PCI Compliant: Do your APIs need a PCI DSS certification? (and how this can help with LGPD and Open Banking)

05What is a PCI DSS certification?PCI DSS (Payment Card Industry - Data Security Standard) is a high level security standard for the entire ecosystem of companies that record or process credit and debit card data - covering everything from electronic devices to applications and infrastructures.

This standard was established by the PCI Security Standards Council (PCI SSC), formed by the major card brands, to make the electronic payments ecosystem more secure and ensure customer compliance and trust.

2305

Do my APIs need to be PCI compliant?

Any company that accepts credit/debit card payments, by processing or storing data from these cards, is indicated to have a PCI DSS certification. This scenario is increasingly common, especially for companies involved in sectors such as Retail, Financial Services and technology providers.

In the event that your APIs carry any information related to payment cards, then it is very important that you and the technical partners involved in supporting these APIs meet the requirements and have a PCI certification.

Why is a PCI certification so important?‍

People increasingly use credit and debit cards (physical or virtual) instead of cash to make payments. These electronic media promote ease of use not only for consumers, but also for criminals.

Using simple-to-use exploit kits, hackers from all around the world exploit vulnerabilities in systems and perform crimes on a large scale, causing enormous damage and becoming a major risk to businesses. This risk involves not only external vulnerabilities, but also threats of internal origin.If data leakage occurs, it can lead to serious consequences such as: penalties, fines, loss of customer trust and future sales, additional compliance costs, ban on processing payments with the cards, and even bankruptcy.

‍According to the 2019 Cost of a Data Breach report, data leaks in 2019 generated an average cost of $3.92 million each for companies.Without a PCI certification, companies are unable to close deals with many companies in the payment ecosystem. Obtaining a PCI certification means that key data security practices are being applied.

‍Therefore, having a PCI certification and PCI compliant partners can bring benefits such as

• Higher level of data security
• Differentiated qualities in relation to Competitors
• ReductionofRisks
• Increase in consumer confidence
• Ease of becoming a supplier to large companies that handle card payments
• Being ahead of others and shortening the preparation for privacy regulations like GDPR, LGPD and even Open Banking.

What does a PCI certification require?‍

PCI recommends good information security practices and provides a clear methodology of what must be achieved.

The PCI certification seeks to achieve 6 objectives, and, for this, 12 requirements have been defined, which are verified by a series of test and compliance procedures, being confirmed by an entity authorized to carry out the certification:

Objective 1 –To build and maintain network and system security

1. Installing and maintaining a firewall configuration to protect cardholder data
2. Not usingsupplier provided standards for system passwords and other security parameters

Objective 2 –To protect cardholder data

1. Protecting the card holder's stored data

1. Encrypting the transmission of cardholder data over open and public networks

Objective 3 –To maintain a vulnerability management program

1. Protecting all systems from malware and regularly updating antivirus programs or software

1. Developing and maintaining secure systems and applications

Objective 4 –To implement strict access control measures

1. Restricting access to cardholder data according to the need for knowledge for the business

1. Identifying and authenticating access to system components

1. Restricting physical access to cardholder data

Objective 5 – To monitor and test networks regularly

1. Tracking and monitoring all accesses regarding the network resources and cardholder data

1. Regularly testing security systems and processes

Objective 6 – To maintain an information security policy

1. Maintaining a policy that addresses information security for all teams

These test procedures are related to 4 security levels (level 1 is the highest) according mainly to the volume of transactions:

And what does a PCI certification has to do with GDPR and LGPD? Can it be helpful?

"People come to me and ask, 'How can I become GDPR compliant?'...

I say:“Start with PCI DSS." - Jeremy King, director of PCI SSC‍

The General Data Protection Regulation (GDPR) entered into force in the European Union in 2018 and applies to all companies that store or process data that identifies European citizens, providing a range of rights to ensure the ownership, purpose, consent, transparency and privacy of individuals about their data.

Similar regulations are being developed by several countries. In Brazil, the national congress is defining the application of a regulation similar to the GDPR (the LGPD - Lei Geral de Proteção de Dados) in August/2020.

All companies operating in the European Economic Area, regardless of their country of origin, are subject to fines of up to 4% of overall turnover or 20 million euros - whichever is greater - and even suspension of activities with the EU.

Compliance with these regulations poses technical and business challenges for companies, which need to protect itself from threats and seize the opportunities that arise. However, even if they make citizens' rights explicit, these regulations do not provide a clear guide on how to comply.

Although the scope of PCI data protection is smaller (payment card data), the latter is contained in the scope of LGPD and GDPR personal data. In addition, the PCI certification process provides a defined methodology for your company to gain the ability to map and protect sensitive data during processing, transmission and storage.

Being PCI compliant indicates that your company is aware of the ultimate data protection practices, and is ahead of the competition regarding adaptation to GDPR and LGPD.

Open Banking

‍Central banks in several countries are developing regulations similar to the European Union's PSD2, by requiring banks to make banking data and payment services open through APIs in order for those to be used by third party companies that have the users' consent.‍

The Central Bank of Brazil is planning to apply a similar regulation to PSD2 for Open Banking by the beginning of the 2nd half of 2020.

This regulation aims to increase competition in the sector and provides opportunities for third party companies to integrate with banks via APIs andmake offers and better experiences available to consumers by using this data. These opportunities are not restricted to companies in the financial sector; they are also being evaluated by large retail, telecom, utilities companies - which are beginning to offer their own financial services.

PCI certification is an essential step in order to seize the possibilities of such regulation with regard to card payments. In addition, the need for a certification similar to PCI DSS for banking data protection is discussed. Being familiar with the practices required in PCI DSS greatly accelerates preparation for developing Open Banking-Based Business. ‍

How can Sensedia help you to make your APIs PCI Compliant?‍

Many companies want to make use of the opportunities and be part of the card payment ecosystem. Relying on technology partners whose platforms are already adapted to PCI parameters is a way to reduce costs, reduce risks and avoid the technical complexities of adapting to a constantly evolving global security standard.

The Sensedia API Platform provides a PCI Compliant environment (PCI-DSS Level 1 - the highest level), with available AOC certificate, WAF, penetration tests and vulnerability scans in higher recurrence than required by the certification.

Inside the platform, there are also components ready to be added to the flow of APIs such as Oauth 2.0, JWT, threat protections, IP filtering, encryption and obfuscation, among others.

The Sensedia API Platform also features governance controls, alerts, custom dashboards and real-time logging to prevent incidents and speed up threat responses.

In addition, Sensedia has a specialized consultancy for security and operation of its APIs, and is considered a leader in API Strategy by Forrester, in order to support clients in the design of the best models and application of the best practices.

Want to know more?

‍Contact us and talk to one of our experts.