PCI DSS Compliance

Maxim Yaskevich


PCI DSS stands for Payment Card Industry Data Security Standard. PCI DSS is a globally implemented information security standard that applies to all stakeholders who participate in the card payment process. It was developed to protect cardholder data and payment account data at every stage of the card payment lifecycle. The Standard has 6 overarching goals:

  • Build and maintain a secure network.
  • Protect cardholder data.
  • Maintain a vulnerability management program.
  • Implement strong access control measures.
  • Regularly monitor and test networks.
  • Maintain an information security policy.

Being compliant with PCI DSS is mandatory for all entities processing, storing or transmitting cardholder data. Major industry players, including the card schemes Mastercard and Visa, expect or require their service providers to be PCI DSS compliant.

Intergiro and PCI DSS Compliance

Intergiro launched into the business banking landscape in August 2018 with its flagship business account, offering simple business banking to corporate users without the hassle of visiting a branch and waiting weeks to get started. This provided a smooth entry for us into a market that was rapidly becoming flooded with newcomers. By focussing initially on corporate customers (as opposed to individuals), we have been able to establish a stable infrastructure and core banking platform in preparation for the future.

With the foundation in place, the next frontier was card issuing. Executing transactions for corporate users normally requires the use of a card. The objective for Intergiro is to own the full regulatory and compliance stacks, so outsourcing this part was never on the table. The goal of becoming a card issuer meant that we had to achieve PCI DSS certification as a Level 1 Service Provider.

In mid-2019, we dived into our PCI DSS implementation project. After facing many challenges and frustrations, we came through the final audit 9 months later with great success, bearing the coveted Level 1 Service Provider certification. The team still carries the scars from that; we'd happily share war stories with you.

Our Integrate product now extends our investment in card issuing to our Banking-as-a-Service (BaaS) customers. Using our API-based card programme, customers can offer cards and accounts to their end users without going through the same pain we did to certify as a PCI DSS Level 1 Service Provider. While we remove this primary compliance requirement, the PCI burden is not lifted entirely: our Integrate customers are still required to carry a certain measure of PCI responsibility.

Achieving PCI compliance for your business

Hopefully, after reading this article, you will understand a bit more about what PCI DSS involves. The harsh truth is that obtaining PCI DSS compliance certification is not a quick and easy process. However, the good news is that Intergiro can help you with compliant solutions.

Our engineering teams have been hard at work creating technical solutions that limit the impact of PCI DSS on you as a customer through our PCI-less technology. We guide our customers through the whole process, performing a review of your PCI DSS compliance requirements and working out the best way for you to meet them while keeping the burden as light as possible.

Completing a PCI DSS SAQ D

As part of your obligation under PCI DSS, you will be required to complete a Self-Assessment Questionnaire (SAQ). The type of questionnaire you need varies depending on the industry you operate in and the specific card or payment services you provide. SAQ D is the most exhaustive Self-Assessment Questionnaire for PCI DSS. SAQ D is a requirement for all companies who are not service providers but participate in the card-issuing process through the handling and processing of Cardholder Data (CHD) and Secure Authentication Data (SAD). This avoids having to undergo an audit and submit a PCI DSS Report on Compliance (ROC), but it is more comprehensive than other options such as SAQ A and SAQ B, which are aimed at card-acquiring merchants.

Intergiro will help you to assess your requirements, and the wealth of experience (and battle scars) carried by our team means we are on hand to assist at each step of the way, removing many of the unknown factors. PCI DSS compliance can be complex, challenging and costly, and potentially a showstopper for businesses wanting to enter the card game. Partnering with Intergiro means that you are not alone in facing this, and we are committed to easing the process and lightening the burden as much as possible.