There are plenty of reasons for enterprises that work with cardholder data to care about payment card industry (PCI) compliance. For starters, maintaining PCI compliance is an essential part of protecting cardholders, reducing fraud, and avoiding damage to your reputation. Additionally, if your organization is found not to be PCI compliant, it will be subject to financial penalties and, ultimately, not allowed to process or handle card transactions. Achieving PCI compliance can be complex and time-consuming. For businesses that want to launch and scale quickly, the burden is onerous. To help you navigate the challenges of PCI compliance, here we’ll provide a crash course on the topic. We’ll also take a look at how Marqeta can help enterprises meet PCI data security standard (DSS) requirements and go to market quickly. What is PCI compliance? PCI compliance is the process of adhering to PCI DSS requirements and security assessment procedures when processing, transmitting, or storing cardholder data (CHD) or sensitive authentication data (SAD). Understanding PCI DSS Let’s run through a quick Q&A to get up to speed on PCI DSS. What is PCI DSS? PCI DSS (Data Security Standards) is a payment industry . It is mandatory for companies that process, store, or transmit cardholder data (CHD) or secure authentication data (SAD) to comply with PCI DSS requirements. PCI DSS details specific technical and operational requirements effectively applicable to anyone that works with cardholder data or associated sensitive authentication data. The current version of PCI DSS, v3.2.1, was published in 2018 and is available for download in the . Version 4 is . standard PCI document library expected to be released in early 2022 Who created PCI DSS? The —an organization created by Visa, MasterCard, American Express, Discover Financial Services, and JCB International in 2006—created and maintains the PCI DSS standards. PCI Security Standard Council (PCI SSC) What’s the purpose of PCI DSS? PCI DSS aims to improve cardholders’ data security and facilitate consistency in the processes used to secure card transactions globally. What is CHD? Cardholder data (CHD) includes primary account number (PAN), cardholder name, expiration date, and service code. PCI DSS allows secure storage of CHD when necessary. What is SAD? Secure authentication data (SAD) includes full magnetic stripe data (or an equivalent such as EMV chip data), CVV2/CVC2/CID number, PIN, or PIN block. In most cases, PCI DSS does permit storage of SAD after authorization, though we’ll cover an exception in the section entitled “Are card issuers subject to PCI DSS compliance?” below. NOT Do I need to comply with PCI DSS? If you process, transmit, or store cardholder data (CHD) or sensitive authentication data (SAD), then, yes, you need to comply with PCI DSS. What is account data? CHD and SAD are collectively referred to as account data. What is CDE? A cardholder data environment (CDE) consists of all the people, processes, and technologies that transmit, store, or process account data in a network. What are the 12 requirements to achieve PCI compliance? The PCI SSC outlines that businesses must meet in order to be PCI compliant. The requirements are grouped under larger categories (or goals) and take a holistic, end-to-end view of CDEs, covering items such as firewall configuration, default passwords, encryption, and even physical access. At first glance, that can be intimidating. For many digital businesses, however, the steps are either consistent with best practices they should follow anyway. 12 high-level requirements By leveraging Marqeta’s platform, an organization can offload of its compliance burden to Marqeta. However, that does not exempt the organization from doing its due diligence to meet any remaining requirements. some For example, Requirement #8 is “Assign a unique ID to each person with computer access.” A company may build its payment card program with the Marqeta platform, but that company still needs to provide unique IDs to its users. What are the PCI compliance levels? Merchants (organizations that accept payment cards) and service providers (organizations that process payments or provide services to acquiring banks and merchants) have different validation requirements to achieve PCI compliance depending on their “level” or “tier”. Typically, an organization’s level is tied to the number of transactions that it processes annually, with Level 1 being the highest. The five major card networks (Visa, MasterCard, American Express, Discover Financial Services, and JCB International) set their own requirements for PCI levels. Because most networks have similar requirements, are a good general reference to understand the basics. Visa’s requirements What’s the difference between PCI compliance and PCI certification? The simple way to think about PCI compliance versus PCI certification is: PCI compliance is your company’s adherence to the twelve PCI DSS requirements. PCI certification, on the other hand, is the verification and attestation that a company is PCI compliant. On the surface, this may sound intimidating and complicated. However, the complexity of the PCI certification process depends on each organization’s PCI merchant level. Any organization that accepts or processes payment cards must be PCI compliant and have PCI certification. Level 1 merchants are those that process more than 6 million Visa, Mastercard, or Discover credit card transactions annually. These merchants are required to complete an annual PCI DSS assessment by a PCI , which results in a final Report on Compliance. Qualified Security Assessor (QSA) The remaining merchant levels (2 through 4) can obtain their PCI Attestation of Compliance (AoC)—which is, ultimately, their certification—by completing a Self-Assessment Questionnaire (SAQ) which documents an organization’s self-assessment of their PCI compliance. companies that leverage the Marqeta platform to build payment card programs fall into the category of Level 4 merchants and are required annually to . Every company, however, should determine their compliance merchant level and their certification requirements by becoming familiar with documentation from the PCI Security Standards Council. Many complete an SAQ-D Are card issuers subject to PCI DSS compliance? In many cases, yes, are subject to PCI DSS. card issuers There was a common misconception that card issuers were exempt from PCI DSS because they have no choice but to store SAD. However, PCI DSS v3.2.1 (at ) clarifies that card issuers with a legitimate business need can store SAD. Issuers are still subject to all other relevant PCI DSS requirements. Section 3.2 Whether your card program is subject to PCI DSS depends on how you handle CHD and SAD. Some of the typical card issuer use cases that require PCI compliance include: Allow cardholders to activate cards in an app or webpage Allow cardholders to set PINs in an app or webpage Display sensitive account data in an app or webpage Card programs with cash withdrawals Card programs with international spending Simplifying PCI compliance Achieving PCI compliance can be a complex and time-consuming process for organizations standing up new card programs. Ensuring account data is securely transmitted, stored, and processed across your CDE can be a nuanced process. This is particularly true for card programs with cash withdrawals and multi-use cards that require PCI Level 1 compliance. One solution, the , helps organizations offload a significant portion—though not the entirety—of the PCI compliance burden. In addition to , Marqeta provides companies with access to a PCI-compliant JavaScript library and multiple PCI-compliant widgets. Let’s take a closer look at those resources and their benefits. Marqeta platform maintaining strict security controls and a PCI DSS Level 1 certification Marqeta.js: A PCI-compliant JavaScript library Marqeta.js is a JavaScript framework that enables you to display sensitive card data in your apps while offloading this aspect of the compliance burden to Marqeta. Marqeta.js injects configurable iframes into HTML. For mobile applications, this requires using WebView. As a result, you can display a virtual card without processing, storing, or transmitting the data on your servers. Additionally, even though you’re offloading the data handling to Marqeta, you can control the styling of the HTML pages to match your app. To get started with Marqeta.js, see . Using Marqeta.js PCI-compliant widgets Some of the most common use cases that make card issuers subject to PCI DSS involve transmitting account data in card and PIN activation workflows. Marqeta offers customizable “Activate Card” and “Set PIN” widgets for these scenarios. These widgets are designed to comply with PCI DSS as it pertains to the storage, transmission, and processing of CHD. To use these widgets, you simply embed the iframe within a parent page in your application and configure it by passing query parameters in the source URL. All the processing is performed on Marqeta’s servers. For mobile applications, native widgets aren’t available yet, but developers can still use embedded iframes in WebView. Check out to get started using these widgets. To get a feel for how you can customize the widgets, see the . Using Activate Card and Set PIN Widgets Marqeta Widget Style Preview In addition to the “Activate card” and “Set PIN” widgets, Marqeta has an in beta. This widget allows users to securely enter payment card data from cards not issued by Marqeta to enable . Add Payment Card Widget push-to-card disbursements Conclusion Ensuring that your organization is PCI compliant is no small task. It requires a strong understanding of what is required of your organization to be complaint what is required to attest that you are compliant. However, the risks of being non-compliant are too great to ignore. and Fortunately, organizations who do their homework and seek help from experts will have a smoother and faster time getting to compliance. One case study discusses how Marqeta helped . By offloading the complexity of PCI compliance to Marqeta, businesses can go to market quickly without compromising security. Ramp to begin transacting over the Visa network within two months

American Express

Discover Financial Services

Mastercard

Stripe

Visa

Handling Sensitive Data: A Primer

Building a Slack App with Native SFDC Integration

I write about technology michael.bogan@gmail.com

Nominated for 2022 - HackerNoon Contributor of the Year - Software Architecture

Nominated for 2022 - HackerNoon Contributor of the Year - Microservices

Nominated for 2022 - HackerNoon Contributor of the Year - Devops

Nominated for 2022 - HackerNoon Contributor of the Year - Api

Nominated for 2022 - Software Developer of the Year

Nominated for 2022 - HackerNoon Contributor of the Year - Software

Too Long; Didn't Read

Boost your HackerNoon story @ $159.99! 🚀

An Introduction to PCI Compliance

An Introduction to PCI Compliance

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

10 Threats to an Open API Ecosystem

10 Ways to Reduce Data Loss and Potential Downtime Of Your Database

10 Reasons to Get Your Cybersecurity Certification

10 Best Tactics For Your WooCommerce Store Security

The Noonification: If Youre a Facebook User, Thousands of Companies Are Watching You (1/19/2024)

10 Threats to an Open API Ecosystem

10 Ways to Reduce Data Loss and Potential Downtime Of Your Database

10 Reasons to Get Your Cybersecurity Certification

10 Best Tactics For Your WooCommerce Store Security

The Noonification: If Youre a Facebook User, Thousands of Companies Are Watching You (1/19/2024)

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps