What you should know about PCI-DSS automation
PCI-DSS (Payment Card Industry Data Security Standard) is an information security standard that must be adhered to by any organization that stores, processes or transmits cardholder data (CHD) as part of accepting credit card payments. It is a complex and demanding standard, and the costs of remaining in compliance, in both time and money, are substantial: the amounts vary with the size of the merchant, but they can run from around $20k for a small enterprise to hundreds of thousands of dollars for a business transacting millions of payments.
As a result of the cost pressure of PCI compliance, it makes sense for companies to seek out ways to reduce their compliance scope. One key pathway to reducing costs is to automate the PCI compliance routine, whether by automating the process of filling out Self-Assessment Questionnaires (SAQs), or by moving the handling of card data, and with it most of the compliance burden, out of their environment and into that of a compliant third party.
Automating data collection for SAQs
The card brands assign merchants to four levels by annual transaction volume, and the level determines how PCI-DSS compliance must be validated:
- PCI Level 1: Businesses processing over 6 million transactions per year
- PCI Level 2: Businesses processing 1 million to 6 million transactions per year
- PCI Level 3: Businesses processing 20,000 to 1 million transactions per year
- PCI Level 4: Businesses processing less than 20,000 transactions per year
Each level requires a different degree of scrutiny to validate compliance, with Level 4 being the simplest and Level 1 the most stringent. Level 1 requires an annual on-site assessment by a Qualified Security Assessor (QSA), while Levels 2 - 4 typically allow the merchant to complete a Self-Assessment Questionnaire (SAQ), pass quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), and file an Attestation of Compliance (AOC). However, if a data breach or a verified successful cyberattack has occurred, a company handling any volume of transactions may be required to bring in outside assessors to confirm the security of its systems.
The SAQs themselves are long and can be onerous to complete, which is why merchants often look for automation products to reduce the cost in time and resources. Automation can collect evidence from the systems in compliance scope, on an ad hoc or continuous basis, and, with the right tuning, flag both gaps in required controls and policy violations in near real time, allowing the company to remediate quickly without putting its compliance status at undue risk.
Basis Theory is one such partner that can help reduce the burden of completing SAQs. A Basis Theory customer, Passes, needed to demonstrate PCI compliance, and rather than completing a full SAQ D, the Passes team only had to answer the questions required for SAQ A-EP, a much shorter form for merchants who outsource their payment channels to compliant third parties like Basis Theory. Patrick Zhang, the tech lead at Passes, noted: "I think literally the number of requirements gets reduced by 90%, I think it goes from 215 to 22."
Automating to avoid the need for PCI compliance in the first place
One of the reasons that Payment Service Providers (PSPs) like Stripe gained momentum was that they provided a pathway to keep cardholder data out of merchants’ systems. By embedding a payment form that submits card details directly to the PSP, the merchant’s servers never ‘see’ the data, which keeps most of the merchant’s environment out of PCI-DSS scope. The merchant still attests, typically on the much shorter SAQ A, but the heavy controls fall to the PSP; note that any path where the merchant’s own backend receives the card number, such as a form that posts to the merchant first, pulls that environment straight back into scope.
In return for shielding the merchant from most of the PCI-DSS scope, and for providing a PCI-validated Level 1 service-provider environment to protect consumer data, PSPs charge higher fees than the merchant might pay by storing the details itself and sending them directly to a payment gateway. The PSP may also return a token the merchant can reuse for future transactions by the same customer, but such a token is only valid with the PSP that issued it, so the merchant cannot spread transactions across several PSPs to optimize its cost structure.
Using a third-party tokenization service provider to automate PCI compliance
A third-party tokenization service provider (TSP) like Basis Theory can take the place of the PSP for the purpose of accepting card details and keeping the merchant out of PCI-DSS scope. The card data is submitted directly to Basis Theory, and the merchant receives a token, which it can use to instruct the TSP to submit a transaction on its behalf to substantially any PSP or payment gateway.
This strategy lets the merchant avoid certifying its own environment as fully PCI compliant, and additionally lets it arbitrage PSPs: because the token is not bound to one processor, the merchant can route the same card to any PSP or gateway with which it builds a relationship. As a result, the merchant not only gets Level 1 protection for its customers’ data from the TSP, but also opens up the opportunity to manage and optimize its payment processing costs.