As you start researching API Management solutions you'll quickly see a wide range of varying statements about PCI compliance. I thought it might be a good idea to clear up a few misconceptions about PCI, and to tell you why you should care about it, even if your company isn't in the payment card industry.
First things first: when we talk about PCI, we are normally referring to PCI DSS, the Payment Card Industry Data Security Standard maintained by the PCI Security Standards Council. The PCI Security Standards Council is an open global forum founded by five global payment brands: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.
It is responsible for the "development, management, education, and awareness" of the PCI Security Standards, with PCI DSS being the keystone standard providing "an actionable framework for developing a robust payment card data security process". The key phrase in all this is "payment card data security process". PCI DSS is all about ensuring that your processes don't compromise payment card data. The bottom line here is that PCI compliance applies to processes and services, not products.
In addition to PCI DSS, you must also be compliant with the Payment Application Data Security Standard (PA-DSS). That standard sets out the requirements for how cardholder data and sensitive authentication data are stored, processed, and transmitted.
It is meaningless to claim that a piece of software is PCI compliant. Offering a PCI compliant service means that you have been through an exhaustive process culminating in an audit (which is repeated at least annually), to ensure that the services you provide to your customers will not compromise payment card data. Achieving PCI compliance for a service is a BIG deal. We've been through the process of achieving PCI DSS compliance and are now certified as a PCI Level 2 Service Provider, and believe me when I say that it is a rigorous process.
This means that customers wishing to use APIs for anything involving payment services can legally use our platform - something they couldn't do with most other vendors' solutions. More than that, it means that any customer who cares about the safety of their data can be confident that we operate a service that complies with the most stringent security requirements, and that our processes and procedures are designed and certified to keep their data safe.
If you take anything away from this brief discourse, take these two things with you:
VP of Product Management, Akana
Ian Goldsmith drives product and market strategy for Akana API management at Perforce. He focuses his energies on digital innovation and technology adoption in large enterprises, having successfully completed several cryptography and secure messaging projects with U.S. and international defense and intelligence agencies. He holds a master’s degree in computer science from Cambridge University and is a frequent speaker and panelist at technology conferences.