So, what is PCI Compliance?

PCI-DSS is the compliance and security standard created by the Payment Card Industry Security Standards Council (PCI-SSC) that aims to protect cardholder data from theft and reduce instances of credit card fraud. Cardholder data is defined as the Primary Account Number (PAN) alongside any of the following:

• Cardholder name

• Expiration date

• Service code (ex: PINs, CVVs, and etc.)

The PCI-SCC was formed by the leading card brand networks: Visa, MasterCard, Discover, American Express, and JCB International. These card brand networks banded together to create a standard baseline level of protection for buyers and businesses with PCI-DSS. You’ve probably seen news stories about data breaches, revenue loss, and damaged company reputations. The PCI-DSS (and the financial penalties that non-compliance brings) was established to help prevent such data breaches.

PCI-DSS applies to all entities and parties that process, store, and/or transmit cardholder (credit and/or debit) data through their payments products, services and systems, including but not limited to:

• Card-present and card-not-present merchants

• Financial institutions

• Payment facilitators

• Marketplaces

• Payment processors

• Card networks

Note: PCI compliance does not apply to transactions processed through the ACH (Automated Clearing House) network.

The specific level of PCI compliance can vary depending on the business’s annual processing volume and number of payment card transactions. Logically, the more volume you process, the tighter your security needs to be. Each business will fall into one of the PCI levels listed below, with Level 1 being the highest level of security and 4 being the lowest.

1. Merchants process over 6M in total transactions per year across all channels

2. Business processes between 1 to 6M in total transactions per year across all channels

3. Business processes between 20K to 1M in total transactions per year across all channels and payment methods

4. Business processes levels less than 20K in eCommerce transactions or less than 1M in total transactions per year

Level 2, 3, and 4 businesses and merchants may satisfy requirements via a Self-Assessment Questionnaire (SAQ), a network scan, and an attestation of a compliance form. The SAQ is a series of questions for each applicable PCI requirement.

Most Payment Facilitators are required to obtain PCI-DSS Service Provider Level 1 compliance, while some may qualify for Level 2, depending on the requirements from their acquiring bank.

All businesses that store, process, and/or transmit cardholder data are required to complete a form annually. For example, as part of our commitment to PCI-DSS standards, Finix complies with the annual requirement for a Level 1 Service Provider by having an independent data security assessment performed by a Qualified Security Assessor (QSA). The assessor perform an on-site evaluation of the business to:

• Confirm PCI-DSS standards are being met

• Validate the scope of assessment

• Review supporting documentation and technical information

• Evaluate compliance and security controls

• Verify successful recurring penetration testing and network vulnerability scanning

We want Finix customers to know they are in good hands, so we make our most recent PCI Attestation of Compliance (AoC) available by request under a signed non-disclosure agreement.

To find a Qualified Security Assessor (QSA) of your own, check out the PCI SCC’s list of QSAs.

We’ve discussed who needs to meet these requirements, at what levels, with what documentation. Now let’s look at what needs to be built into your card payment systems in order for them to meet PCI standards.

At a high-level, the requirements for PCI compliance include the following:

1. Build and maintain secure network systems

   • Install and maintain a firewalls and other safeguards to protect cardholder data

   • Replace vendor supplied/default security configurations and passwords

2. Protect stored cardholder data

   • Encrypt transmission of cardholder data across open, public networks

   • Encrypt and protect cardholder data stored on internal servers

3. Develop a vulnerability management program

   • Regularly test security systems, software and processes

   • Monitor for and patch security vulnerabilities across systems, applications and platforms

4. Implement a strong access control program

   • Restrict access to cardholder data by businesses need to know

   • Restrict physical access to cardholder data

   • Restrict access to cardholder data with robust authentication protocols (MFA)

5. Regularly test security systems and processes

   • Track and monitor all access to network resources and cardholder data

   • Develop, test, and maintain secure systems and applications to protect cardholder data

6. Maintain a security policy

   • Develop, update, and distribute company-wide policies for data security

It is important to define the level of PCI compliance your business needs to obtain and maintain. This helps in reducing risk levels and operational costs associated with processing and handling cardholder data. PCI standards apply to all system components and environments that store, process, and transmit cardholder data.

Companies and businesses that handle card data may be subject to all 300+ security controls listed in PCI-DSS, however businesses can minimize their PCI level by enabling solutions that accept and store data. These solutions ensure sensitive cardholder data does not touch system components, minimizing their overall scope.

Finix is a Level 1 PCI-DSS certified service provider, which is the strictest and highest attainable level of PCI compliance. Using the Finix gateway can significantly reduce a business’ requirements.

A way to minimize your PCI scope is to use a payment gateway hosted by a PCI Level 1 compliant service provider, like Finix. Businesses that leverage or integrate with third party PCI certified payments gateways can reduce the scope of their PCI compliance through a variety of methods including: 

Tokenization

Tokenization is the process of encrypting sensitive data into a non-sensitive equivalent, also known as tokens. Gateways use various security methods such as tokenization to allow you to “store” tokens of card data on your platform.

Use of iFrames

The use of iFrames can also reduce PCI scope. An iFrame (Inline Frame) is an HTML document embedded inside another HTML document (checkout page) on a website. iFrames allow cardholder data to be securely entered, tokenized, and stored on the servers of the payment provider. Finix encourages customers to use our payment gateway with embedded tokenization iFrame to significantly reduce their PCI scope.

Use of Tokenization APIs

The use of a tokenization API allows for a completely customizable card data collection form and user experience within a web or mobile application. There is also additional flexibility when it comes to transmitting card data in large batches. Despite the many added benefits offered by direct API tokenization, the PCI scope associated here is the maximum scope that can be incurred by a business that is not storing card data. This increase in scope is due to the business and its computing systems directly handling the processing and transmission of card data, despite not actually storing it.

A variety of penalties or actions can be levied and/or taken against you and your business if you fall out of compliance. Some of the penalties or actions possible include but are not limited to:

• Monetary penalties and/or fines ranging from $5,000 and up

• Loss of merchant account

• Payments processor shutting down processing

• Blacklisting from various card networks

Note: Factors such as the size of your business as well as the extent of non-compliance also determine how big the fine or penalty you may receive.

These penalties and actions do not even take into account the potential loss of reputation, and trust and respect of your customers. 

While you can likely tell by now that PCI Compliance is not something to take lightly, it is something that can be managed efficiently and at scale. Building payments systems in-house generally means that you would need to build and incorporate all of the requirements we’ve talked about from scratch, but working with a technology partner like Finix means you can get to processing payments a lot faster and then get back to thinking about your product and your customers.

Payments technology is not an area for “move fast and break things” kind of thinking, because of the stringent compliance requirements and the risk to you, your merchants and their customers if something should go awry. Compliance is mandatory and necessary for the benefit and protection of both the merchant and the customers, so it’s important to have a technology partner you trust to guide you along the way.