The modern consumer demands convenience. Last year, over two billion people completed their transactions online, with sales surpassing the $4.2 trillion mark. Enabling your customers to make in-app purchases and payments is no longer considered nice to have; it’s expected. But with great UX comes great responsibility, and protecting cardholder data (CHD) should be at the forefront of every mobile app developer's mind.
Your app will need to comply with the Payment Card Industry Data Security Standard (PCI DSS) whether you encourage customers to enroll in auto-pay or transact via marketplace chat. Failure to gain and maintain PCI DSS compliance can result in customer data breaches and monthly fines ranging from $5,000 to $100,000.
After reading this article, you will understand what PCI DSS compliance is, how to gain compliance as a new business, the top three design requirements to keep in mind during app development, and how to maintain your compliance.
What is PCI DSS?
Think of the Payment Card Industry Data Security Standard (PCI DSS) as the law of the land when it comes to electronic payment security. Whether you’re a bootstrapped start-up or a global enterprise, meeting this standard is required for any company that accepts, processes, stores, or transmits CHD. These businesses must maintain their PCI DSS compliance to continue servicing customers and must validate their compliance annually.
Two parties share creation, management, and enforcement duties for PCI DSS. The first is the Payment Card Industry Security Standards Council (PCI SSC). The council was formed in 2006 to focus on improving the payment security of digital transactions. Its role is mainly to develop, manage, and evaluate the 12 requirements so that they remain relevant to the current state of the world. The second party comprises the major credit card companies, such as Visa, MasterCard, AmEx, Discover, and JCB. This party created the data security standards and is responsible for enforcing compliance.
The 12 PCI DSS Requirements Are:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
It’s quite a list, and each bullet seems to touch on a more serious issue than the last. Don’t tackle all of the requirements at once. Instead, first define your PCI DSS scope. Your scope is the combination of people, processes, and technologies that interact with cardholder data (CHD) or could otherwise affect its security. By reducing your scope, you in turn reduce your compliance costs, operations costs, and the risk associated with handling payment card data.
Achieving PCI DSS Compliance as a New Business
Unless you’re opening a cash-only ice cream shop, your company will interact with CHD at one point or another, so becoming PCI DSS compliant is non-negotiable. However, the somewhat lengthy and laborious process of gaining compliance can pay off in other ways for new businesses on the block. For example, an app that earns PCI DSS compliance might increase its perceived trustworthiness and legitimacy to prospective users, and customer acquisition is typically high on the priority list for fledgling companies.
For particularly security-minded prospects, seeing a PCI DSS compliance certificate could be the difference between them using your app versus competitors’.
Another piece of good news is that both new and small businesses typically fall into the fourth level of PCI compliance and don’t require full-blown, expensive PCI DSS compliance audits. Instead, they are the perfect candidates for Qualified Security Assessors. Qualified Security Assessor (QSA) companies are independent security organizations that the PCI Security Standards Council has qualified to validate an entity’s adherence to PCI DSS.
These consultations are particularly helpful for new companies because all QSAs have the network design experience and security training needed to conduct these technical and complex security assessments. Even for apps with a small customer base, the payment card technology environment has evolved into a complex system that requires specific IT skills to ensure security measures meet the ever-changing PCI requirements.
Top 3 PCI DSS Design Requirements for Apps
If you scan back up to the list of the 12 total requirements for PCI DSS compliance, pay special attention to numbers three, four, and six. Now, read on to better understand the role those three will play in both your chat app development and compliance journey.
Requirement #3: Protect Stored CHD
We’ve mentioned the term cardholder data (CHD) a few times already, but you’re probably wondering exactly what data the term encompasses. Cardholder data includes any information that is processed, printed, stored, or transmitted from the payment card. Apps that accept payment by credit card must protect CHD and prevent unauthorized use, whether the data is printed or stored electronically.
Generally, no cardholder data should ever be stored. The sensitive authentication data held on the magnetic stripe must never be stored; if you must keep the primary account number (PAN), render it unreadable.
Let’s get technical for a minute. Similar to the considerations a product development team makes when designing apps for other industries that also require compliance, here are some of the functionalities necessary to include when developing a secure payment messaging app:
- Data storage and retention time should be limited. Purge all unnecessary data at least once per quarter.
- After authorization, sensitive authentication data should not be stored, even if encrypted. Issuers may store it only with a documented business justification and secure storage.
- When displaying a PAN, mask it. Show no more than the first six or the last four digits.
- Wherever a PAN is stored, render it unreadable, including on digital media, in logs, on backup media, and in wireless network traffic.
- Protect the keys used for cardholder data encryption from misuse and disclosure.
- Companies should fully document and implement the appropriate key management procedure and process for the cryptographic keys used to encrypt CHD.
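Two of the controls above, masking a displayed PAN to at most the first six and last four digits and scrubbing PANs out of log lines before they are written, as an added Python example that is not part of the original article. The Luhn check (used to cut false positives such as order IDs), the helper names, and the sample log line are constructed for this example; 4111 1111 1111 1111 is a well-known test card number, not real cardholder data.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
# Word boundaries keep a 16-digit slice of a longer digit run from matching.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; assumption added here to reduce false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, show_first_six: bool = False) -> str:
    """Mask a PAN for display: at most the first six and last four digits visible."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    head = digits[:6] if show_first_six else ""
    hidden = "*" * (len(digits) - len(head) - 4)
    return head + hidden + digits[-4:]


def redact_log_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a log line with its masked form."""
    def _sub(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        # Leave non-PAN digit runs (e.g. order IDs) untouched.
        return mask_pan(digits) if luhn_ok(digits) else match.group(0)
    return _PAN_RE.sub(_sub, line)


# Constructed sample: a support-chat log line that leaked a test card number.
SAMPLE_LINE = "order=123456789012345 card=4111 1111 1111 1111 status=ok"

if __name__ == "__main__":
    print(mask_pan("4111111111111111", show_first_six=True))
    print(redact_log_line(SAMPLE_LINE))
```

Run the scrubber on the logging path itself (a logging filter or the chat service's message sink), not as an after-the-fact cleanup, so the unmasked PAN never reaches disk.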
Requirement #4: Encrypt the Transmission of CHD Across Open, Public Networks
Hackers can easily intercept the transmission of CHD over free, unprotected public networks. Shielding private data from threats is critical, and data encryption is the perfect, PCI DSS-compliant solution.
App development teams should use robust security protocols and encryption such as TLS/SSL, IPsec, or SSH to safeguard cardholders’ sensitive data in transit, even over public networks. Not only does this keep your application compliant, it also gives users a real convenience bonus: they can transact even when they cannot connect to a trusted network.
Requirement #6: Develop & Maintain Secure Systems & Applications
This requirement of PCI DSS compliance is essential to product managers and developers working on any new app with secure payment messaging in mind. Requirement number six refers to developing external and internal applications deemed within the scope of PCI DSS enforcement. In this case, any app intended to collect, store, and transmit CHD will need to meet PCI DSS standards and the Payment Application Data Security Standard (PA DSS).
To earn compliance for this requirement, you’ll need to document all the software and tools used to develop your app. Be sure to report the details of the conceptualizing, designing, researching, and testing carried out in each part of the product development lifecycle. Because software libraries and tools are frequently updated, you must keep your list current. Once you’ve established the list, create a process for updating it whenever a new version of one of your tools is released.
How to Establish & Maintain PCI DSS Compliance
You can accomplish PCI DSS compliance in two phases. The first is to achieve a PCI DSS compliance status, starting with creating a PCI compliance checklist.
The second is to maintain compliant status. Remaining compliant is difficult to achieve, partly due to misconceptions that compliance is simply about following the PCI DSS audit checklist.
The “big secret” to maintaining compliance is to develop and respect your documentation process. If your documentation is regularly updated, you should be ready for a compliance check at any time; and if you’re not, you’ll be able to identify why and make a swift correction.
The ability to maintain continuous compliance ensures that your working environment is up to PCI standards and fit for guarding customer data. A few steps you can take towards preserving compliance include:
- A plan for access control
- Policy development to align with PCI DSS requirements
- Keeping and maintaining detailed records
- Oversight management
- Regular testing to measure vulnerabilities
PCI DSS compliance is essential to both the security of your customers’ data and the future of your business. Remember those noncompliance fines? Ouch! While earning compliance positions your app as trustworthy to customers, the intensive documentation practices required to maintain it will encourage your team to stay sharp and curious when evaluating the tools they use to develop the app.
Start your journey towards PCI DSS compliance by familiarizing yourself with the 12 requirements, then narrow your scope and home in on the three to four that seem the most attainable for your business to meet. To successfully launch and scale your compliant secure payment messaging app, apply the theme of this article, determining a manageable scope, to all aspects of the development process. For example, by looking to a third-party vendor for a chat SDK, you can avoid worrying about the scalability of your chat infrastructure, receive top-notch customer support, and save time that you can put towards the PCI DSS compliance process. The road to PCI DSS compliance can be long and tedious; outsourcing some aspects of your app development can make all the difference.
1. What is PCI DSS?
PCI DSS is a set of standards required by law to secure CHD within the application and inside the organization that stores the information.
2. How to become PCI Compliant?
Five items that should be at the top of your PCI compliance checklist:
- Analysis of your compliance level
- Filling out the Self-Assessment Questionnaire (SAQ)
- Making the necessary changes and addressing any shortcomings
- Completing an attestation of compliance
- Filing of paperwork
3. What are the PCI Compliance Levels?
All organizations that store, use, or transmit cardholder data in conducting their business require PCI DSS compliance. But the requirements vary according to annual transaction volume, which divides compliance into four levels.
Level IV: Merchant processes fewer than 20,000 transactions annually.
Level III: Merchant processes between 20,000 and 1 million transactions annually.
Level II: Merchant processes between 1 million and 6 million transactions annually.
Level I: Merchant processes more than 6 million transactions annually.
4. What does PCI Compliance mean for the fintech app business?
A fintech app business that is PCI compliant is legally prepared to handle users’ card details in its processes. Fintech companies that are not PCI compliant are not allowed to handle CHD and can face severe financial consequences such as fees, fines, and even loss of business. Consequences like these make PCI-compliant software development for fintech apps an absolute must.
5. Is the PCI DSS Certificate required when using a payment gateway?
Yes, it is required. Integrating a payment gateway does not mean you are exempt from acquiring a PCI DSS certificate. In any case, how you add a payment gateway to your application or site determines the degree of compliance required.
6. What is the relationship between PA DSS and PCI DSS?
The PA DSS is the standard for developers and integrators of mobile payment applications that use card information for authorization and settlement. PA DSS compliance applies to apps that are sold, distributed, or licensed to third parties.