
How PCI DSS Compliance Requirements Impact the Development and Implementation of Payment Software

By Brandy Hadden | January 26th, 2024


Merchants, Independent Software Vendors (ISVs), and payment providers are no strangers to the Payment Card Industry Data Security Standard (PCI DSS). The fine print of its objectives and requirements, and the practices and tools needed to keep everything in check, are still easy to lose track of as the standard is revised.

To ensure that all systems and applications are compliant, developers need to know the ins and outs of the PCI DSS too, because many of the requirements are met (or broken) in code.

What is the Payment Card Industry Data Security Standard (PCI DSS) and what does it look like?

The PCI DSS is a payment security standard maintained by the Payment Card Industry Security Standards Council (PCI SSC), which was founded by the major card brands (Visa, Mastercard, American Express, JCB International, and Discover Financial Services). It is not a law, but each card brand makes it a technical requirement of its own data security compliance program, which merchants and service providers accept contractually through their acquiring bank.

Anyone who stores, processes, or transmits payment card account data, or who could affect the security of that data, is subject to the PCI DSS: payment providers, financial institutions, and businesses of any kind and size.

The PCI DSS is organized around six goals that aim to keep consumer payment data safe by building and maintaining secure systems and applications.

  • Create and maintain secure networks.
  • Protect cardholder data.
  • Put a vulnerability management program in place.
  • Implement strong access control measures.
  • Monitor and test networks on a regular basis.
  • Establish and maintain an information security policy.


The 12 Requirements of PCI DSS

Each goal comes with one or more requirements (twelve in total) that must be adhered to. The current version is PCI DSS v4.0 (v3.2.1 was retired at the end of March 2024), and the wording below follows v4.0.

  1. Install and maintain network security controls (firewalls and equivalent controls) around the cardholder data environment.
  2. Apply secure configurations to all system components, including changing vendor-supplied defaults such as default passwords.
  3. Protect stored account data (for example by not storing it at all, or by truncating, tokenizing, hashing, or encrypting it).
  4. Protect cardholder data with strong cryptography when it is transmitted over open, public networks.
  5. Protect all systems and networks from malicious software.
  6. Develop and maintain secure systems and software, including secure coding practices and timely security patching.
  7. Restrict access to system components and cardholder data to only those with a business need to know.
  8. Identify users and authenticate access to system components, with a unique ID for every user.
  9. Restrict physical access to cardholder data.
  10. Log and monitor all access to system components and cardholder data.
  11. Test the security of systems and networks regularly.
  12. Support information security with organizational policies and programs.
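Requirements 3 and 10 are where developers most often slip in practice: a primary account number (PAN) that is never written to the database still ends up in a debug log or an exception trace, and that log is then stored, shipped, and backed up as cardholder data. The scrubber below is an added example, not code from this article or from any EPX product. It finds Luhn-valid 13 to 19 digit PAN candidates (with or without space or hyphen separators) in log lines and masks all but the first six and last four digits, which is the most the standard allows to be displayed. The log lines it runs over are constructed for the example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, not glued to other digits on either side.  The pattern is
# deliberately broad; the Luhn check below filters out most false positives.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn mod-10 check.

    Every payment card brand's PANs are Luhn-valid, so a digit run that fails
    the check is almost certainly an order number, timestamp, or similar.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Mask a PAN to its first six and last four digits, e.g. 411111******1111."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub(line):
    """Replace every Luhn-valid PAN candidate in one log line with its masked form.

    Returns (scrubbed_line, number_of_pans_masked).
    """
    found = 0

    def _replace(match):
        nonlocal found
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)   # not a card number: leave it untouched
        found += 1
        return mask_pan(digits)

    return _CANDIDATE.sub(_replace, line), found


def scrub_lines(lines):
    """Scrub a sequence of log lines; returns (scrubbed_lines, total_pans_masked)."""
    out, total = [], 0
    for line in lines:
        scrubbed, n = scrub(line)
        out.append(scrubbed)
        total += n
    return out, total


# Constructed sample log lines (the card numbers are the well-known public
# test PANs, not real accounts; the last line is deliberately not Luhn-valid).
SAMPLE_LOG = [
    '2024-01-26T10:15:02Z INFO  checkout order=10042 card=4111111111111111 amount=19.99',
    '2024-01-26T10:15:03Z DEBUG raw_form={"pan": "5555 5555 5555 4444", "exp": "12/26"}',
    '2024-01-26T10:15:04Z INFO  refund token=tok_8f3a9c2e order=10042',
    '2024-01-26T10:15:05Z WARN  luhn-invalid value 4111111111111112 rejected by gateway',
]

if __name__ == "__main__":
    scrubbed, count = scrub_lines(SAMPLE_LOG)
    print(f"masked {count} PAN(s)")
    for entry in scrubbed:
        print(entry)
```

Run against the sample, the scrubber masks the two real-looking PANs (including the space-separated one inside the JSON blob) and leaves the token, the order numbers, and the Luhn-invalid value alone. Treat a tool like this as a safety net and a detection control for Requirement 10 logging, not as the fix: the correct fix is to make sure PAN never reaches the logger in the first place, because any 13 to 19 digit value has roughly a one in ten chance of passing Luhn by accident, and a PAN butted up against another digit run can hide from the pattern.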

Merchant Levels

A merchant's compliance level does not change which of the twelve requirements apply; it determines how compliance must be validated. Level 1 merchants need an annual on-site assessment by a Qualified Security Assessor (or a qualified internal assessor) resulting in a Report on Compliance, while lower-level merchants can usually validate with an annual Self-Assessment Questionnaire (SAQ), plus quarterly external vulnerability scans by an Approved Scanning Vendor where the applicable SAQ calls for them. Exact thresholds are set by each card brand; the Visa definitions below are the ones most commonly cited.

  • Merchants who annually process more than 6 million transactions across all channels are Level 1.
  • Merchants who process 1 to 6 million transactions annually are Level 2.
  • Merchants who process 20,000 to 1 million e-commerce transactions annually are Level 3.
  • Merchants who process fewer than 20,000 e-commerce transactions annually, or up to 1 million transactions across all channels, are Level 4.

What are the consequences of noncompliance with the PCI DSS?

If a company doesn't comply with the PCI DSS, several things could happen.
  • The card brands can impose monthly fines, commonly cited as between $5,000 and $100,000, which the acquiring bank passes on to the merchant.
  • The acquirer could charge higher transaction fees.
  • The company's merchant account could be terminated, cutting off its ability to accept cards.
  • The company is far more exposed to a data breach, losing customer payment information to attackers, and to the forensic investigation, card reissuance costs, and liability that follow one.

Not to mention the reputational risk within the payment processing and credit card space, as well as with the public if a breach were to occur.

While the fines are certainly costly, a data breach is even more detrimental. In addition to the recovery costs, the card brands can reclassify any merchant that has suffered a compromise as Level 1 regardless of its transaction volume, meaning it must then undergo the most rigorous assessment process.

How do payments companies (and their software) deal with PCI compliance?

The merchant (and the ISV whose software it runs) remains accountable for compliance, but several requirements are far easier to meet by keeping cardholder data out of the merchant's systems altogether, for example by using a Hosted Payments Page provided by the payments partner.

Hosted Payments Pages are web pages served by the payments partner that allow merchants to securely accept ecommerce payments through the partner's payment gateway. The customer's card number is entered on, and submitted to, the partner's systems, so the merchant's own servers never store, process, or transmit the PAN. That shrinks the merchant's PCI DSS scope dramatically (typically to the shortest SAQ), but it does not remove it: the merchant's page that redirects to or embeds the hosted form must itself be protected against tampering, because an attacker who can alter that page or its scripts can send customers to a look-alike form and skim card numbers without ever touching the partner's systems.

To implement a Hosted Payments Page, some coding is required. Typically, a form is built in HTML and submitted to the payments company to be hosted separately. With some products, like EPX Hosted Checkout, a user interface with drag-and-drop features is provided for building the form, so the merchant or ISV does not have to code it. Additionally, the software needs to make follow-up API calls so the merchant can work with tokens for reporting, refunding, and "remembering" the customer for future purchases. A token is a substitute value that references the card inside the provider's vault and has no value to an attacker outside it, so the merchant's database holds tokens rather than PANs.

Developers are responsible for staying up to date with the latest secure coding techniques and continuing education related to security systems and processes year over year.

Frequently Asked Questions

Is PCI compliance required by law?

PCI compliance is not required by U.S. law, but it is required to do business with the major card brands, such as Visa, Mastercard, and Discover. Businesses that do not meet PCI DSS requirements may be fined or lose access to the card networks for failing to meet their contractual obligations.

Do you need to hire a professional in order to be PCI compliant?

Many payment service partners have programs in place to help businesses obtain PCI compliance. Meeting PCI requirements without the assistance of a payment professional may seem daunting, so it is advised that businesses work with a payment provider, who often has tools and systems in place to make the process easier.

Who has to comply with PCI standards?

Any business that accepts card payments, or that stores, processes, or transmits cardholder data, must meet PCI DSS requirements.

Benefits of PCI Compliance

PCI compliance helps protect sensitive customer information and prevent data breaches, which continue to rise with the increase in digital payments. Businesses that meet PCI requirements are generally more trusted by customers, can win more business, and reduce online shopping cart abandonment.

Conclusion

Vulnerability management is usually owned by a security or operations team rather than by developers, but developers own the third-party libraries, frameworks, and API dependencies their code pulls in, and those components are exactly what vulnerability management has to track, patch, and upgrade. Keeping an inventory of third-party components, updating them promptly when security fixes are released, and testing APIs and web interfaces for common flaws before release are part of Requirement 6 (secure software) and Requirement 11 (security testing), and they are critical to maintaining data security and PCI compliance. To learn more about developing software that meets PCI DSS requirements, contact our Sales Engineering team.




©2025 North is a registered DBA of NorthAB, LLC. All rights reserved. North is a registered ISO of BMO Harris Bank N.A., Chicago, IL, Citizens Bank N.A., Providence, RI, The Bancorp Bank, Philadelphia, PA, FFB Bank, Fresno, CA, Wells Fargo Bank, N.A., Concord, CA, and PNC Bank, N.A.