This week, we passed our annual Payment Card Industry Data Security Standard 3.2.1 (PCI DSS Level 1) certification.
Often, #eCommerce and #FinTech companies are unsure how to become PCI DSS #compliant and secure payments for their customers. Any business that processes payment cards must comply with the rules or face potential fines. The PCI Security Standards Council's aim is to enhance global #payment account data security by developing these standards.
The PCI DSS requirements you must meet depend on the merchant level your business is classified under. Merchant levels are assigned according to how many payment card transactions your business processes annually.
We would like to share our experience and tips from our CTO Sergey Velts.
PCI DSS is intuitive from an information #security perspective. Passing the certification makes your systems and organisation more secure!
At Cybertonica, we passed the certification swiftly. Usually, though, it takes several weeks to prepare for it, and another two weeks to pass the audit and penetration tests.
Secure by design: The process is easier if you integrate security from the beginning. Read about DevSecOps and apply it.
Data flow diagrams and STRIDE methodology for threat modelling help a lot and are easily understood by all team members.
SDL (Secure Development Lifecycle) is an important part of compliance and DevSecOps, and makes later ISO 27001/9000 certification easier.
Working with tokenised card data makes certification easier to implement and deploy. We achieved this in two months.
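To illustrate why tokenisation shrinks the PCI DSS scope, here is an added example (not Cybertonica's code, and not part of the original post). It assumes a hypothetical in-memory `TokenVault` standing in for the separate, PCI-scoped tokenisation service; the merchant-side record it produces holds only a random token, the last four digits and a masked PAN, so the merchant systems never store the full card number. The card numbers used are constructed, publicly known test values.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check used by payment card numbers (PCI DSS itself does not
    mandate this; it simply rejects obviously malformed input before storage)."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) != len(pan) or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits at most, the rest masked
    (the maximum PCI DSS 3.2.1 requirement 3.3 allows to be shown)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical tokenisation service. In production this lives in the
    cardholder data environment; here a dict stands in for its secure store."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        # Random token: not derived from the PAN, so it cannot be reversed
        # or brute-forced by anyone who only holds tokens.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; merchant code never calls this."""
        return self._pan_by_token[token]


def merchant_record(vault: TokenVault, pan: str) -> dict:
    """What the merchant side keeps: enough to display and reference the card,
    but no full PAN, which keeps those systems out of PCI DSS scope."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:], "masked": mask_pan(pan)}


if __name__ == "__main__":
    vault = TokenVault()
    rec = merchant_record(vault, "4111111111111111")  # constructed test PAN
    print(rec)
    print("vault resolves to:", vault.detokenize(rec["token"]))
```

The design point is that the token is random rather than an HMAC or encryption of the PAN: a deterministic token would let the same card be matched across transactions, but it would also make the token a function of the secret it protects, so every system holding tokens would inherit part of the vault's risk.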
Use a cloud provider who already has been certified for physical and network security, as this will save you time.
If you have questions or are unsure whether you need to be compliant with PCI DSS, our team of experts is ready to help. Get in touch with us via firstname.lastname@example.org.