PCI Compliance: Getting Credit from Visa and MasterCard
We got a nice little note in our inbox recently. It was from Visa, but it had nothing to do with our credit limit (eye-rolls and drum kicks appropriate).
“Congratulations on validating compliance with the Payment Card Industry Data Security Standard,” it said. “The Visa Global Registry of Service Providers - PCI DSS Validated Entities. . . acknowledges service providers that have shown their commitment to security by meeting the requirements of the PCI Standard. We appreciate your continued support and commitment to safeguarding the payment industry.”
I mentioned over the summer that we were headed into our 2012 annual audit and had finally been listed on the MasterCard PCI Compliance Service Providers List and with this note, we are now finally listed on Visa’s. This was timed with our receipt of our 2012 report card, and it tells us we successfully completed our annual re-audit. This shouldn’t be a big deal, but for several reasons, it absolutely is.
First, and without ambiguity, we’re not just the only API management services provider to achieve and offer our clients PCI compliance, we’ve now done it for the second time (compliance has to be re-certified every 12 months).
Moreover, the second round of certification is more difficult than the first—the tests are harder, the scrutiny more stringent. We’re fine with that. We went through the audit cycles and did the remediation work necessary, because we know security is not a static issue. New threats are always emerging, and changes are needed not just to keep pace but to stay ahead.
But perhaps most importantly, it’s a big deal because we know that this makes our customers’ lives easier.
It’s easy enough to say that PCI-DSS Level 1 represents the highest level of security in handling payment information, and can only be achieved through a rigorous third-party audit. More specifically, it means that at Mashery, our development, computing and data environments meet numerous standards for secure operations management. This includes regular security scans, monitoring and alerts to protect against attacks, strict change control, extensive code reviews and a robust incident response. It also features secure software design, including training our engineers in OWASP.
To those outside the API or security worlds, this is IT jargon. But to those actually charged with the responsibility of getting critical commerce applications up and running, it’s a huge obstacle that, because of our certification, takes some of the pain away.
In this vein, we were struck by what we heard from our friend and customer, Jeffrey Schaubschlager, Sr. Product Manager, Open APIs & Emerging Platforms, at Best Buy. At the recent BAPI conference in San Francisco, he said right at the beginning of his presentation that APIs are now “table stakes, period.” With so many devices, form factors and applications coming down the pike, he noted, companies have to get out of the prediction business and build a platform that can handle every kind of application while still generating the data needed to support the business. He laid out the steps involved in getting things done—making such as fundamental change is difficult—and one critical aspect is speed: “You need to do it as soon as possible.” There are typically many kinds of internal resistance that have to be overcome, and external obstacles such as compliance restrictions can torpedo the entire project.
Those development engineers mentioned earlier don’t want to worry about PCI-DSS; they need to place their emphasis on tasks such as building new transaction capabilities and offering new functionality. With PCI-DSS compliance, the Mashery SaaS API Management platform removes a major hurdle and offers the best time to market.
That’s not just good technology, it’s good business.