There are plenty of reasons for enterprises that work with cardholder data to care about payment card industry (PCI) compliance. For starters, maintaining PCI compliance is an essential part of protecting cardholders, reducing fraud, and avoiding damage to your reputation. Additionally, if your organization is found not to be PCI compliant, it will be subject to financial penalties and, ultimately, not allowed to process or handle card transactions.
Achieving PCI compliance can be complex and time-consuming. For businesses that want to launch and scale quickly, the burden is onerous. To help you navigate the challenges of PCI compliance, here we’ll provide a crash course on the topic. We’ll also take a look at how Marqeta can help enterprises meet PCI data security standard (DSS) requirements and go to market quickly.
PCI compliance is the process of adhering to PCI DSS requirements and security assessment procedures when processing, transmitting, or storing cardholder data (CHD) or sensitive authentication data (SAD).
Let’s run through a quick Q&A to get up to speed on PCI DSS.
PCI DSS (Data Security Standards) is a payment industry standard. It is mandatory for companies that process, store, or transmit cardholder data (CHD) or secure authentication data (SAD) to comply with PCI DSS requirements. PCI DSS details specific technical and operational requirements effectively applicable to anyone that works with cardholder data or associated sensitive authentication data. The current version of PCI DSS, v3.2.1, was published in 2018 and is available for download in the PCI document library. Version 4 is expected to be released in early 2022.
The PCI Security Standard Council (PCI SSC)—an organization created by Visa, MasterCard, American Express, Discover Financial Services, and JCB International in 2006—created and maintains the PCI DSS standards.
PCI DSS aims to improve cardholders’ data security and facilitate consistency in the processes used to secure card transactions globally.
Cardholder data (CHD) includes primary account number (PAN), cardholder name, expiration date, and service code. PCI DSS allows secure storage of CHD when necessary.
Secure authentication data (SAD) includes full magnetic stripe data (or an equivalent such as EMV chip data), CVV2/CVC2/CID number, PIN, or PIN block. In most cases, PCI DSS does NOT permit storage of SAD after authorization, though we’ll cover an exception in the section entitled “Are card issuers subject to PCI DSS compliance?” below.
If you process, transmit, or store cardholder data (CHD) or sensitive authentication data (SAD), then, yes, you need to comply with PCI DSS.
CHD and SAD are collectively referred to as account data.
A cardholder data environment (CDE) consists of all the people, processes, and technologies that transmit, store, or process account data in a network.
The PCI SSC outlines 12 high-level requirements that businesses must meet in order to be PCI compliant. The requirements are grouped under larger categories (or goals) and take a holistic, end-to-end view of CDEs, covering items such as firewall configuration, default passwords, encryption, and even physical access. At first glance, that can be intimidating. For many digital businesses, however, the steps are either consistent with best practices they should follow anyway. By leveraging Marqeta’s platform, an organization can offload some of its compliance burden to Marqeta. However, that does not exempt the organization from doing its due diligence to meet any remaining requirements.
For example, Requirement #8 is “Assign a unique ID to each person with computer access.” A company may build its payment card program with the Marqeta platform, but that company still needs to provide unique IDs to its users.
Merchants (organizations that accept payment cards) and service providers (organizations that process payments or provide services to acquiring banks and merchants) have different validation requirements to achieve PCI compliance depending on their “level” or “tier”. Typically, an organization’s level is tied to the number of transactions that it processes annually, with Level 1 being the highest.
The five major card networks (Visa, MasterCard, American Express, Discover Financial Services, and JCB International) set their own requirements for PCI levels. Because most networks have similar requirements, Visa’s requirements are a good general reference to understand the basics.
The simple way to think about PCI compliance versus PCI certification is: PCI compliance is your company’s adherence to the twelve PCI DSS requirements. PCI certification, on the other hand, is the verification and attestation that a company is PCI compliant.
Any organization that accepts or processes payment cards must be PCI compliant and have PCI certification. On the surface, this may sound intimidating and complicated. However, the complexity of the PCI certification process depends on each organization’s PCI merchant level.
Level 1 merchants are those that process more than 6 million Visa, Mastercard, or Discover credit card transactions annually. These merchants are required to complete an annual PCI DSS assessment by a PCI Qualified Security Assessor (QSA), which results in a final Report on Compliance.
The remaining merchant levels (2 through 4) can obtain their PCI Attestation of Compliance (AoC)—which is, ultimately, their certification—by completing a Self-Assessment Questionnaire (SAQ) which documents an organization’s self-assessment of their PCI compliance.
Many companies that leverage the Marqeta platform to build payment card programs fall into the category of Level 4 merchants and are required annually to complete an SAQ-D. Every company, however, should determine their compliance merchant level and their certification requirements by becoming familiar with documentation from the PCI Security Standards Council.
In many cases, yes, card issuers are subject to PCI DSS.
There was a common misconception that card issuers were exempt from PCI DSS because they have no choice but to store SAD. However, PCI DSS v3.2.1 (at Section 3.2) clarifies that card issuers with a legitimate business need can store SAD. Issuers are still subject to all other relevant PCI DSS requirements.
Whether your card program is subject to PCI DSS depends on how you handle CHD and SAD. Some of the typical card issuer use cases that require PCI compliance include:
- Allow cardholders to activate cards in an app or webpage
- Allow cardholders to set PINs in an app or webpage
- Display sensitive account data in an app or webpage
- Card programs with cash withdrawals
- Card programs with international spending
Achieving PCI compliance can be a complex and time-consuming process for organizations standing up new card programs. Ensuring account data is securely transmitted, stored, and processed across your CDE can be a nuanced process. This is particularly true for card programs with cash withdrawals and multi-use cards that require PCI Level 1 compliance.
Additionally, even though you’re offloading the data handling to Marqeta, you can control the styling of the HTML pages to match your app. To get started with Marqeta.js, see Using Marqeta.js.
Some of the most common use cases that make card issuers subject to PCI DSS involve transmitting account data in card and PIN activation workflows. Marqeta offers customizable “Activate Card” and “Set PIN” widgets for these scenarios. These widgets are designed to comply with PCI DSS as it pertains to the storage, transmission, and processing of CHD.
To use these widgets, you simply embed the iframe within a parent page in your application and configure it by passing query parameters in the source URL. All the processing is performed on Marqeta’s servers. For mobile applications, native widgets aren’t available yet, but developers can still use embedded iframes in WebView.
In addition to the “Activate card” and “Set PIN” widgets, Marqeta has an Add Payment Card Widget in beta. This widget allows users to securely enter payment card data from cards not issued by Marqeta to enable push-to-card disbursements.
Ensuring that your organization is PCI compliant is no small task. It requires a strong understanding of what is required of your organization to be complaint and what is required to attest that you are compliant. However, the risks of being non-compliant are too great to ignore.
Fortunately, organizations who do their homework and seek help from experts will have a smoother and faster time getting to compliance. One case study discusses how Marqeta helped Ramp to begin transacting over the Visa network within two months. By offloading the complexity of PCI compliance to Marqeta, businesses can go to market quickly without compromising security.