IPP Europe

Avoid PCI complexity – by thinking forward

PCI DSS Certification

In this post we will talk about PCI DSS, the different types of PCI compliance, what it costs and how difficult it is to obtain.

What is PCI and why do fintechs talk about it

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.

The PCI Security Standards Council (PCI SSC), an independent body created by Visa, MasterCard, American Express, Discover, and JCB, was launched on September 7, 2006 to manage the PCI security standards and improve account security throughout the transaction process. The PCI SSC administers and manages the PCI DSS.

Providers can take PCI requirements off your hands through outsourcing

There are several providers globally who can help you by outsourcing the handling of your CDE (Cardholder Data Environment) to their centers.
Most of these providers offer a fully outsourced solution, where your services are hosted within their hosting center and where you can't change anything unless they approve it. One of these providers is the American company FIS (Fidelity National Information Services).

Some years ago a company called Pay.On in Germany designed a range of ideas for providing payment flows, where the payment flow itself is generated on the fly and in the browser only, without being hosted on either the merchant's server or the payment gateway's own servers.

This method has been reverse engineered and replicated a couple of times, and it lays the ground for the way IPP provides our services.

Thinking forward on your infrastructure

When you are designing your payment infrastructure, you should design around the idea of not needing the card number itself, but only a token provided by your underlying provider.

By doing so, you can fully avoid the PCI DSS complexity and focus only on the features and needs that are within your core product range. If you wish to provide a "save credit card" service across merchants, you certainly do not need the card number itself; you just need a token which you can use with multiple merchants.
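The design described above, as an added example that is not IPP's code and not any real provider's API: a `TokenVault` stands in for the tokenization provider (the only place the PAN lives, and the only part in PCI scope), while the merchant side keeps just the token, last four digits and expiry. A `contains_pan` guard, using the Luhn checksum, refuses to persist any merchant-side record that still carries a card number, which is exactly the shortcut the next paragraph warns about. The card number used is the well-known Visa test number, not a real card; all names and the `tok_` prefix are constructed for this example.

```python
"""Tokenization pattern: merchant keeps a token, provider keeps the PAN.

Added example, not IPP's code or a real provider's API. TokenVault simulates
the provider-side vault; MerchantStore is the merchant's "save card" storage.
"""
import re
import secrets

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum as used for card numbers (digits only)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    """True if text contains something that looks like a valid card number.
    Used as a guard before the merchant persists or logs anything."""
    for m in PAN_RE.finditer(text):
        candidate = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(candidate) <= 19 and luhn_valid(candidate):
            return True
    return False


class TokenVault:
    """Simulated provider vault: the only component that ever sees a PAN."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str, expiry: str) -> dict:
        pan = re.sub(r"[ -]", "", pan)
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_urlsafe(18)   # random, not derived from the PAN
        self._pan_by_token[token] = (pan, expiry)
        # Only the token and non-sensitive display fields leave the vault.
        return {"token": token, "last4": pan[-4:], "expiry": expiry}

    def charge(self, token: str, merchant_id: str, amount_cents: int) -> dict:
        if token not in self._pan_by_token:
            raise KeyError("unknown token")
        # A real provider would forward the PAN to the acquirer here; we only record the request.
        return {"merchant_id": merchant_id, "amount_cents": amount_cents,
                "token": token, "approved": True}


class MerchantStore:
    """Merchant-side storage for a 'save card' feature: tokens only, never PANs."""

    def __init__(self):
        self.cards = {}

    def save_card(self, customer_id: str, card: dict) -> None:
        record = {"token": card["token"], "last4": card["last4"], "expiry": card["expiry"]}
        if contains_pan(repr(record)):
            raise ValueError("refusing to store a record that contains a PAN")
        self.cards.setdefault(customer_id, []).append(record)


def demo() -> dict:
    """One card tokenized once, saved and charged at two different merchants."""
    vault = TokenVault()                                   # provider side, in PCI scope
    shop_a, shop_b = MerchantStore(), MerchantStore()      # merchant side, out of scope
    card = vault.tokenize("4111 1111 1111 1111", "12/30")  # constructed: Visa test number
    shop_a.save_card("cust-1", card)
    shop_b.save_card("cust-1", card)                       # same token reused across merchants
    receipts = [vault.charge(card["token"], "shop-a", 1999),
                vault.charge(card["token"], "shop-b", 500)]
    return {"token": card["token"], "stored_a": shop_a.cards["cust-1"][0], "receipts": receipts}


def raw_pan_rejected() -> bool:
    """The guard firing: a developer who 'just stores the card number' is stopped."""
    store = MerchantStore()
    try:
        store.save_card("cust-2", {"token": "4111111111111111", "last4": "1111", "expiry": "12/30"})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("raw PAN rejected:", raw_pan_rejected())
```

The point of the `contains_pan` guard is that scope creep usually happens by accident (a PAN ends up in a log line, a support ticket or a debug dump); running the same check over outbound logs and database writes is a cheap way to keep the merchant side out of the CDE.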

The complexity arises because developers most often race to the easiest solution: handling the credit card details yourself, since you can then play around freely with how to use them.

But there is a burden in it, something almost no developer knows about beforehand.

A hidden burden when reaching PCI

If you are working within an environment where credit card numbers are transmitted, stored or handled on your servers, the PCI requirements come into play.

One of the more "annoying" ones, seen from a developer perspective, is that at least once a year you need an official certificate from a third party showing that you know how to write secure code.
Think about it: the developer who has done this for 10 years now suddenly needs to take a basic course in the OWASP Top 10.

Boring, and annoying for the developers.
This is one of the reasons why we, when we are consulted on this specific subject, often suggest avoiding transmitting, handling or holding any CDE data internally. It is simply a complexity that most companies don't foresee.

The cost of PCI DSS

The cost of PCI DSS depends a lot on your environment, and I've been in environments where we paid more than €50.000 for the PCI audit.

I've also been in environments where the cost was only a quarter of that. But it depends on the skills and knowledge of how PCI works.

€30.000-€50.000

It is not a matter of pointing fingers at your CTO and saying he or she isn't good enough; if they haven't worked with PCI before, the cost you are facing can be extremely high, and it isn't their fault.

PCI has a complexity of 12 chapters, and for every chapter there are 10-15 rules.

One of the rules, for example, is that data should only be transmitted internally over secured lines. This means that if you don't use a VPC (Virtual Private Cloud) for your CDE servers, ANY server on your network comes into scope. To make it worse, if your servers are connected to the same network as your desktops, every desktop comes into scope.
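The scoping rule above, applied to a constructed network map as an added example (not IPP's tool and not an official PCI SSC scoping method): the CDE segment is the starting point, every segment reachable over an unfiltered link is pulled in, and a filtered boundary (firewall or ACL) stops the spread. The host and segment names are invented; `pci_scope`, `HOSTS`, `FLAT`, `SEGMENTED` and `PARTIAL` are all assumptions of this example.

```python
"""Rough PCI scope estimate from a network description.

Added example, not IPP's tool and not an official PCI SSC method. It applies
one rule: any host on a segment reachable from the CDE without a filtered
boundary comes into scope.
"""
from collections import deque


def pci_scope(hosts: dict, links: list) -> set:
    """hosts: name -> {"segment": str, "cde": bool}
    links: (segment_a, segment_b, filtered); filtered=True means a firewall
    or ACL restricts traffic between the two segments.
    Returns the set of host names that come into scope."""
    adj = {}
    for a, b, filtered in links:
        if not filtered:                     # only unfiltered links spread scope
            adj.setdefault(a, set()).add(b)
            adj.setdefault(b, set()).add(a)
    in_scope_segments = {h["segment"] for h in hosts.values() if h["cde"]}
    queue = deque(in_scope_segments)
    while queue:                             # breadth-first walk over segments
        seg = queue.popleft()
        for nxt in adj.get(seg, ()):
            if nxt not in in_scope_segments:
                in_scope_segments.add(nxt)
                queue.append(nxt)
    return {name for name, h in hosts.items()
            if h["cde"] or h["segment"] in in_scope_segments}


# Constructed network: two CDE servers, two application servers, two desktops.
HOSTS = {
    "pay-api-1":  {"segment": "cde",    "cde": True},
    "pay-db-1":   {"segment": "cde",    "cde": True},
    "web-1":      {"segment": "app",    "cde": False},
    "crm-1":      {"segment": "app",    "cde": False},
    "desk-alice": {"segment": "office", "cde": False},
    "desk-bob":   {"segment": "office", "cde": False},
}

# Everything routed without filtering: the whole company is in scope.
FLAT = [("cde", "app", False), ("app", "office", False)]
# Firewall between CDE and the rest: scope stays at the two CDE servers.
SEGMENTED = [("cde", "app", True), ("app", "office", False)]
# Firewall only between app and office: servers in scope, desktops not.
PARTIAL = [("cde", "app", False), ("app", "office", True)]


if __name__ == "__main__":
    for label, links in (("flat", FLAT), ("segmented", SEGMENTED), ("partial", PARTIAL)):
        print(f"{label:10s} {len(pci_scope(HOSTS, links))}/{len(HOSTS)} hosts in scope")
```

Treat the output as a first estimate only: a real assessment also pulls in systems that are explicitly allowed through a firewall into the CDE ("connected-to" systems), so a filtered boundary reduces scope rather than eliminating it.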

Let's talk about your needs

We always encourage a free talk about your needs, whether you really need access to CDE data, and whether you therefore come into scope of PCI.

If we are to help you scope your needs, please share a network diagram with us, along with a couple of lines about your ideal scope and requirements.