A silver widget for PCI DSS compliance

On the list of risks that can derail a healthy company, data breaches loom large. The consequences of a data breach involving sensitive customer information can be severe. Organizations that fall victim sometimes never fully recover from the impact on their sales, stock price, and reputation.

To decrease this risk, the payment industry follows a set of security best practices that are codified as The Payment Card Industry Data Security Standard (PCI DSS). A major, proactive step to protect cardholders and provide clear guidelines to businesses, the standard includes several levels of compliance depending on the volume of transactions processed per year. Enforced by the card networks, penalties for noncompliance with the standard range from $5,000 to $100,000 per month.

Faced with dire consequences, stiff penalties, and aggressive cyber attackers, participants in the payment card ecosystem have ample incentives to comply with the industry standard. But while the desire for compliance may be strong, organizations are finding it increasingly hard to meet PCI DSS requirements. As Verizon’s new 2020 Payment Security Report shows, PCI DSS compliance is falling. According to the report, only 27.9% of organizations achieved 100% compliance in 2019.

What is needed is the proverbial silver bullet that would allow any card program to meet complex security requirements.

The hazard of PCI DSS compliance efforts

The PCI DSS standard includes 12 mandates that range from implementing and maintaining a firewall to restricting physical access to cardholder data and running frequent security system and processes tests. While the mandates are straightforward, designing, implementing, and maintaining robust and resilient control environments can get very complex, especially for large organizations. Without a detailed execution plan, full compliance is nearly impossible to achieve.

“Poor performance on compliance assessments isn’t a spontaneous act; rather, it’s the outcome of a sequence of activities and events based on strategic planning — or lack thereof,” authors of the Verizon report observed.

Having a plan is critical, but even the most comprehensive plan can be inconsistently executed. Compliance requires motivated leadership to coordinate multiple security layers — working together in control systems that together make up the control environment — on an ongoing basis. Systems must be monitored 24/7 to ensure they are meeting their objectives. Meanwhile, the ever-changing nature of security threats means controls need to be continuously tested for effectiveness. This can require participation from across the business and take employees away from their day-to-day responsibilities. Capabilities and processes must be developed over time, requiring sustained executive commitment.

“The typical organization is not prepared to manage the countless areas that need to be controlled across a payment IT infrastructure,” Dennis Keglovits, vice president of IRM Services, Lockpath, writes in Corporate Compliance Insights. The Verizon report points out that the average tenure of a chief information security officer is two years or less.

While PCI DSS is typically thought of as applying to merchants who accept payment cards, all entities that store, process, and transmit cardholder data (CHD) or sensitive authentication must comply. For companies that seek to incorporate cards into innovative payment solutions, requirements for PCI DSS compliance can pose a real obstacle.

Widgets offer bulletproof compliance

Fortunately, Marqeta has a solution that enables companies with card programs to meet complex security requirements and protect cardholder data. Marqeta’s PCI-compliant widgets allow organizations to securely embed and display sensitive card data using an iframe. Program admins can activate cards and manage the card lifecycle without storing, processing, or transmitting sensitive data.

In this way, PCI-compliant widgets act as a silver bullet for PCI compliance and a way to avoid both network penalties and data breaches that can compromise cardholder information. “Using proven, off-the-shelf solutions allows you to protect cardholder data and maintain compliance with regulations while allowing you to focus on your business,” said James Moschou, senior product manager, developer tooling, at Marqeta.

Marqeta’s widgets work with cards that are not issued by Marqeta and allow you to create push-to-card disbursements. While investing in homegrown PCI compliance is a must for some companies, others will benefit from using alternative solutions— like PCI-compliant widgets — that offer security as an ongoing service.