Why instant global payments are a must for US financial service providers
According to a recent industry report, customers who receive instant money transfers have a 6% higher retention rate compared to those waiting over 48 hours...
Part of the job of a service engineer is to make sure the environment hosting credit card data is up and running 24/7 and even more importantly protect the environment from hackers and other unauthorized access. You also need to ensure that you meet the PCI DSS and pass the external audits.
Before we jump forward, very briefly on the what and why.
Payment card industry data security standard – is a set of requirements developed to ensure any merchant/business handling credit card data has a good grip on security. The standard is developed by PCI DSS council. The initiative to create the council and PCI DSS comes from the biggest credit card companies (Visa, MasterCard, Amex etc) as having weak security around processing credit card data is simply bad for business.
Why should one care about PCI DSS?
If you are a business and want to store credit card data of your customers in your managed environment you should, according to PCI DSS council, be PCI DSS compliant. If you are not compliant and still go forward with handling credit card data you risk lawsuits / payment partners and banks refusing to work with you and more.¹
Here are a few things to keep in mind:
Start by looking at the existing online service and systems that you already have and see how well they match with PCI DSS either by hiring a compliance expert or reviewing the PCI DSS requirements yourself – they are available for free online. This would give you a good idea of how much extra effort you would have to plan for when creating the actual PCI DSS compliant environment. Depending on your company's current security practices building a PCI DSS compliant environment might be a small project or a massive endeavour.
For example for a company where systems security is well developed getting PCI DSS compliant might mean just tweaking some configurations (ie changing logging configuration for some systems and applications) and specifying some security procedures (i.e., having a PCI Incident management process and roles in place).
On the other hand, if security has been an afterthought then building a PCI DSS compliant environment and keeping it PCI DSS compliant will be quite an undertaking.
Assuming you want to go forward with building PCI environment, the actual first step towards building it would be creating a diagram that describes the environment and the intended business logic flow (where is credit card data entered into your system, which applications capture the data, which database stores it, which networks are hosting these applications, which firewalls are involved etc).
With help of the diagram you should have the PCI DSS scope in place – meaning you should know, which applications/systems/networks need to follow PCI DSS and which teams and engineers will be involved in both building the environment as well as keeping the environment PCI DSS compliant in the future. As mentioned earlier there is overhead for the involved engineers to keep an environment PCI DSS compliant, a lot of things can be automated but even then.
After a high level network/business logic flow diagram for storing credit card data is in place you should again make a sanity check against PCI DSS. Either with help of an expert or step by step going through each and every requirement in PCI DSS and seeing how well it matches with what you are planning to build. Make changes as needed to be compliant and done. Build what you have in the diagram.
PCI DSS requirements are written out quite well. So you should not be afraid to assess your diagram against the requirements yourself. In addition to each requirements description the PCI DSS also includes notes on how to test that this requirement is met as well as a guidance section which includes a small section on why this requirement is relevant and helps with the context.
If you do go with the option of throwing money at the problem and hiring a PCI DSS compliance expert to help you assess your plans then I strongly recommend hiring from a company that is qualified to do PCI audits.
In any case before starting to handle production data you will need to have an initial PCI DSS audit against your environment and then get re-audited annually by a qualified security assessor thereafter.
A little bit about the PCI DSS requirements themselves. They are divided into 6 sections to make sure all attack vectors are covered.²
The sections are:
Build and maintain a secure network and systems – this section covers requirements related to the networks where your PCI environment is hosted. Requirements range from having to have a formal network ACL change process in place, separating your PCI networks from the rest of your environments and applying good security practices on your network devices.
Protect cardholder data – requirements regarding encrypting cardholder data at rest as well as during transmit
Maintain a vulnerability management program – requirements around patching your systems, having antivirus in place, having change management process in place, doing code reviews etc.
Implement strong access control measures – mostly self explanatory, all users with any kind of access to PCI environment should have unique usernames, multi factor authentication, password changes should be forced etc.
Regularly monitor and test networks – requirements around conducting penetration tests, having intrusion system detections in place, reviewing for anomalies in logs etc.
Maintain an information security policy – your company should have a security policy that is known and followed and engineers attest at least annually that they understand and are aware
For an engineer, for the most part, the requirements are not surprising, make perfect sense and in many cases are already practiced with or without PCI DSS. For example it does make sense that each engineer with access to any production environment has a unique account. It also makes sense that applications, firewalls, systems are logging what's happening on them, including input from users with access. It also makes perfect sense that if you take the effort to encrypt traffic or data then you should make sure your chosen method is actually deemed secure by industry experts.
Then there are quite a few requirements that strongly encourage automation – requirements around patching and around intrusion detection are perfect candidates to be solved with help of automation.
On the other hand there are several requirements which are hard if not impossible to automate and thus create overhead for PCI environment involved teams, for example:
Overall though, achieving PCI DSS compliance should be doable regardless of the technology stack you use. It can all be done on Windows server based environments, Linux based environments involving both private cloud / public cloud as well as bare metal servers or even a hybrid combination.
If your business operates internationally, you’re most likely to deal with payments in different currencies and have to convert between them from time to time. This is where you could employ a reliable and cost effective partner to take care of your currency exchanges. One very obvious detail that you need to consider when looking for a partner is their exchange rate as a lot of companies set their own rates to cover the conversion cost and/or earn profit from the transaction. This often means 3 - 6% additional cost to you.
The good news is that there are services like Wise that offer real exchange rates with no mark-up for a small and transparent fee that is up to 14x cheaper than PayPal.
Here are some benefits you can take advantage of using Wise Business:
With these benefits, you could save 3 - 4% on conversion charges alone which means more profit for your business.
Sources:
*Please see terms of use and product availability for your region or visit Wise fees and pricing for the most up to date pricing and fee information.
This publication is provided for general information purposes and does not constitute legal, tax or other professional advice from Wise Payments Limited or its subsidiaries and its affiliates, and it is not intended as a substitute for obtaining advice from a financial advisor or any other professional.
We make no representations, warranties or guarantees, whether expressed or implied, that the content in the publication is accurate, complete or up to date.
According to a recent industry report, customers who receive instant money transfers have a 6% higher retention rate compared to those waiting over 48 hours...
Understand payment processing fees in the UK. Explore types, costs, and how to choose the best payment solutions for your business.
Read our comprehensive guide to the best business payment services in the UK, including Stripe, Square, GoCardless, Zettle, Braintree and Worldpay.
Get a complete overview of Shopify payment processing fees. Learn about costs, options, and tips to manage fees and optimise your profitability
Explore best practices in dunning management to reduce payment failures, improve cash flow, and retain customers with effective communication strategies.
Read our helpful guide to subscription payment gateway services in the UK, including how they work and a list of popular UK providers.