If your business handles credit card transactions, you are obligated to be PCI compliant. There are a few ways you can achieve PCI compliance depending on the size of your company, but it generally breaks down to obtaining PCI compliance on your own or offloading most aspects of compliance responsibilities to a service provider.

Non-compliance to PCI DSS can cost from $5,000 to $100,000 a month depending on the size of the company and the duration of non-compliance. Additionally, banks and payment processors may increase transaction fees or terminate the relationship with your company altogether resulting in lost revenue.

Skyflow helps you isolate, protect, and govern sensitive PCI data through the whole lifecycle so you can use it securely without replicating it across your infrastructure. Sensitive PCI data gets captured directly through Skyflow’s SDK and stored in a zero trust Data Privacy Vault. When you need to transmit PCI data to a trusted third party (such as a payment processor), that data is sent directly from the Data Privacy Vault with no exposure to your backend.

Skyflow Data Privacy Vault is not just a quick way to achieve PCI compliance as your business gets started, keeping credit card data in a Data Privacy Vault frees you to optimize payment logic and avoid payment processor lock-in a as your business scales up.

There are two categories of PCI compliance: PCI Compliance for Merchants and PCI Compliance for Service Providers. As a PCI Level 1 service provider, Skyflow makes it easy to accelerate compliance across these categories and at each level.

PCI Compliance for Merchants:

Compliance for merchants consists of four levels that are defined by the number of payment card transactions. The highest level, Compliance Level 1, is for companies that process over 6 million payments a year. From there, the levels decrease as the number of payments processed annually decreases until Compliance Level 4 is reached, which is for companies with less than 20,000 transactions.

Compliance Level 1 has a unique requirement – companies that process 6 million or more transactions a year must submit a compliance report that has been reviewed by an independent Qualified Security Assessor (QSA). The PCI SSC keeps a database of all qualified assessors. For other compliance levels, typically a self-attestation is required to gain PCI compliance.

PCI Compliance for Service Providers:

Compliance for service providers consists of two levels, the first for service providers that process more than 300,000 transactions and the second for less than 300,000 transactions.

Companies must obtain an Attestation of Compliance (AOC), perform a network scan by an Approved Scanning Vendor (ASV) – repeated quarterly – and work with a third-party QSA to perform a ROC on an annual basis in order to obtain compliance Level 1.

PCI consists of twelve principal requirements, which summarize over one hundred specific  sub-requirements or “controls”:

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update antivirus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel

Skyflow can help you securely migrate your PCI data from your payment processor into a Data Privacy Vault. With your PCI data under your control, you can work with multiple payment processors and enjoy the best rates without added risk.

Check out how Skyflow can help you avoid PCI data lock-in or schedule a call with us.