Overview of PCI-DSS Compliance
So, what is PCI Compliance?
PCI-DSS is the compliance and security standard created by the Payment Card Industry Security Standards Council (PCI-SSC) that aims to protect cardholder data from theft and reduce instances of credit card fraud. Cardholder data is defined as the Primary Account Number (PAN) alongside any of the following:
Service code (e.g. PINs, CVVs, etc.)
The PCI-SSC was formed by the leading card brand networks: Visa, MasterCard, Discover, American Express, and JCB International. These card brand networks banded together to create a standard baseline level of protection for buyers and businesses with PCI-DSS. You’ve probably seen news stories about data breaches, revenue loss, and damaged company reputations. The PCI-DSS (and the financial penalties that non-compliance brings) was established to help prevent such data breaches.
PCI-DSS applies to all entities and parties that process, store, and/or transmit cardholder (credit and/or debit) data through their payments products, services and systems, including but not limited to:
Card-present and card-not-present merchants
Note: PCI compliance does not apply to transactions processed through the ACH (Automated Clearing House) network.
The Four Levels of PCI Compliance
The specific level of PCI compliance can vary depending on the business’s annual processing volume and number of payment card transactions. Logically, the more volume you process, the tighter your security needs to be. Each business will fall into one of the PCI levels listed below, with Level 1 being the highest level of security and 4 being the lowest.
Level 1: Merchants that process over 6M total transactions per year across all channels
Level 2: Businesses that process between 1M and 6M total transactions per year across all channels
Level 3: Businesses that process between 20K and 1M total transactions per year across all channels and payment methods
Level 4: Businesses that process fewer than 20K eCommerce transactions or fewer than 1M total transactions per year
Level 2, 3, and 4 businesses and merchants may satisfy requirements via a Self-Assessment Questionnaire (SAQ), a network scan, and an Attestation of Compliance (AoC) form. The SAQ is a series of questions for each applicable PCI requirement.
Most Payment Facilitators are required to obtain PCI-DSS Service Provider Level 1 compliance, while some may qualify for Level 2, depending on the requirements from their acquiring bank.
Annual PCI Check and Validation
All businesses that store, process, and/or transmit cardholder data are required to complete a form annually. For example, as part of our commitment to PCI-DSS standards, Finix complies with the annual requirement for a Level 1 Service Provider by having an independent data security assessment performed by a Qualified Security Assessor (QSA). The assessor performs an on-site evaluation of the business to:
Confirm PCI-DSS standards are being met
Validate the scope of assessment
Review supporting documentation and technical information
Evaluate compliance and security controls
Verify successful recurring penetration testing and network vulnerability scanning
We want Finix customers to know they are in good hands, so we make our most recent PCI Attestation of Compliance (AoC) available by request under a signed non-disclosure agreement.
To find a Qualified Security Assessor (QSA) of your own, check out the PCI SSC’s list of QSAs.
Requirements for PCI-DSS Compliance
We’ve discussed who needs to meet these requirements, at what levels, with what documentation. Now let’s look at what needs to be built into your card payment systems in order for them to meet PCI standards.
At a high-level, the requirements for PCI compliance include the following:
Build and maintain secure network systems
  Install and maintain firewalls and other safeguards to protect cardholder data
  Replace vendor-supplied/default security configurations and passwords
Protect stored cardholder data
  Encrypt transmission of cardholder data across open, public networks
  Encrypt and protect cardholder data stored on internal servers
Develop a vulnerability management program
  Regularly test security systems, software and processes
  Monitor for and patch security vulnerabilities across systems, applications and platforms
Implement a strong access control program
  Restrict access to cardholder data by business need to know
  Restrict physical access to cardholder data
  Restrict access to cardholder data with robust authentication protocols (MFA)
Regularly test security systems and processes
  Track and monitor all access to network resources and cardholder data
  Develop, test, and maintain secure systems and applications to protect cardholder data
Maintain a security policy
  Develop, update, and distribute company-wide policies for data security
Defining your PCI Scope
It is important to define the level of PCI compliance your business needs to obtain and maintain. This helps in reducing risk levels and operational costs associated with processing and handling cardholder data. PCI standards apply to all system components and environments that store, process, and transmit cardholder data.
Companies and businesses that handle card data may be subject to all 300+ security controls listed in PCI-DSS. However, businesses can minimize their PCI level by using third-party solutions that accept and store card data on their behalf. These solutions ensure sensitive cardholder data does not touch the business’s own system components, minimizing its overall scope.
Finix is a Level 1 PCI-DSS certified service provider, which is the strictest and highest attainable level of PCI compliance. Using the Finix gateway can significantly reduce a business’s requirements.
Minimizing PCI scope
One way to minimize your PCI scope is to use a payment gateway hosted by a PCI Level 1 compliant service provider, like Finix. Businesses that leverage or integrate with third-party PCI-certified payment gateways can reduce the scope of their PCI compliance through a variety of methods, including:
Tokenization is the process of encrypting sensitive data into a non-sensitive equivalent, also known as tokens. Gateways use various security methods such as tokenization to allow you to “store” tokens of card data on your platform.
Use of iFrames
The use of iFrames can also reduce PCI scope. An iFrame (Inline Frame) is an HTML document embedded inside another HTML document (checkout page) on a website. iFrames allow cardholder data to be securely entered, tokenized, and stored on the servers of the payment provider. Finix encourages customers to use our payment gateway with embedded tokenization iFrame to significantly reduce their PCI scope.
Use of Tokenization APIs
The use of a tokenization API allows for a completely customizable card data collection form and user experience within a web or mobile application. There is also additional flexibility when it comes to transmitting card data in large batches. Despite the many added benefits offered by direct API tokenization, the PCI scope associated here is the maximum scope that can be incurred by a business that is not storing card data. This increase in scope is due to the business and its computing systems directly handling the processing and transmission of card data, despite not actually storing it.
Falling out of Compliance
A variety of penalties or actions can be levied and/or taken against you and your business if you fall out of compliance. Some of the penalties or actions possible include but are not limited to:
Monetary penalties and/or fines starting at $5,000
Loss of merchant account
Payments processor shutting down processing
Blacklisting from various card networks
Note: Factors such as the size of your business and the extent of non-compliance also determine the size of the fine or penalty you may receive.
These penalties and actions do not even take into account the potential loss of reputation, and of the trust and respect of your customers.
PCI Compliance Doesn’t Need to be Scary
While you can likely tell by now that PCI Compliance is not something to take lightly, it is something that can be managed efficiently and at scale. Building payments systems in-house generally means that you would need to build and incorporate all of the requirements we’ve talked about from scratch, but working with a technology partner like Finix means you can get to processing payments a lot faster and then get back to thinking about your product and your customers.
Payments technology is not an area for “move fast and break things” kind of thinking, because of the stringent compliance requirements and the risk to you, your merchants and their customers if something should go awry. Compliance is mandatory and necessary for the benefit and protection of both the merchant and the customers, so it’s important to have a technology partner you trust to guide you along the way.