PCI DSS
Introduction
Payment Card Industry Data Security Standard (PCI DSS) is a set of data security standards that all organizations that store, process or transmit cardholder data are required to comply with.
Why was it introduced?
To help ensure that this sensitive data is handled safely and to protect the cardholders, who take on a risk when they use their card in stores and purchase things online.
If any link in that chain (an ATM, a card terminal, or a merchant's systems) is compromised, an attacker can see your Primary Account Number (PAN, a.k.a. card number), expiry date, and CVV, and could then make fraudulent payments.
Who does PCI DSS apply to?
PCI DSS applies to all organizations that accept or process cardholder data, regardless of the size of the company or the industry it serves.
What happens if my organization doesn't comply?
Fines vary from $5,000 to $100,000 per month until the merchant achieves compliance. These fines are manageable for a big bank, but they could easily push a business into bankruptcy.
Fines from card networks (Visa, Mastercard, Amex)
- Fines for non-compliance can range from $5,000 to $100,000 per month until compliance is achieved.
- In the event of a data breach, costs increase significantly. These can include fines per compromised cardholder record, which can range from $50 to $90 per card.
- There can also be additional fines for violations of compliance standards, which can exceed millions of dollars.
Processor termination
Your bank or payment processor (e.g. Stripe) may choose to offboard you and terminate your access to their payment services.
Lawsuits
You may become subject to lawsuits brought by consumers or other parties involved.
How can I make my organization PCI compliant?
There are two options:
Build it yourself and go through certification
This takes 12+ months and $100k+ in development cost at the lowest transaction tier, not including maintenance. The effort can consume all of your company's resources.
Effort
You’ll have to build encryption infrastructure from scratch. This includes, but is not limited to, implementing strong cryptographic algorithms, building network isolation and VPC peering, managing and rotating encryption key rings, and setting up mTLS with some providers (e.g. Visa).
PCI is a hassle to manage not just for a startup but for big companies too. For example, RBS had a 3-day outage because its key rotation service failed and the only person who understood it was on vacation.
Offload the burden of processing card data
Offload the burden by letting a PCI-certified entity handle your card data processing. The key here is that your team and your servers never get exposed to or touch the underlying card data.
Effort
By offloading the storage and processing of card data, you reduce your burden by 95%, leaving basic organizational controls such as:
- Periodic review of card workflows
- Incident Response Management
- Vulnerability scanning on your instances
- 2FA enabled on company devices
- Script and Code Dependency Inventory Management
- Third-Party Risk Management
Modernbanc helps with PCI compliance
Modernbanc provides an end-to-end environment and a Vault solution to either fully offload the PCI card data processing burden or partially alleviate it.
We can help you launch in minutes while you still keep full control of your data.
Operate at any level of abstraction from deploying your own code to manipulating data with our low-code UI editor.
Collecting data:
- From your users: with our native unstyled components.
- From payments processors: read APIs, emails or SFTP with our workflows.
- Directly: create in Modernbanc UI or post with the API.
Processing data:
Process your card data as if it were in-house. From our low-code Workflows editor to deploying your own code on Modernbanc Isolates and Docker containers, you can operate on the data in any way you see fit without exposing it to your app or servers.
Display data:
- Reveal data to your users: with our unstyled output elements.
- Integrate any processor, make payments and send data with our workflows.