TL;DR: Meeting all 12 requirements of the Payment Card Industry Data Security Standard (PCI DSS) is a pivotal step for any business that touches card data, let alone a payment gateway. Julián Arenas has worked with payment gateways for quite some time, and his expertise guides us through what project managers, developers, and stakeholders should consider when complying with PCI DSS.
As a developer at Blankfactor, one of the most fascinating projects I've worked on is the development of a payment gateway and meeting all the technical and documentation requirements established by the card brands and international organizations. I've handled everything relating to the Payment Card Industry Data Security Standard (PCI DSS), which is why I'd like to go in depth into every single requirement, why it matters, and how to ensure your gateway complies with it.
Rising global security concerns
Despite the supply chain issues, economic uncertainty, and geopolitical instability the world has witnessed in recent years, a PwC survey on economic crime and fraud states that reported fraud and corruption rates have not increased since 2018.
However, when it comes to the tech sector, the story is a little different. The same report indicates that, in the past two years, 52% of technology, media, and telecommunications companies with over US$10 billion in revenue have experienced some sort of fraud. Cybercrime, customer fraud, and asset misappropriation pose the greatest risks to these companies.
Even though the impact of organized crime rings rose in the past 24 months, most organizations responding to the survey said they were already strengthening their fraud-detection capabilities. Companies must also strike a balance between a smooth customer experience and detecting fraud in time, which is why centralized systems that can track the full life cycle of a user and their transactions matter.
What are payment gateways?
Blankfactor has previously talked about payment gateways and how they work. In short, a gateway is the front-end and back-end technology that captures card details (credit or debit) at checkout for online stores and e-commerce sites, and it can also serve traditional brick-and-mortar businesses. Think of a payment gateway as the online version of a card reader: it facilitates the transaction by securely collecting and forwarding the card information during checkout.
Payment gateways are different from payment processors, which are the systems that move the transaction through the card networks. You need both to accept payments and run your business successfully. Consider the gateway as the start and finish line and the processor as the road itself. When a customer buys an item, their card data is encrypted and passed through the payment gateway to the processor. The processor then contacts the card network and the issuing bank, which checks that the cardholder has sufficient funds or credit and approves or declines the transaction; the result travels back through the gateway to the merchant.
Creating a payment gateway involves establishing the proper security controls and protocols to ensure user data and resources are safe. The most important framework here is the Payment Card Industry Data Security Standard (PCI DSS), a set of security requirements maintained by the PCI Security Standards Council, which the major card brands founded and whose rules they enforce through their merchant and service-provider agreements.
One step at a time
Security standards establish a baseline for the security measures you should implement and enforce. Regardless of the size of your business, the card brands require PCI DSS compliance of anyone who stores, processes, or transmits cardholder data, and compliance must be validated every year (through a self-assessment questionnaire or an on-site assessment by a Qualified Security Assessor, depending on transaction volume). The standard establishes 12 operational and technical requirements to secure and protect card data. Let's go over every one of them:
Install and maintain a firewall configuration to protect cardholder data
This goes beyond simply installing a firewall in front of your gateway. You have to document the rule set and justify every port, protocol, and service it allows, review the rules at least every six months, log every change, and end with an explicit deny-all. There are many ways to comply because a firewall is a concept with several implementations: on your own servers you can run host firewalls (iptables, nftables, or the Windows firewall), while in the cloud you use security groups, network ACLs, and private subnets with routing rules that separate the cardholder data environment (CDE) from the rest of your network. Good segmentation also shrinks the set of systems that are in scope for the assessment. (PCI DSS v4.0 renames this requirement to "network security controls" to cover these non-traditional firewalls.)
Finally, be clear about how the firewall is installed, who is allowed to change rules, and how often your team reviews them.
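As an added example (not Blankfactor's code, and not tied to any vendor's rule syntax), the following Python script audits a constructed, security-group-style rule set for a hypothetical CDE against an allowlist policy: only the load balancer subnet may reach the application on 443, only the application subnet may reach the database ports, and the set must end in an explicit deny-all. The subnets, rule names, and ports are assumptions made for the example.

```python
"""Added example (not Blankfactor's code): audit a cloud security-group style
rule set for a cardholder data environment against an allowlist policy."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Hypothetical CDE layout, constructed for this example.
LOAD_BALANCER_NET = ipaddress.ip_network("10.0.1.0/24")  # only legitimate source of app traffic
APP_NET = ipaddress.ip_network("10.0.2.0/24")            # only legitimate source of DB traffic
DB_PORTS = {5432, 3306, 1433}                             # PostgreSQL, MySQL, SQL Server
WORLD = "0.0.0.0/0"

# Destination port -> the only source network allowed to reach it.
POLICY = {443: LOAD_BALANCER_NET, **{port: APP_NET for port in DB_PORTS}}


@dataclass(frozen=True)
class Rule:
    name: str
    source: str      # CIDR the rule admits traffic from
    port: int        # destination port (0 = any, used by the deny-all rule)
    action: str = "allow"


def is_world_open(cidr: str) -> bool:
    """True if the source covers the public internet (0.0.0.0/0 or any non-private range)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == 0 or not net.is_private


def audit(rules: list[Rule]) -> list[str]:
    """Return one finding per rule that violates the CDE allowlist policy."""
    findings: list[str] = []
    for rule in rules:
        if rule.action != "allow":
            continue
        source = ipaddress.ip_network(rule.source, strict=False)
        allowed_from = POLICY.get(rule.port)
        if allowed_from is None:
            findings.append(f"{rule.name}: port {rule.port} is not in the CDE allowlist")
        elif not source.subnet_of(allowed_from):
            origin = "the whole internet" if is_world_open(rule.source) else rule.source
            findings.append(
                f"{rule.name}: port {rule.port} reachable from {origin}; "
                f"policy allows only {allowed_from}"
            )
    # Requirement 1 expects an explicit 'deny all other traffic' as the last rule.
    if not rules or rules[-1].action != "deny" or rules[-1].source != WORLD:
        findings.append("rule set does not end with an explicit deny-all rule")
    return findings


# Constructed rule set with two mistakes a review should catch.
RULES = [
    Rule("lb-to-app", "10.0.1.0/24", 443),
    Rule("app-to-db", "10.0.2.0/24", 5432),
    Rule("helpdesk-to-db", "10.0.9.0/24", 5432),  # office subnet talking to the DB directly
    Rule("ssh-from-anywhere", WORLD, 22),          # "temporary" rule that never got removed
    Rule("deny-all", WORLD, 0, "deny"),
]

if __name__ == "__main__":
    for finding in audit(RULES):
        print("FINDING:", finding)
```

Running the script reports the helpdesk subnet reaching PostgreSQL and SSH open to the internet. The same check can run in CI against exported cloud rules, which is how you keep the six-monthly review from being the only time anyone looks.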
Don’t use vendor-supplied defaults for system passwords and other security parameters
Most international security standards talk about hardening, the practice of reducing the attack surface of your systems. One of the most important hardening rules is not leaving default security parameters in place: default passwords, default administrative accounts, sample databases, default SNMP community strings, and services you do not need. Attackers know every vendor default and try them first. If your business runs a database server with its default configuration, an attacker who finds it knows exactly which account names and weaknesses to try. Leaving a database on its default port makes it easier to locate, and changing the port makes it slightly harder to find by a casual scan, but a port scanner will still find it, so treat that as a minor gain and focus on removing default credentials, disabling unused services, and applying a documented hardening standard (for example the CIS benchmarks) to every system in scope.
Protect stored cardholder data
This refers to what you store and how. Start by storing as little as possible: keep cardholder data only where there is a business need, define a retention period, and securely delete data once it expires. Sensitive authentication data (the CVV/CVC, full magnetic-stripe or chip track data, and PINs) must never be stored after authorization, even encrypted. Where you do store the primary account number (PAN), it must be rendered unreadable with one of the methods the standard accepts: truncation, a keyed one-way hash, index tokens with the PAN held in a separate vault, or strong encryption with documented key management (keys stored separately from the data, rotated, and accessible to as few people as possible). When it is displayed, the PAN must be masked (typically the first six and last four digits at most). Finally, audit regularly who can access the cardholder databases and under what terms.
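The following is an added example, not Blankfactor's code, of the storage rules above: it validates the PAN, masks it for display, derives a keyed one-way index token so repeat cards can be recognized without keeping the PAN, and refuses to persist sensitive authentication data. The key is generated in-process here only for illustration; in a real gateway it lives in an HSM or KMS. The test card number is the well-known Visa test PAN and the field names are assumptions.

```python
"""Added example (not Blankfactor's code): render a PAN unreadable before storage
and refuse to persist sensitive authentication data (PCI DSS Requirement 3)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical: the index key belongs in an HSM or KMS, never next to the data it protects.
INDEX_KEY = secrets.token_bytes(32)

# Sensitive authentication data that must never be stored after authorization.
FORBIDDEN_AFTER_AUTH = {"cvv", "cvc", "cav2", "cid", "track1", "track2", "pin", "pin_block"}


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: catches typos before a bad PAN ever reaches storage or the processor."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four at most, the rest replaced."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_index_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the PAN, usable as a lookup index (e.g. to spot repeat cards)
    without storing the PAN. A plain SHA-256 is not enough: PANs have little entropy, so
    anyone holding the table could enumerate them. The key must stay out of the database."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class StoredCard:
    masked_pan: str
    pan_token: str
    expiry: str


def prepare_for_storage(authorization: dict, key: bytes = INDEX_KEY) -> StoredCard:
    """Convert an authorization record into the only fields the gateway is allowed to keep."""
    leaked = FORBIDDEN_AFTER_AUTH & set(authorization)
    if leaked:
        raise ValueError(f"refusing to store sensitive authentication data: {sorted(leaked)}")
    pan = authorization["pan"].replace(" ", "")
    if not luhn_ok(pan):
        raise ValueError("invalid PAN")
    return StoredCard(mask_pan(pan), pan_index_token(pan, key), authorization["expiry"])


if __name__ == "__main__":
    # Constructed input using a well-known test card number.
    print(prepare_for_storage({"pan": "4111 1111 1111 1111", "expiry": "12/30"}))
```

The HMAC approach satisfies the "keyed hash" option; if you need to recover the full PAN later (for refunds or recurring billing), use a token vault or strong encryption with separate key management instead, because a one-way hash cannot be reversed by design.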
Encrypt transmission of cardholder data across open, public networks
Cardholder data that crosses an open or public network (the internet, wireless networks, mobile networks) must travel under strong cryptography. In practice that means TLS 1.2 or later with strong cipher suites, certificates validated against a trusted authority, and no fallback to SSL or early TLS. Keep PANs out of unencrypted end-user messaging such as email, chat, or SMS. Private subnets help by keeping internal traffic off public networks, but every point where cardholder information leaves your environment (checkout pages, calls to the processor, webhooks, partner APIs) is a transmission channel that has to meet this requirement.
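As an added example, not Blankfactor's code, here is a TLS client configuration in Python's standard `ssl` module for the gateway's outbound calls that carry cardholder data, together with an audit function that flags the settings a weakened context gets wrong. The `dev_shortcut_context` function is a constructed illustration of the "disable verification to make the error go away" pattern, not something from the original article.

```python
"""Added example (not Blankfactor's code): a TLS client configuration for calls that carry
cardholder data (PCI DSS Requirement 4), plus an audit that flags a weakened one."""
from __future__ import annotations

import ssl


def pci_client_context() -> ssl.SSLContext:
    """Context for outbound calls to the processor or any endpoint that receives a PAN."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # check_hostname=True, CERT_REQUIRED by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSL and early TLS are not "strong cryptography"
    ctx.options |= ssl.OP_NO_COMPRESSION           # TLS-level compression leaks secrets (CRIME)
    ctx.load_default_certs()                       # OS CA store; pin or restrict for the processor API
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the settings that would let cardholder data cross a public network unprotected."""
    findings: list[str] = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS 1.1 or older")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: any certificate, forged ones included, is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for another host is accepted")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is enabled")
    return findings


def dev_shortcut_context() -> ssl.SSLContext:
    """The 'fix' for a certificate error that tends to leak from development into production."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    print("hardened:", audit_tls_context(pci_client_context()) or "no findings")
    print("dev shortcut:", audit_tls_context(dev_shortcut_context()))
```

`ssl.create_default_context()` already gives you a sensible baseline; the explicit version shows which knobs matter so you can recognize when a library or an environment variable has turned one off. Run the audit over the contexts your HTTP clients actually use, not over a fresh one built for the test.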
Use and regularly update anti-virus software or programs.
This point may seem self-explanatory, but it deserves context. The requirement asks for anti-malware software on all systems commonly affected by malware, kept current with updated signatures, running periodic scans, and producing logs that users cannot disable. Keeping systems patched and hardened is part of the same discipline (and is covered in more detail by the next requirement). In a container-based gateway, the equivalent control is an image-scanning step in the deployment pipeline that evaluates the vulnerabilities and risky packages in every new build before it reaches the cardholder data environment.
Develop and maintain secure systems and applications
Some of the requirements are closer to process and documentation, and this one is a good example. Businesses need a written secure development process that states which security practices developers follow (input validation, authentication and session handling, protection against injection and the other common web vulnerabilities), where security reviews and testing sit in the development cycle, how changes are controlled and approved, and what the security pipeline looks like for that specific project. It also covers patching: you need a process to learn about new vulnerabilities in what you run and to install critical security patches within a month of release.
Restrict access to cardholder data by business need to know
Documentation for PCI should include who the stakeholders are within the security pipeline and who is responsible for each step or concern. Think of requirements six and seven as part of a manual that guides your business on security. This requirement defines the protocol for any individual who needs access to the data: access is granted by role, limited to the least privilege the job requires, and denied by default.
Assign a unique ID to each person with computer access
Unique user IDs are necessary for a proper audit trail: which user performed which action, and on which resource. Shared or generic accounts break that trail. This requirement is more involved than it looks: it includes password policies (length, complexity, rotation, lockout after repeated failures), multi-factor authentication for administrative and remote access into the cardholder data environment, prompt removal of accounts when people leave, and controls to ensure every credential meets the standard.
Restrict physical access to cardholder data
In our case, Blankfactor hasn't had to implement much of this requirement because it applies to physical facilities: on-premise servers, but also paper records, backup media, and the point-of-interaction devices a brick-and-mortar merchant uses. PCI DSS provides specific guidance on controlling and logging who enters those spaces and handles that media: access badges, visitor logs, cameras at entry points, and secure destruction of media that is no longer needed.
As I mentioned, however, we commonly build payment gateways on cloud-only services, where the physical controls are the cloud provider's responsibility and are typically covered by the provider's own PCI DSS attestation of compliance, which you should obtain for your own assessment.
Track and monitor all access to network resources and cardholder data
Every business should keep careful control of who accesses cardholder data and under what circumstances. Beyond the documentation, PCI requires you to log all individual access to cardholder data, all actions by administrative users, all authentication attempts, and any changes to the logs themselves, with synchronized clocks across systems, and to review those logs daily (automated tooling is expected). Logs must be retained for at least a year, with the last three months immediately available. We're dealing with very sensitive information, so database access and management should be controlled closely.
Whenever attackers breach a system, they try to erase the indicators that prove their presence, which is why logs must be protected from modification, for example by shipping them immediately to a separate, write-restricted collector and checking their integrity. After an incident, an intact log shows who accessed the database last and what they did.
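An added example, not Blankfactor's code, showing one way to make a cardholder-data access log tamper-evident as described above: each entry names an individual user (requirement 8) and carries an HMAC over its contents and the previous entry's HMAC, so deleting or editing an entry breaks the chain. The key, user names, resources, and timestamps are constructed for the example; in production the key would be held by a separate log collector, not by the systems being audited.

```python
"""Added example (not Blankfactor's code): a hash-chained, MAC-protected access log for
cardholder data, so that deleting or editing an entry is detectable (Requirements 8 and 10)."""
from __future__ import annotations

import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64                     # 'previous MAC' of the first entry
SHARED_ACCOUNTS = {"root", "admin", "administrator", "shared", "service"}


class AuditLog:
    """Append-only log where each entry carries an HMAC over its contents and the previous
    entry's HMAC. The key is hypothetical and would be held by the log collector, not by the
    application or database administrators whose actions are being recorded."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: list[dict] = []
        self._prev = GENESIS

    def _mac(self, entry: dict) -> str:
        body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def record(self, user_id: str, action: str, resource: str,
               outcome: str = "success", when: str | None = None) -> dict:
        # Requirement 8: every action is attributable to one individual, never a shared account.
        if not user_id or user_id.lower() in SHARED_ACCOUNTS:
            raise ValueError(f"entries must carry an individual user ID, got {user_id!r}")
        entry = {
            "ts": when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "user": user_id,
            "action": action,
            "resource": resource,
            "outcome": outcome,
            "prev": self._prev,                # links this entry to the one before it
        }
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        self._prev = entry["mac"]
        return entry

    def verify(self, entries: list[dict] | None = None) -> tuple[bool, int]:
        """Return (True, -1) if the chain is intact, else (False, index of the first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries if entries is None else entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body.get("prev") != prev or not hmac.compare_digest(self._mac(body), entry.get("mac", "")):
                return False, i
            prev = entry["mac"]
        return True, -1


def tamper_demo() -> dict[str, tuple[bool, int]]:
    """Constructed scenario: three accesses, then an attacker deletes one entry and edits another."""
    log = AuditLog(b"\x2a" * 32)       # hypothetical key
    log.record("jarenas", "SELECT", "cards/4f1c", when="2024-03-01T10:00:00+00:00")
    log.record("dba-mlopez", "UPDATE", "cards/4f1c", when="2024-03-01T10:00:05+00:00")
    log.record("jarenas", "SELECT", "cards/9b77", "denied", when="2024-03-01T10:00:09+00:00")

    deleted = [json.loads(json.dumps(e)) for e in log.entries]
    del deleted[1]                     # hide the UPDATE
    edited = [json.loads(json.dumps(e)) for e in log.entries]
    edited[0]["user"] = "nobody"       # reattribute the first access

    return {"intact": log.verify(), "deleted": log.verify(deleted), "edited": log.verify(edited)}


if __name__ == "__main__":
    for name, result in tamper_demo().items():
        print(f"{name:8s} -> {result}")
```

The chain tells you that something changed and where, not what the original said; that is why the entries still need to be shipped off-host promptly, so the collector's copy is the one you trust during an investigation.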
Regularly test security systems and processes
We need to check that the security controls actually work. That means quarterly internal and external vulnerability scans (the external ones by an Approved Scanning Vendor), annual penetration tests of the network and applications plus retests after significant changes, intrusion detection at the perimeter and at critical points in the cardholder data environment, and change detection (file integrity monitoring) on critical files. It also means periodically checking that every role in the pipeline executes its allotted tasks.
Maintain a policy that addresses information security for all personnel
The final requirement states that every PCI-compliant business must maintain an information security policy that ties the other requirements together: an annual risk assessment, security awareness training for staff, screening of personnel, management of service providers that touch cardholder data, and an incident response plan that is tested at least annually. Thorough documentation gives auditors, users, and developers confidence that there is a defined way to handle every scenario.
This overview helps explain why creating and maintaining these services is so demanding. Every business needing a secure and reliable payment gateway should seek help from experienced companies. If you have any further questions about these topics, do not hesitate to contact us and check out our payments services.