As organisations evaluate their operations in the wake of COVID-19 restrictions and evolving organisational, customer and technology priorities, keeping payment compliance top of mind is critical. Ensuring your payment solutions are compliant is a demanding job, requiring regular reporting, comprehensive audits, and skilled, knowledgeable staff.
The security of cardholder data is paramount. To protect payment information, organisations must either install payment software onsite and maintain their own PCI-DSS compliance for the environment that runs it, or partner with a Software as a Service (SaaS) vendor or application service provider whose hosted service has been assessed against PCI DSS requirements.
Payment security standards: PCI-DSS and PA-DSS explained
Payment security standards are published by the Payment Card Industry Security Standards Council (PCI SSC), a body founded by the major payment brands (Visa, Mastercard, American Express, Discover and JCB). The card brands and acquiring banks, not the Council itself, enforce the standards on merchants and service providers through their contracts.
“These standards – known as PCI-DSS (Payment Card Industry – Data Security Standards) look at the security of environments that store, process or transmit payment account data,” says Alan Smith, Director of Operations at Nelnet International. “This includes standards for security management, policies and procedures, network architecture, software design, security awareness training, logging, reporting and other critical protective measures.”
PCI-DSS is complemented by the Payment Application Data Security Standard (PA-DSS), a set of requirements for payment applications that are sold, distributed or licensed to third parties. PA-DSS helps software vendors build payment applications that support a customer's PCI-DSS compliance when the software is installed; it does not, on its own, make the installing organisation compliant. (The PCI SSC has since retired PA-DSS in favour of its Software Security Framework, and existing PA-DSS listings expired in October 2022.)
PA-DSS validated software must meet PCI DSS standards relating to:
- Providing a process for securely deleting stored cardholder data, and never storing sensitive authentication data (full track data, CVV2, PIN blocks) after authorisation
- Supporting secure configuration and timely patching of the systems the application runs on
- Supporting approved file integrity monitoring, anti-virus and audit logging on the systems that host the software
PA-DSS validated payment software requires a significant ongoing compliance effort
“When a business buys a PA-DSS validated product, they receive a software application. Importantly, the responsibility for infrastructure to support that application, the installation of the application in a PCI-DSS compliant manner, and the ongoing maintenance and administration of the application sits with that organisation,” explains Alan. “It’s a lot of work for an in-house IT team.”
Validation requirements vary with an organisation's merchant or service-provider level, which the card brands and the acquiring bank set according to annual transaction volume. A smaller business may be able to validate with a Self-Assessment Questionnaire (SAQ) covering the security of its cardholder data environment; organisations that process high transaction volumes must have an on-site assessment by a PCI Qualified Security Assessor (QSA), who produces a Report on Compliance (ROC).
“A PCI QSA can take two or three months to confirm an organisation is meeting its compliance requirements. A QSA will ask for evidence, interview employees, and undertake a hands-on review of devices, files and procedures to ensure your business meets all PCI-DSS requirements,” says Alan.
“Most people are unaware that many non-technical requirements are evaluated, including hiring practices, security awareness training, roles and responsibilities, maintaining and testing incident response, and the creation of policies, standards and processes to support the intent of the PCI-DSS standards.
“Technical requirements include periodic reviews of firewalls and routers, file integrity monitoring, anti-virus and malware protection, backup and restoration validation, logging activities, adherence to retention requirements, timely patching of devices, operating systems and applications, and vulnerability management, including internal and external quarterly scans and annual penetration tests.”
A hosted solution relieves the burden of PCI-DSS compliance
Organisations using vendor-hosted solutions or SaaS software can reduce their compliance scope substantially, because the service provider is responsible for the security of the hosted environment. The merchant remains accountable for its own PCI-DSS compliance, however: it still needs to confirm the provider's compliance status at least annually, keep a written agreement in which the provider acknowledges its responsibility for the cardholder data it handles, and document which PCI-DSS requirements each party manages (PCI DSS Requirement 12.8).
“When a business uses a PCI-DSS validated solution like Xetta, they have peace of mind that their payment solution meets the PCI standards,” says Alan.
With Xetta as the hosted solution, Nelnet International is a Level 1 PCI-DSS service provider, which means that:
- A PCI-DSS assessment is completed annually by an external PCI Qualified Security Assessor.
- We have a vulnerability management process in place that includes regular scans and penetration testing, and timely patching based on risk.
- The Xetta application is developed, installed, configured and maintained to meet or exceed PCI-DSS requirements.
- Security appliances are in place and monitored, and engineering staff are alerted to any anomalies.
- Incident response, disaster recovery and business continuity plans are in place, tested and validated.
“PCI compliance is embedded into our BAU processes,” explains Alan. “We monitor security controls, review our hardware and software to ensure they meet standards, evaluate changes to the environment or our organisational structure, and perform periodic reviews to confirm all PCI-DSS requirements are in place. Our people follow secure processes, and we ensure that appropriate evidence is maintained for PCI-DSS compliance assessment.
“Xetta’s cybersecurity team also works closely with the compliance and security experts at our parent company, Nelnet, Inc. We do all this to give our customers assurance that we’re serious about data protection and providing a payment solution that sets the benchmark when it comes to PCI-DSS compliance.”