PCI - What It Is, and Why You Should Care
As you start researching API Management solutions you'll quickly see that there are a wide range of varying statements about PCI Compliance. I thought it might be a good idea to clear up a few misconceptions about PCI, and tell you why should care about it, even if your company isn't in the Payment Card industry. So first things first, when we talk about PCI, we are normally referring to PCI DSS which is the Payment Card Industry Data Security Standard maintained by the PCI Security Standards Council. The PCI Security Council is an open global forum founded by five global payment brands - American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. It is responsible for the "development, management, education, and awareness" of the PCI Security Standards, with PCI DSS being the keystone standard providing "an actionable framework for developing a robust payment card data security process". The key phrase in all this is "payment card data security process". PCI DSS is all about ensuring that your processes don't compromise payment card data. The bottom line here is that PCI compliance applies to processes and services, not products. It is meaningless to claim that a piece of software is PCI compliant. Offering a PCI compliant service means that you have been through an exhaustive process culminating in an audit (which is repeated at least annually), to ensure that the services you provide to your customers will not compromise payment card data. Achieving PCI compliance for a service is a BIG deal. We've been through the process of achieving PCI DSS compliance and are now certified as a PCI Level 2 Service Provider, and believe me when I say that it is a rigorous process. This means that customers wishing to use APIs for anything involving payment services can legally use our platform - something they couldn't do with most other vendors' solutions. More than that, it means that any customer who cares about the safety of their data can be confident that we operate a service that complies with the most stringent security requirements, and that our processes and procedures are designed and certified to keep their data safe. If you take anything away from this brief discourse, take these two things with you:
- While it's true that PCI DSS Compliance applies to service offerings, not software products, not every software product would be capable of providing the foundation for a PCI compliant service, so if you're going down the route of on-premise software, make sure your vendor has experience with PCI, and ideally has operated a PCI compliant service themselves.
- PCI Compliance has broad relevance outside the payment card industry because it demonstrates a vendor's commitment to security and ability to operate a platform that can keep your business safe.