Every year around this time we report on our successful annual audit demonstrating compliance with the Payment Card Industry Data Security Standard (PCI DSS). This year is no exception: another successful audit under our belt!
If you require our PCI Attestation of Compliance document for your records, please contact RunSignup and we can provide it under NDA. We thought we would take a few minutes to explain what this standard is all about, so if you are interested in learning more please read on…
In the late 90’s, as online shopping became prevalent across a growing array of online retailers, payment card data fast became the number one compromised data type. This prompted each of the major credit card brands to roll out its own security program that its merchants and service providers were required to implement. The inconsistency of these programs across card brands made it confusing and difficult for merchants to comply. So in 2004 PCI-DSS was introduced by the founding members American Express, Discover Financial Services, JCB International, Mastercard and Visa. Compliance with PCI DSS is now a contractual obligation for any merchant or service provider accepting credit cards from those card brands. It appears to be working, as data breaches of card data have been in decline over the past 10 years.
The more credit card transactions a company handles, the higher the risk to the credit card brands. For this reason PCI-DSS defines four levels of compliance based on transaction volume, each with more stringent requirements than the last. Level 1 is the highest.
Further, there are different requirements for Merchants and Service Providers. Merchants accept credit card payments for goods or services either in person or via the internet or phone, such as your local retailer. Service Providers are directly involved in the processing, storage and transmission of cardholder data on behalf of merchants. Because they have access to and control over sensitive data, the requirements for Service Providers are much higher than those for Merchants.
RunSignup is a Level 1 Service Provider. RunSignup is also a Payment Facilitator. Payment facilitators are a type of service provider that can process transactions on behalf of sub merchants. (Our customers are sub merchants.) This means we are held to the highest security standards governed by PCI-DSS.
PCI Requirements for Level 1 Service Providers
Requirements for PCI-DSS are set by the PCI Security Standards Council. PCI-DSS requires compliance with 12 areas of security. Below is a summary of those requirements taken directly from the PCI-DSS 3.2.1 document.
This list of requirements boils down to roughly 300 control points that we have implemented safeguards for and are audited against annually by a third-party Qualified Security Assessor (QSA). In addition to our annual audit (which we just successfully passed), we are required to:
- Provide an annual Report on Compliance (RoC)
- Have a valid Attestation of Compliance (AOC)
- Have quarterly network scans performed by an Approved Scanning Vendor (ASV)
- Undergo annual penetration tests by a third party
RunSignup is only required to apply these security safeguards to the parts of our system that make up the Cardholder Data Environment (CDE). Many companies segregate their CDE from the rest of their system so that they can limit the footprint that is subject to audit. At RunSignup, we spend significant effort and funds on security because it is a data processing best practice, not just because PCI requires it. For that reason, we subject our entire system to the PCI audit process, providing maximum protection for our customers.
Why Does It Matter?
Highest Defense Against Constant Attacks: One study done by the Clark School at the University of Maryland quantified that a computer or server connected to the internet is attacked on average every 39 seconds. The majority of these attacks are unsophisticated brute force attempts to infiltrate a system, but more organized attempts are also occurring every day. We keep on top of the latest security developments to prevent successful attacks.
Customer Trust: You have come to know RunSignup as an extremely transparent company. We hold our customers’ data in high regard and set out every day to protect it at all costs. We want to continue to earn our customers’ trust by providing the most highly available and secure system possible.
Reduce Customer Support: Fraudulent activity on our customers’ event sites causes customer support requests to rise. We understand that cost and want the use of our tools to drive support costs down as much as possible.
Adopting PCI Increases Security Across Our Entire System: Since we implement PCI-DSS across our entire ecosystem, security of the entire system benefits.
World Class: We are a product-led company that strives to provide world class software solutions. For a tech company to be world class, its engineers need to build security into the design of its solutions. Our continuous improvements around security make us a better organization with capabilities well above our size.