
Why you need to be PCI-compliant.

Gregory Gevorkyan
25 Apr 2024

PCI DSS

Introduction

Payment Card Industry Data Security Standard (PCI DSS) is a set of data security standards that all organizations that store, process or transmit cardholder data are required to comply with.

Why was it introduced?

To help ensure that this sensitive data is handled safely and to protect the cardholders, who take on a risk when they use their card in stores and purchase things online.

If even one of the providers that handle the card (for example an ATM or a card terminal) is compromised, an attacker can see your Primary Account Number (PAN, a.k.a. card number), expiry date and CVV, and would then be able to make fraudulent payments.

Who does PCI DSS apply to?

PCI DSS applies to all organizations that accept or process cardholder data, regardless of the size of the company or the industry it serves.

This applies even if you're not a payment processor (e.g. a merchant or a data vendor).

What happens if my organization doesn't comply?

Fines from card networks (Visa, Mastercard, Amex)

Fines vary from $5,000 to $100,000 per month until the merchant achieves compliance. These fines are manageable for a big bank, but they could easily put a smaller business into bankruptcy.

Processor termination

Your bank or payment processor (e.g. Stripe) may choose to offboard you and terminate your access to their payment services.

Lawsuits

You may become subject to lawsuits brought by consumers or other parties involved.


How can I make my organization PCI compliant?

There are two options:

Build it yourself and go through certification

Even at the lowest transaction tier this takes 12+ months and $100k+ in development cost, not including maintenance. This effort can consume all of your company's resources.

Effort

You’ll have to build encryption infrastructure from scratch. This includes but is not limited to embedding advanced algorithms, building network isolation, VPC-peering, encryption key ring management and rotation, and incorporating mTLS with some providers (e.g. Visa).

PCI is a hassle to manage not just for a startup but for big companies too. For example, RBS had a 3-day outage because the key rotation service failed and the only person who understood it was on vacation.


Offload the burden of processing card data

Offload the burden by letting a PCI-certified entity handle your card data processing. The key here is that your team and your servers never get exposed to or touch the underlying card data.

Effort

By offloading the storage and processing of card data, you reduce your burden by 95% to basic organizational controls such as:

  • Periodic review of card workflows
  • Incident Response Management (ICR)
  • Vulnerability scanning on your instances
  • 2FA enabled on company devices
  • Script and Code Dependency Inventory Management
  • Third-Party Risk Management
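The scope reduction described above rests on one mechanism: the card data is exchanged for a token at a PCI-scoped vault, and everything your own systems store, log or display is the token plus a masked PAN. The following is an added illustration written for this post, not Modernbanc's code or API; `CardVault`, `checkout` and `find_pans` are hypothetical names, and the card numbers are well-known test values, not real cards. It also includes the kind of check a compliance reviewer wants: a scanner that confirms application records and logs contain no Luhn-valid card number.

```python
"""Constructed illustration of the "offload card data" pattern: a vault holds
PANs, the application only ever sees a token and a masked PAN. The class and
function names here are hypothetical, not a real vendor API."""
import re
import secrets
import string
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn checksum used by card networks; rejects typos before tokenizing."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:  # every second digit counted from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, the part that may be shown to users."""
    return "*" * (len(pan) - 4) + pan[-4:]


class CardVault:
    """Stands in for the PCI-certified vault: the only component holding PANs.
    It deliberately has no way to store a CVV, which must never be retained."""

    def __init__(self) -> None:
        self._cards: dict[str, tuple[str, str]] = {}

    def tokenize(self, pan: str, expiry: str) -> tuple[str, str]:
        pan = re.sub(r"\D", "", pan)
        if not luhn_valid(pan):
            raise ValueError("PAN failed Luhn check")
        # Letters-only token (a constructed choice) so a token can never be
        # mistaken for a card number by scanners or by people reading logs.
        token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(24))
        self._cards[token] = (pan, expiry)
        return token, mask_pan(pan)

    def charge(self, token: str, amount_cents: int) -> dict:
        """Would forward PAN and expiry to the processor; the PAN never leaves here."""
        pan, _expiry = self._cards[token]
        return {"status": "ok", "amount_cents": amount_cents, "last4": pan[-4:]}


@dataclass
class CustomerRecord:
    """What the application database stores: no PAN, no expiry, no CVV."""
    name: str
    card_token: str
    card_masked: str


def checkout(vault: CardVault, name: str, pan: str, expiry: str) -> CustomerRecord:
    """Application-side flow: hand the card to the vault, keep only the token."""
    token, masked = vault.tokenize(pan, expiry)
    return CustomerRecord(name=name, card_token=token, card_masked=masked)


# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list[str]:
    """Scan text (logs, DB dumps) for Luhn-valid card numbers that should not be there."""
    return [re.sub(r"\D", "", m.group())
            for m in _PAN_RE.finditer(text) if luhn_valid(m.group())]


if __name__ == "__main__":
    vault = CardVault()
    record = checkout(vault, "Ada", "4111 1111 1111 1111", "12/29")
    print(record)
    print(vault.charge(record.card_token, 1999))
    # Constructed log line that leaked a PAN; the scanner flags it.
    print(find_pans("order log: paid with 4111111111111111"))
    # The application's own record is clean.
    print(find_pans(f"{record.name} {record.card_token} {record.card_masked}"))
```

Running the scanner over application logs and database exports is a cheap way to verify, rather than assume, that the only PANs in your environment live inside the vault; a single hit means the card data has crossed the boundary and the relevant systems are back in PCI scope.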

Modernbanc helps with PCI compliance

Modernbanc provides an end-to-end environment and a Vault solution to either fully offload the PCI card data processing burden or partially alleviate it.

We can help you launch in minutes while you still keep full control of your data.

Control your data like it's in-house!

Operate at any level of abstraction from deploying your own code to manipulating data with our low-code UI editor.

Collecting data:

Processing data:

Process your card data like it's in-house. From our low-code Workflows editor to deploying your own code on Modernbanc Isolates and Docker containers you can operate the data in any way you see fit without exposing it to your app or servers.

Display data:

SOC-2 Type II
PCI-DSS Tier 1