When you are in the payments industry, one thing is absolutely crucial: data security. Banking information, personal data, and more are being transmitted through the systems your ISO uses every day, and ensuring that the data is secure and protected is of extreme importance. 

The importance of data security is even greater when using external resources, like IRIS CRM, for customer support, sales pipeline management, and keeping track of residuals. IRIS CRM is an end-to-end solution for ISOs to manage their entire payments business from a single platform. IRIS CRM has a variety of integrations with other software providers to enhance the user experience, and can access different types of user data to make life easier for ISOs.

To give IRIS CRM users confidence in the data security and protection that we have put in place, we have outlined three important ways that IRIS CRM has gone above and beyond to achieve the highest standards for data compliance.


IRIS CRM: PCI Level 1 Service Provider

The Payment Card Industry Data Security Standard, or PCI DSS, is the name of a specific set of requirements designed to ensure that any companies that process, store, or transmit credit card data are maintaining a secure environment.

The PCI Security Standards Council (SSC) is the body that provides the standards of PCI DSS, and the supporting materials that organizations need to understand what PCI compliance is, and how they can become compliant. There are 12 specific requirements for PCI DSS Compliance, and organizations must meet or exceed all 12 requirements to become and remain PCI compliant.

IRIS CRM is a PCI Level 1 Service Provider, the designation for service providers that store, process, or transmit more than 300,000 credit card transactions annually.

In addition, Level 1 Service Providers must have validated the following requirements:

  • Annual Report on Compliance by a Qualified Security Assessor
  • Quarterly network scan by an Approved Scanning Vendor
  • Penetration Test
  • Internal Scan
  • Attestation of Compliance Form

In short, this means that IRIS CRM has passed the stringent requirements needed for PCI compliance as a Level 1 Service Provider. With this level of PCI compliance, IRIS CRM has proven to be a secure service provider based on the highest standards set within the payments industry. 

IRIS CRM users do not need to worry about their data being stolen, or stored in a non-secure environment. PCI Level 1 Service Provider status means that IRIS CRM has proven to the fullest extent possible that we protect and value important client data. 

PCI Level 1 Service Provider status also allows IRIS CRM to be listed on Visa’s Global Registry of Approved Service Providers.

IRIS CRM is also listed on the Mastercard SDP Compliant Registered Service Provider List, a listing that is granted only once Mastercard has received the Attestation of Compliance from a PCI SSC-approved Qualified Security Assessor (QSA). This document validates that IRIS CRM is fully PCI compliant.


IRIS CRM: HIPAA Compliant
HIPAA, which stands for the Health Insurance Portability and Accountability Act, is a familiar acronym for many these days. First passed by Congress in 1996, HIPAA set forth requirements related to healthcare coverage, fraud and abuse, and data protection for businesses throughout the United States.

According to the DHCS website, HIPAA does the following:

  • Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs
  • Reduces healthcare fraud and abuse
  • Mandates industry-wide standards for healthcare information on electronic billing and other processes
  • Requires the protection and confidential handling of protected health information

Here at IRIS CRM, we are primarily concerned with the third point regarding the standards for protecting healthcare information in electronic billing or other processes. The industry-wide standards for healthcare information covered by HIPAA specifically require “health care providers and organizations, as well as their business associates, to develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, handled, or shared.”

We are proud to share that IRIS CRM has achieved HIPAA compliance! IRIS CRM has been verified to protect and secure protected health information for users in the Health Care industry. IRIS CRM users can feel secure that all of their data, health care data included, is protected, secured, and stored to the highest standards. 

We take data privacy incredibly seriously, and HIPAA compliance is yet another step we have taken to ensure that users feel confident in IRIS CRM’s ability to protect their important financial and healthcare-related data.


IRIS CRM: Restricted Scope API Approved

All apps that connect with Google APIs to function are required to complete a verification process in order to start sharing the app with the public for the first time. The level of verification depends on the scope of the app’s Google data usage. 

“When you use OAuth 2.0 to get permission from your users to access this data, you use strings called scopes to specify the type of data you want to access and how much access you need,” according to Google. “If your app requests scopes categorized as sensitive or restricted, you will probably need to complete the verification process.”

Sensitive scopes include the Calendar API, People API, and YouTube Data API, while restricted scopes only include the Gmail API, Drive API, and Google Fit APIs. 

If an app requests data included in sensitive scopes, it must follow Google’s API Services User Data Policy. Apps accessing only sensitive scopes are not required to undergo an independent, third-party security assessment.

IRIS CRM falls into the final category, as an app that accesses data falling under Google’s restricted scopes.

Apps accessing restricted scopes must fulfill the same requirements as apps accessing sensitive scopes, but they also must meet the Additional Requirements for Specific Scopes. This generally includes an independent, third-party security assessment in which an outside party tests the security and data protection within an app to ensure that the data is being stored and transmitted securely.

IRIS CRM is approved for Google’s Restricted Scope API, which means we have undergone strict security testing from a third-party vendor and confirmed the safety and security of IRIS CRM when accessing Google APIs.

As an IRIS CRM user, you can feel confident that any data that is accessed via the Google API is secure and safe, no matter how you are using IRIS CRM and our integrations with Google Calendar, Google Maps, Gmail, and the IRIS CRM Sidebar for Gmail extension.


If you’d like to learn more about IRIS CRM, the secure CRM solution for ISOs, request a free guided demonstration with our expert team!