By Michael Kalac, Chief Information Security Officer, Paymentus
The PCI Data Security Standard (PCI DSS) is a global standard that provides a baseline of technical and operational requirements designed to protect payment data. Recently, PCI DSS v3.2.1 was retired in favor of PCI DSS v4.0, which was officially implemented in Q1 of 2024.
PCI DSS v4.0 was enacted to meet four essential goals:
- Continue to meet the ongoing security needs of the payment industry
- Promote security as an ongoing process
- Add flexibility for different methodologies (i.e., compliance can no longer be “one-size-fits-all”)
- Enhance validation methods
The Requirements of PCI Compliance
PCI regulatory structures are in place to safeguard all parties within a card transaction. Consumers, billers and card issuers alike benefit from these strict standards. However, the effort of achieving and maintaining PCI certification can be a big lift for any company whose business is not processing credit card payments. Billers can reduce the scope of their PCI exposure by engaging a third-party payments provider, such as Paymentus, to handle the lion's share of those operations.
While maintaining those operations (and regulatory requirements) in-house is an option, it is far from ideal. The costs associated with maintaining compliance in that scenario make it untenable for most organizations. Proper maintenance relies on a team of dedicated, specialized experts whose skill sets are not easily replaced. If your organization is considered Level 1 (processes more than six million card transactions annually), you would also be required to engage a third-party auditor known as a Qualified Security Assessor (QSA) to conduct the required annual audit, the cost of which generally starts around $40,000.
An added factor is remediation should an issue arise. Aside from the cost and resources involved in remediating surfaced audit issues, billers operating payments in-house risk being cut off from the major card networks if issues are not resolved in a timely manner.
Reducing PCI Scope for Billers
Paymentus prides itself on working in close collaboration with our clients and delivering the solution that best meets their needs and expectations. Through implementation of the Paymentus solution, a biller can significantly reduce the scope of their PCI responsibilities.
Paymentus is a Level 1 PCI certified service provider, which requires meeting all 12 PCI DSS control requirements.
Paymentus maintains an information security program that is designed to protect Paymentus resources from internal and external security threats, loss and unauthorized disclosure. Our specialized security program is focused on managing and building effective security controls, quickly detecting and responding to incidents, and constantly testing the effectiveness of the program to appropriately manage risk.
Our program is built from the understanding that our entire environment is PCI relevant – leaving no area unprotected or out of PCI scope. Clients can enjoy the peace of mind in knowing they are receiving the highest levels of protection as a standard part of their relationship with Paymentus.
Considerations for choosing a service provider
Properly vetting prospective billing and payment solution partners should begin with a deep understanding of their end-to-end compliance capabilities. But the most important area of focus should be the third-party attestation offered by a QSA. This will provide the objective information necessary to determine whether a provider is built to maximize your organization’s data security.
One last key item is to evaluate the security team and its structure. Proper leadership and dedicated team members are essential in combating today’s expanding threat environment. With the solution provider assuming much of the responsibility for PCI compliance, billers will be able to rely heavily on this team for security support and ongoing maintenance.
Want to learn more about how Paymentus can securely deliver a best-in-class billing and payment experience to your organization? Contact us today to speak with a security expert or request an exclusive 15-minute demo.