Chris Lippi | VP, Products
August 03, 2012

Beware: ‘PCI-Ready’ Is Not PCI Compliance

 

There aren’t many issues left that we can see in terms of black and white. Everything has nuance—there are shades and complexities, levels of acceptance, and so on. Here’s an exception. If you handle credit card data, your product or service is either PCI-compliant, or it’s not. Period.

I know this isn’t a fun topic. You want to focus on launching a commerce API but instead you spend time on figuring out how to comply with a long list of confusing rules. It’s a hassle and an obstacle. But it’s also vital. Let’s get the legal stuff out of the way. The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements created to ensure that every company that processes, stores or transmits credit card information has in place a secure environment.

These rules apply to any merchant or service provider, regardless of size, that does business involving cardholder data. I mention this lack of nuance now after talking to folks in the API business and watching vendors in our space use terms like “PCI-Ready.” I’ve been in this business for quite a while but I actually have no idea what it means to be “PCI-Ready.” (Is it that the software isn’t full of security holes an auditor will flag?)

Actually, much of PCI-DSS is about process: Have you installed an operational, engineering and network engineering process that complies with the standard? “Ready” is absolutely not the same as compliant—in fact, it’s a misleading tactic to make it sound like it’ll be easy. “PCI-Ready” is even more dubious when the vendor is hosting the solution for you, as it indicates that the sales and marketing group has taken over.

Here’s the reality: If you install a vendor’s product in your or your sub-contractor’s data center and it processes credit card data in the clear, it is in the scope of your audit. Period. If you hire a vendor to host their product in their or their sub-contractor’s data center, even if that data center is compliant, they are in the scope of your audit. Period. As a SaaS provider, Mashery is different. As a PCI-DSS compliant service provider, our customers get our Report on Compliance (ROC) and their auditors accept it and move on.

There is no scope increase to their audit activities—nothing vague about it. I wonder how many merchants beyond those I canvassed are now suffering because they didn’t understand the details. For the record, this can involve a serious, and unexpected, reallocation of resources, not to mention critical delays. And since launching without compliance is out of the question, these merchants are caught between a ROC and a hard place.

We always knew that eCommerce would be important in the API business, and thus PCI compliance would be a key factor in helping our customers drive successful programs. Back in 2010, we started educating ourselves on every nuance in the process. We worked on our software, we worked on process, and we worked on our operational posture for a long time. Late in the year, we even brought in a very capable team of ‘white hat’ consultants to test us. We continued to update our service to ensure we were ready for the final test. We were.

Last year, after the usual thorough audit, Mashery became the first API management company to achieve PCI-DSS service provider compliance certification. A month ago, thanks to a long wait time, we were finally included in the official MasterCard PCI Compliance Service Providers list. (We also expect to be on Visa’s list soon.) As a service provider, our API management offerings are fully PCI-compliant.

Your compliance team won't have to add weeks or months to your API release schedule because it hasn’t been audited; we’ve done the work, so you don’t have to. Of course, this is not a static process. Like every other compliant company, we will be audited again this month for our annual update. It’s on ongoing process where you need to put secure coding practices in place, add time to your release cycles, make sure any hosting partners you use are compliant and so on. We continue to invest so our customers don’t need to worry about this aspect of their own compliance.

Again, I know this is not what companies want to be thinking about when launching new online businesses. Merchants want to focus instead on building transaction capabilities into every potential customer touch point and moving quickly to address new opportunities. That’s why we provide a SaaS API Management platform that is PCI-DSS compliant, offering the best time to market for your commerce APIs, allowing you to focus on getting your innovations out the door. We’ve done the work, we continue to invest, and we offer you one less thing to worry about.