Requirement 05

Outsourcing

Safeguards for third-party access to merchant documents.

BPO Safeguards

If BPO teams, onshore or offshore, have access to submission packages, at least one safeguard is required.

Example pathways
  • View-only access, where BPO personnel cannot download files.
  • Document watermarking to deter sharing.

Program Notice

Final Review

Evidence assessment, public records review, and continued listing.

Continued listing requires resolution of any open items identified during review. Final review includes an evidence assessment, business registration verification, and limited public records checks focused specifically on lawsuits involving the misuse, unauthorized sharing, or fraudulent use of customer data. Members receive access to the verification portal and support throughout the process, including guidance as they gather evidence, review technical controls, and prepare for final review. Members may continue working toward certification with full program support included.