The Payment Card Industry Data Security Standard, also known as PCI-DSS (PCI), can be a scary concept—for those new to the payments industry and payments veterans alike—because falling out of compliance with PCI standards can have serious consequences. The payments experts at Finix like to make PCI compliance less scary by making sure our customers and community are well-informed when accepting card payments.
Overview of PCI Compliance
PCI-DSS is the compliance and security standard created by the Payment Card Industry Security Standards Council (PCI-SSC) that aims to protect cardholder data from theft and reduce instances of credit card fraud. Cardholder data is defined as the Primary Account Number (PAN) alongside any of the following:
- Cardholder name
- Expiration date
- Service code (e.g., PINs, CVVs, etc.)
The PCI-SSC was formed by the leading card brand networks: Visa, MasterCard, Discover, American Express, and JCB International. These card brand networks banded together to create a standard baseline level of protection for buyers and businesses with PCI-DSS. You’ve probably seen news stories about data breaches, revenue loss, and damaged company reputations. The PCI-DSS (and the financial penalties that non-compliance brings) was established to help prevent such data breaches.
PCI-DSS applies to all entities and parties that process, store, and/or transmit cardholder (credit and/or debit) data through their payments products, services and systems, including but not limited to:
- Card-present and card-not-present merchants
- Financial institutions
- Payment facilitators
- Payment processors
- Card networks
The Four Levels of PCI Compliance
The specific level of PCI compliance can vary depending on the business’s annual processing volume and number of payment card transactions. Logically, the more volume you process, the tighter your security needs to be. Each business will fall into one of the PCI levels listed below, with Level 1 being the highest level of security and 4 being the lowest.
| Level | Criteria |
| --- | --- |
| 1 | Merchant processes over 6M total transactions per year across all channels |
| 2 | Business processes between 1M and 6M total transactions per year across all channels |
| 3 | Business processes between 20K and 1M total transactions per year across all channels and payment methods |
| 4 | Business processes fewer than 20K eCommerce transactions or fewer than 1M total transactions per year |
Level 2, 3, and 4 businesses and merchants may satisfy PCI compliance requirements via a Self-Assessment Questionnaire (SAQ), a network scan, and an Attestation of Compliance form. The SAQ is a series of questions for each applicable PCI requirement.
Most Payment Facilitators are required to obtain PCI-DSS Service Provider Level 1 compliance, while some may qualify for Level 2, depending on the requirements from their acquiring bank.
Annual PCI Check and Validation
All businesses that store, process, and/or transmit cardholder data are required to complete a PCI compliance form annually. For example, as part of our commitment to PCI-DSS standards, Finix complies with the annual requirement for a Level 1 Service Provider by having an independent data security assessment performed by a Qualified Security Assessor (QSA). The assessor performs an on-site evaluation of the business to:
- Confirm PCI-DSS standards are being met
- Validate the scope of assessment
- Review supporting documentation and technical information
- Evaluate compliance and security controls
- Verify successful recurring penetration testing and network vulnerability scanning
We want Finix customers to know they are in good hands, so we make our most recent PCI Attestation of Compliance (AoC) available by request under a signed non-disclosure agreement.
To find a Qualified Security Assessor (QSA) of your own, check out the PCI SSC’s list of QSAs.
Requirements for PCI Compliance
We’ve discussed who needs to meet PCI compliance requirements, at what levels, with what documentation. Now let’s look at what needs to be built into your card payment systems in order for them to meet PCI standards.
At a high level, the requirements for PCI compliance fall into six goals, each with specific requirements:
- Build and maintain secure network systems
  - Install and maintain firewalls and other safeguards to protect cardholder data
  - Replace vendor-supplied default security configurations and passwords
- Protect stored cardholder data
  - Encrypt transmission of cardholder data across open, public networks
  - Encrypt and protect cardholder data stored on internal servers
- Develop a vulnerability management program
  - Regularly test security systems, software and processes
  - Monitor for and patch security vulnerabilities across systems, applications and platforms
- Implement a strong access control program
  - Restrict access to cardholder data by business need to know
  - Restrict physical access to cardholder data
  - Restrict access to cardholder data with robust authentication protocols (MFA)
- Regularly test security systems and processes
  - Track and monitor all access to network resources and cardholder data
  - Develop, test, and maintain secure systems and applications to protect cardholder data
- Maintain a security policy
  - Develop, update, and distribute company-wide policies for data security
Defining your PCI Scope
It is important to define the level of PCI compliance your business needs to obtain and maintain. This helps in reducing risk levels and operational costs associated with processing and handling cardholder data. PCI standards apply to all system components and environments that store, process, and transmit cardholder data.
Companies and businesses that handle card data may be subject to all 300+ security controls listed in PCI-DSS; however, businesses can minimize their PCI level by using third-party solutions that accept and store card data on their behalf. These solutions ensure sensitive cardholder data never touches the business’s own system components, minimizing its overall PCI compliance scope.
Finix is a Level 1 PCI-DSS certified service provider, which is the strictest and highest attainable level of PCI compliance. Using the Finix gateway can significantly reduce a business’s PCI compliance requirements.
Minimizing PCI scope
A way to minimize your PCI scope is to use a payment gateway hosted by a PCI Level 1 compliant service provider, like Finix. Businesses that leverage or integrate with third-party PCI-certified payment gateways can reduce the scope of their PCI compliance through a variety of methods, including:
Tokenization
Tokenization is the process of converting sensitive data into a non-sensitive equivalent, known as a token. Gateways use security methods such as tokenization to allow you to “store” tokens that stand in for card data on your platform, while the card data itself stays on the gateway’s side.
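The following is an added illustration, not Finix code, of why tokens take card data out of your scope: a minimal in-memory vault (a constructed stand-in for a gateway’s PCI-scoped storage) returns a random surrogate token that carries no information about the PAN, and the merchant-side record keeps only the token and display data. The vault, function names and the test card number are assumptions for the example.

```python
import secrets

# Constructed stand-in for the gateway's vault: the only place a PAN lives.
# In a real deployment this storage is on the PCI Level 1 provider's side.
_VAULT: dict = {}


def luhn_valid(pan: str) -> bool:
    """Reject obviously malformed PANs before anything is stored."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 9 else d * 2  # same as summing the digits
            d = d - 9 if d > 9 else d
        total += d
    return total % 10 == 0


def tokenize(pan: str, exp_month: int, exp_year: int) -> dict:
    """Store the PAN in the vault and hand back a random surrogate token.

    The token comes from a CSPRNG, not from the PAN, so it cannot be
    reversed, guessed, or correlated with the card without the vault."""
    if not luhn_valid(pan):
        raise ValueError("invalid PAN")
    token = "tok_" + secrets.token_hex(16)
    _VAULT[token] = {"pan": pan, "exp_month": exp_month, "exp_year": exp_year}
    # Only non-sensitive display data leaves the vault alongside the token.
    return {"token": token, "last4": pan[-4:],
            "exp_month": exp_month, "exp_year": exp_year}


def detokenize(token: str) -> str:
    """Only the vault owner (the gateway) can map a token back to a PAN."""
    return _VAULT[token]["pan"]


def merchant_record(tokenized: dict, customer_id: str) -> dict:
    """What the merchant persists: token plus masked display, never the PAN.

    A breach of this record yields nothing usable without the vault."""
    return {"customer_id": customer_id,
            "token": tokenized["token"],
            "display": "**** " + tokenized["last4"],
            "expires": f"{tokenized['exp_month']:02d}/{tokenized['exp_year']}"}
```

The same division of responsibility underlies the iFrame and tokenization-API integrations described below: the PAN travels to the gateway’s vault, and your systems keep only the token.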
Use of iFrames
The use of iFrames can also reduce PCI scope. An iFrame (Inline Frame) is an HTML document embedded inside another HTML document (the checkout page) on a website. iFrames allow cardholder data to be securely entered, tokenized, and stored on the servers of the payment provider, so the card number never passes through the merchant’s own page or servers. Finix encourages customers to use our payment gateway with the embedded tokenization iFrame to significantly reduce their PCI scope.
Use of Tokenization APIs
The use of a tokenization API allows for a completely customizable card data collection form and user experience within a web or mobile application. There is also additional flexibility when it comes to transmitting card data in large batches. Despite the many added benefits offered by direct API tokenization, the PCI scope associated with it is the maximum scope that can be incurred by a business that is not storing card data. This increase in scope is due to the business and its computing systems directly handling the processing and transmission of card data, even though they do not actually store it.
Falling out of Compliance
A variety of penalties or actions can be levied and/or taken against you and your business if you fall out of compliance. Some of the penalties or actions possible include but are not limited to:
- Monetary penalties and/or fines ranging from $5,000 and up
- Loss of merchant account
- Payments processor shutting down processing
- Blacklisting from various card networks
These penalties and actions do not even take into account the potential loss of reputation, and of the trust and respect of your customers.
PCI Compliance Doesn’t Need to be Scary
While you can likely tell by now that PCI Compliance is not something to take lightly, it is something that can be managed efficiently and at scale. Building payments systems in-house generally means that you would need to build and incorporate all of the requirements we’ve talked about from scratch, but working with a technology partner like Finix means you can get to processing payments a lot faster and then get back to thinking about your product and your customers.
Payments technology is not an area for “move fast and break things” kind of thinking, because of the stringent compliance requirements and the risk to you, your merchants and their customers if something should go awry. Compliance is mandatory and necessary for the benefit and protection of both the merchant and the customers, so it’s important to have a technology partner you trust to guide you along the way.