While merchants, Independent Software Vendors (ISVs), and payment providers are no strangers to the Payment Card Industry Data Security Standard (PCI DSS), the fine print of its objectives and requirements, and the practices and tools needed to keep everything in check, is easy to lose track of as the standard keeps changing.
To ensure that all systems and applications are compliant, developers need to know the ins and outs of the PCI DSS too.
What is the Payment Card Industry Data Security Standard (PCI DSS) and what does it look like?
The PCI DSS is a payment security standard mandated by the major card brands that make up the Payment Card Industry Security Standards Council (Visa, Mastercard, American Express, JCB International, and Discover Financial Services). While it is not a law, it is a technical requirement of each card brand's data security compliance program, enforced through the contracts merchants sign with their acquirers.
Anyone who stores, processes, or transmits cardholder data is subject to the PCI DSS, including payment providers, financial institutions, and companies of any kind or size.
The PCI DSS is organized around six control objectives that aim to keep consumer payment data safe by building and maintaining secure systems and applications.
- Build and maintain a secure network and systems.
- Protect cardholder data.
- Put a vulnerability management program in place.
- Implement strong access control measures.
- Regularly monitor and test networks.
- Establish and maintain an information security policy.
The 12 Requirements of PCI DSS
Each objective comes with one or more requirements (twelve in total) that must be adhered to. The wording below follows PCI DSS v3.2.1; v4.0 keeps the same twelve requirements with revised wording.
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Protect all systems against malware and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need to know.
- Identify and authenticate access to system components (a unique ID for every user).
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for all personnel.
Merchant Levels
Additionally, how compliance is validated depends on the merchant's level, which the card brands assign by annual transaction volume. The requirements themselves do not change with level; what changes is the assessment. (For instance, a Level 1 merchant needs an annual on-site assessment by a Qualified Security Assessor, producing a Report on Compliance, while merchants at Levels 2 through 4 can generally validate with an annual Self-Assessment Questionnaire instead of a professional audit.) The thresholds below are Visa's; the other brands define similar tiers.
- Merchants who annually process more than 6 million transactions across all channels are Level 1.
- Merchants who process 1 to 6 million transactions are Level 2.
- Merchants who process 20,000 to 1 million e-commerce transactions are Level 3.
- Merchants who process fewer than 20,000 e-commerce transactions (and all other merchants up to 1 million transactions) are Level 4.
What are the consequences of noncompliance with the PCI DSS?
- The company could be fined monthly — between $5,000 and $100,000.
- The company could be charged higher transaction fees.
- The company’s merchant account could be terminated.
- The company could fall victim to data breaches, losing customer payment information to hackers.
Not to mention the reputational risk within the payment processing and credit card space, as well as with the public if a breach were to occur.
While the fines are certainly costly, a data breach is even more detrimental. In addition to the recovery costs, the card brands can escalate a breached company to Level 1, meaning it must then undergo the most rigorous validation process (an annual on-site assessment) regardless of its transaction volume.
How do payments companies (and their software) deal with PCI compliance?
Hosted Payment Pages are web pages served by the payments partner rather than the merchant: the shopper is redirected to (or an iframe loads) the partner's page, enters card details there, and the card data travels straight to the payment gateway. Because the merchant's own servers never receive, process, or store cardholder data, most of the PCI DSS burden shifts to the partner and the merchant's scope shrinks (typically to the shortest self-assessment questionnaire, SAQ A). It does not disappear, though: the merchant is still responsible for the integrity of the page that hands the shopper off to the hosted form.
To implement a Hosted Payment Page, some coding is still required. Typically the merchant builds an HTML form that collects order details (not card details) and submits the shopper to the page the payments company hosts. With some products, such as EPX Hosted Checkout, a drag-and-drop interface generates that form, so the merchant or ISV does not need to code it. In addition, because the card number never reaches the merchant, the gateway returns a token in its place; the merchant's software then makes follow-up API calls with that token for reporting, refunds, and "remembering" the customer for future purchases, and should persist only the token and non-sensitive fields such as the last four digits.
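The hosted-checkout flow described above, modelled end to end in Python as an added example (this is not EPX's code or API). Both sides are simulated in one process: the merchant builds a signed checkout request carrying only order data, the gateway's hosted page receives the card number and hands back a token, and the merchant keeps the token for a later refund. The field names, the shared-secret HMAC signing scheme, the token format, and the test card number are all assumptions made for the example; the point it demonstrates is that no code path on the merchant side ever holds a PAN, which is what the scope reduction rests on.

```python
# Added example, not EPX's code: a hosted-payment-page flow in which the
# merchant never touches the primary account number (PAN). Endpoint names,
# field names and the shared-secret signing scheme are assumptions.
import hashlib
import hmac
import json
import re
import secrets

SHARED_SECRET = b"example-merchant-gateway-secret"  # assumed: provisioned out of band
MERCHANT_ID = "MERCHANT-0001"                        # assumed identifier


def sign(fields: dict, key: bytes = SHARED_SECRET) -> str:
    """HMAC-SHA256 over a canonical 'k=v&k=v' string of every field except 'sig'."""
    canonical = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "sig")
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def verify(fields: dict, key: bytes = SHARED_SECRET) -> bool:
    """Constant-time check of the 'sig' field; an unsigned message is rejected."""
    sig = fields.get("sig", "")
    return bool(sig) and hmac.compare_digest(sig, sign(fields, key))


# ---- merchant side ---------------------------------------------------------
class Merchant:
    def __init__(self):
        self.orders = {}   # order_id -> amount we expect the gateway to confirm
        self.records = {}  # order_id -> what we persist: token and last4 only

    def start_checkout(self, order_id: str, amount_cents: int) -> dict:
        """Build the signed request the shopper is redirected to the hosted page with.
        There are no card fields here: the shopper types them into the gateway's page."""
        self.orders[order_id] = amount_cents
        req = {"merchant_id": MERCHANT_ID, "order_id": order_id,
               "amount": str(amount_cents), "currency": "USD",
               "nonce": secrets.token_hex(8)}
        req["sig"] = sign(req)
        return req

    def handle_return(self, callback: dict) -> bool:
        """Accept the gateway's result only if it is signed and matches our order."""
        if not verify(callback):
            return False
        order_id = callback["order_id"]
        if callback["status"] != "approved" or int(callback["amount"]) != self.orders.get(order_id):
            return False
        # Persist the token, never the PAN; the token is what later refunds use.
        self.records[order_id] = {"token": callback["token"], "last4": callback["last4"]}
        return True

    def storage_holds_pan(self) -> bool:
        """Scope check: a run of 13-19 digits in what we persist would be a PAN."""
        blob = json.dumps(self.records)
        return re.search(r"(?<!\d)\d{13,19}(?!\d)", blob) is not None


# ---- gateway side (simulated stand-in for the payments partner) -----------
class Gateway:
    def __init__(self):
        self.vault = {}        # token -> (PAN, expiry): the only place the PAN lives
        self.seen_nonces = set()

    def hosted_page_submit(self, req: dict, pan: str, expiry: str) -> dict:
        """What happens when the shopper submits the hosted form."""
        if not verify(req) or req["nonce"] in self.seen_nonces:
            raise ValueError("bad or replayed checkout request")
        self.seen_nonces.add(req["nonce"])
        raw = secrets.token_hex(12)
        # Dashes every four characters keep the token from ever looking like a PAN.
        token = "tok_" + "-".join(raw[i:i + 4] for i in range(0, len(raw), 4))
        self.vault[token] = (pan, expiry)
        result = {"order_id": req["order_id"], "amount": req["amount"],
                  "status": "approved", "token": token, "last4": pan[-4:]}
        result["sig"] = sign(result)
        return result

    def refund(self, token: str, amount_cents: int) -> dict:
        """A follow-up API call: the merchant refunds by token, not by card number."""
        if token not in self.vault:
            return {"status": "declined", "reason": "unknown token"}
        return {"status": "refunded", "amount": str(amount_cents)}


def demo() -> dict:
    """Run the full flow on a constructed order using the Visa test card number."""
    merchant, gateway = Merchant(), Gateway()
    req = merchant.start_checkout("ORD-1001", 4999)
    cb = gateway.hosted_page_submit(req, pan="4111111111111111", expiry="12/29")
    accepted = merchant.handle_return(cb)
    tampered = dict(cb, amount="1")  # altered in transit: the signature no longer matches
    refund = gateway.refund(merchant.records["ORD-1001"]["token"], 4999)
    return {"accepted": accepted,
            "tampered_accepted": merchant.handle_return(tampered),
            "pan_in_merchant_storage": merchant.storage_holds_pan(),
            "refund_status": refund["status"],
            "last4": merchant.records["ORD-1001"]["last4"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two details carry the security weight. The merchant verifies the gateway's callback with a constant-time HMAC check and compares the confirmed amount against the amount it recorded when checkout started, so a shopper cannot rewrite the return URL to mark a cheaper order as paid. And `storage_holds_pan` is a cheap regression test worth keeping in a real integration: if a future change ever writes a card number into merchant storage, the scope reduction the hosted page was meant to buy is gone.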
Developers are responsible for staying current with secure coding techniques and related security training year over year. PCI DSS requirement 6 makes this explicit: developers of in-scope software must be trained in up-to-date secure coding practices at least annually.
Frequently Asked Questions
Is PCI compliance required by law?
Do you need to hire a professional in order to be PCI compliant?
Who has to comply with PCI standards?
Benefits of PCI Compliance
Conclusion
While vulnerability management is not typically a developer's job, developers need to stay aware of current practice, because the third-party components used in code fall under vulnerability management and are subject to upgrades and security patches. Keeping an inventory of third-party libraries, patching them promptly, and testing APIs for the vulnerability classes requirement 6 calls out (injection flaws, broken authentication, and the like) are critical to maintaining data security and PCI DSS compliance. To learn more about developing software that meets PCI DSS requirements, contact our Sales Engineering team.