The complexity around PCI compliance is often exaggerated, creating closed systems and walled gardens. Of course, PCI compliance is not a one-time exercise. It requires additional time and effort. But it is no rocket science either.
We intend to simplify PCI compliance from first principles. We have also open-sourced our PCI-certified card vault application code, along with the deployment scripts, which you can self-host.
PCI Compliance - Why and What?
The current payment networks are built on a chain of trust between banks, card networks, payment processors and merchants. The result is that "everyone needs to take responsibility" for secure handling of card information. PCI compliance is neither determined nor enforced by any government body. It is a set of standards created by the Payment Card Industry Security Standards Council.
The Payment Card Industry Security Standards Council (PCI-SSC) is an independent body created by the card networks in 2006. It publishes and manages the PCI security standards. However, enforcement of these standards falls to the card networks and payment processors.
The Payment Card Industry Data Security Standard (PCI DSS) is a comprehensive set of guidelines for global payments designed to fortify the defenses around cardholder data and uphold the integrity of payments.
In this blog, we will look at the levels of PCI compliance and its key requirements, and we will see why obtaining PCI compliance is not as hard as it is made out to be.
Demonstrating PCI compliance
Businesses subject to PCI-DSS must demonstrate compliance with the standard annually, and PCI-DSS lays out two ways of doing so:
Self-Assessment Questionnaire (SAQ): This is an audit or assessment which a business can complete without an independent third-party Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA). The person responsible for the payment infrastructure fills out the SAQ. This could be the stakeholder closest to your payment infrastructure: your DevOps Manager, Information Security Officer, or CTO.
Report on Compliance (ROC): An independent third-party QSA or ISA certified by the PCI-SSC has to perform the audit and share the findings.
Companies that fall into PCI DSS Levels 2-4 are only required to complete a Self-Assessment Questionnaire (SAQ) and submit it to their payment processor or acquirer. And that would be all!
Levels of PCI Compliance
Parameter | PCI Level 1 | PCI Level 2 | PCI Level 3 | PCI Level 4 |
---|---|---|---|---|
Sources: Mastercard guidelines, Visa Guidelines, PCI SSC document library
About PCI Requirements and Controls
In general, PCI compliance is consolidated into 12 requirements and 224 controls.
Requirements | Number of Controls |
---|---|
Simplifying your PCI compliance
Self assess your business for PCI compliance
Requirement 9
Requirement 3
This is the reason behind our recommendation of a simple setup without the card vault if your business processes fewer than 6 million card transactions.
Completing the SAQ
There are multiple variants of the SAQ applicable to merchants who want to be PCI compliant. This document explains compliance with SAQ D only. Examples of merchant environments that would use SAQ D include, but are not limited to:
- E-commerce merchants who accept cardholder data on their website.
- Merchants with electronic storage of cardholder data.
- Merchants that don't store cardholder data electronically but do not meet the criteria of another SAQ type.
Table of Activity | Description |
---|---|
Simplifying the activities
- Project tracker: A spreadsheet that is handy for project-managing the above activities and getting them completed.
- Documentation templates: Easy-to-reuse templates for the documentation and process activities.
- Scripts: Automation scripts that can help you close most of the infrastructure activities in a few minutes.
You can ping us on Slack to get access to the above recipe.