Tackling the Complexity of Certifications
One word has been at the tip of our beaks lately: Certification. If you work in payments or accept them, you likely talk about this word a lot, too; in fact, there’s little to no chance you could avoid this word and the work associated with it even if you tried. The most familiar certification in the payments realm is likely to be the Payment Card Industry Data Security Standard (PCI DSS), a set of standards businesses must keep up with from year to year to ensure the security of payment data.
In our certification process this year, we’ve taken on the complexity of being an early adopter of new security standards (PCI 4.0). Doing so allows us to reduce workloads for our customers and partners and ensure we have the policies and procedures in place to protect their sensitive data. And if that’s not enough to demonstrate our commitment to data security, we’ve also taken on the responsibility of being one of the first direct integrators with Discover’s new global network tokenization platform. By being the first to take on these new standards and integrations, we have the opportunity to learn from experience and share those lessons with all of you!
PCI DSS 4.0
The PCI DSS certification came to be in 2004 when many well-known card networks banded together to create a set of security standards meant to protect credit and debit card transactions against data theft and fraud. Those standards are still in place to this day and are governed by the PCI Security Standards Council (PCI SSC). Starting next year, many new requirements will go into effect with the shift from the PCI DSS 3.2.1 to the 4.0 standard.
We opted to complete our 2023 audit for PCI DSS Level 1 certification on the 4.0 requirements, even though they don’t formally go into effect until 2024. As an early adopter, we have been learning about the new standards alongside our auditor as we completed its notably more robust process. And when we say robust, we mean it; the full list of changes from 3.2.1 to 4.0 is 36 pages. Those changes introduce language simplification, greater granularity and specificity within requirements, as well as new, clearer categories, requirements, and accountability structures. In practical terms, this meant we had a lot of work to do.
Here’s what we learned as we went:
Making all the required updates to our policy and procedure documentation to account for the changes in requirement numbers—plus the addition of new language and requirements—took a great deal of time. If you’re doing this on your own, allocate 3x the time you think you’ll need for that work at a minimum.
Managing the processes and procedures necessary to stay compliant does get easier as you go, but they’re ongoing and require dedicated attention. Make sure you’re keeping detailed receipts for everything you’re required to do on a recurring basis, and centralize that information for easy access during the audit process.
Be sure to plan accordingly for any engineering work necessary to implement changes to requirements and/or new standards such as:
Increased minimum password length (from 8 to 12 characters)
Requiring MFA for all access to the CDE (cardholder data environment), including hosted servers and endpoints
Use of keyed cryptographic hashes to render stored PANs unreadable
Some requirements aren’t fully in effect until 2025, so you can delay implementation of those or stagger your approach to make the transition to 4.0 more manageable.
Find a good compliance partner and auditor. Ben at SecurityMetrics has been clear and helpful when explaining requirements and expectations over the past few years, and we are grateful for his support!
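The third engineering item above, keyed cryptographic hashes for stored PANs, is the one most teams have to change code for, so here is an added example of what that looks like in practice. This is illustrative code written for this post, not Pagos code and not a reference implementation endorsed by the PCI SSC. It assumes HMAC-SHA256 as the keyed hash, a 256-bit key that in production would come from an HSM or key-management service (the hard-coded key and the PAN below are constructed test values), and it also folds in the 12-character password minimum from the first item as a simple policy check.

```python
import hmac
import hashlib

# Constructed demo key. In a real deployment the key is generated and stored
# by an HSM or KMS and managed like any other cryptographic key; it must never
# live in source control or alongside the hashed values.
DEMO_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)

MIN_PASSWORD_LENGTH = 12  # PCI DSS 4.0 raises the minimum from 8 to 12


def luhn_valid(pan: str) -> bool:
    """Return True if `pan` is 12-19 digits and passes the Luhn checksum."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for index, char in enumerate(reversed(pan)):
        digit = int(char)
        if index % 2 == 1:          # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip spaces and dashes so the same card always hashes the same way."""
    pan = raw.replace(" ", "").replace("-", "")
    if not luhn_valid(pan):
        raise ValueError("input is not a well-formed PAN")
    return pan


def hash_pan(raw_pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the full, normalized PAN.

    An unkeyed digest such as plain SHA-256 can be recomputed by anyone who
    knows the algorithm and can guess the input, so it does not make the PAN
    unreadable; the secret key is what provides that property here.
    """
    if len(key) < 32:
        raise ValueError("key must be at least 256 bits")
    pan = normalize_pan(raw_pan)
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def pan_matches(raw_pan: str, stored_digest: str, key: bytes) -> bool:
    """Constant-time comparison of a presented PAN against a stored digest."""
    return hmac.compare_digest(hash_pan(raw_pan, key), stored_digest)


def password_meets_minimum_length(password: str) -> bool:
    """Policy check for the 4.0 minimum password length."""
    return len(password) >= MIN_PASSWORD_LENGTH


if __name__ == "__main__":
    # Constructed test PAN (a widely published sample number, not a real card).
    sample_pan = "4111 1111 1111 1111"
    digest = hash_pan(sample_pan, DEMO_KEY)
    print("stored digest:", digest)
    print("match:", pan_matches("4111111111111111", digest, DEMO_KEY))
    print("12-char password ok:", password_meets_minimum_length("correct-horse"))
```

Two design points worth noting: the PAN is normalized before hashing so that formatting differences do not produce different digests for the same card, and the digest is compared with `hmac.compare_digest` rather than `==` so that lookup timing does not leak how many leading bytes matched. Rotating the key means re-hashing stored values, so plan that work alongside the key-management procedures your auditor will ask about.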
For a service provider like us, Level 1 PCI DSS certification is essential. Securing it early on has allowed us to build relationships and direct integrations with Visa, Mastercard, Amex, and Discover, so you can tokenize your customers’ cards with Toucan and then keep that information up to date with Loon.
Another Key Network for our Nest: Discover
The most reliable data we can give you comes straight from the source—or in our case, straight from the card brands. As such, we've worked tirelessly to go through the certification process for each network. Then, through a single integration with Pagos, you have access to the best data available directly from Visa, Mastercard, Amex, and now Discover, all without any maintenance work required on your part.
We were second to integrate overall and the first to integrate with Discover as a service provider for global network tokenization. This is an exciting opportunity to partner with them and help validate the effectiveness of their platform. We took on the hard work to make getting up and running—in compliance with industry standards, of course—as quick as possible for you. Plus, one integration with Toucan by Pagos gives you access to network tokenization for Discover, Mastercard, Visa, and more to come!
Maintaining security standards and certifications is a collaborative effort: technology, product, and community/people team members at Pagos all contribute to meeting these requirements, and everyone plays a role in adhering to secure practices. We’re all putting in the work of navigating complexity so you don’t have to. And there’s more work on certifications to come!