Enterprise payment processor selection is fundamentally different from how a small business chooses a processor. Enterprise procurement involves security audits, compliance verification, legal review of contract terms, SLA negotiation, and formal scoring across dozens of criteria. This guide provides the enterprise evaluation framework, useful both for large organizations choosing a processor and for mid-market merchants who want to apply enterprise rigor to their decision.
Security Certifications
Verify the following certifications before any processor reaches your shortlist:
- PCI DSS Level 1: The highest level of PCI compliance, requiring an annual assessment by a Qualified Security Assessor (QSA). Any processor handling significant volume should be PCI DSS Level 1 certified. Request the current certificate and verify the assessment date.
- SOC 2 Type II: Validates security controls over a 6–12 month observation period (Type II is more rigorous than Type I, which is a point-in-time assessment). SOC 2 is particularly important for data security and availability.
- ISO 27001: International information security management standard. Not universal in payments, but increasingly expected by enterprise buyers.
- GDPR and data residency: For EU-serving businesses, verify where cardholder data is stored and processed. Data residency requirements may constrain processor selection.
SLA Requirements
| SLA Dimension | Enterprise Baseline | Minimum Acceptable |
|---|---|---|
| Gateway uptime | 99.99% | 99.9% |
| API latency (p99) | <300ms | <500ms |
| Critical incident response | 15 minutes | 1 hour |
| Critical incident resolution | 4 hours | 24 hours |
| Settlement timing | T+1 guaranteed | T+2 typical |
Require historical uptime data (not just SLA targets) for the past 12 months. Ask specifically about major incidents and post-incident reports.
Disaster Recovery and Business Continuity
- What is the processor’s RTO (Recovery Time Objective) and RPO (Recovery Point Objective) in the event of a data center failure?
- Are processing systems geographically redundant?
- What was the longest outage in the past 24 months?
- How are failover decisions made, automatically or manually?
Contract Terms for Enterprise Buyers
- Rate protections: Lock processing rates for the contract term; require notice periods and opt-out rights for any rate changes
- Data portability: Explicit language guaranteeing access to all transaction data and stored payment credentials on contract termination
- Liability caps: Standard contracts often cap liability at one month’s fees, negotiate for a multiple more proportionate to processing volume
- Indemnification: Clarify who bears liability for chargebacks, fraud losses, and regulatory penalties arising from processor infrastructure failures
- Insurance requirements: Many enterprise buyers require processors to carry cyber liability insurance with minimum coverage ($5M–$25M is common)
The Enterprise Scoring Rubric
Score each processor on a 1–5 scale across eight dimensions. Weight dimensions by importance to your business:
| Dimension | Weight | Score (1–5) | Weighted Score |
|---|---|---|---|
| Security certifications | 20% | — | — |
| Authorization rate performance | 20% | — | — |
| SLA and uptime | 15% | — | — |
| Total cost (all fees) | 15% | — | — |
| Fraud and chargeback tools | 10% | — | — |
| Integration quality | 10% | — | — |
| Support quality | 5% | — | — |
| Contract terms | 5% | — | — |
ConvesioPay’s enterprise credentials: PCI DSS Level 1 through Adyen’s infrastructure, direct acquiring with institutional SLAs, flat-rate pricing with complete fee transparency (2.9% + $0.30, no monthly fees), and month-to-month terms with full data portability.
Ready to get started? Learn more about ConvesioPay or view pricing.