February 28, 2022
Skyflow Achieves PCI Level 1 Service Provider Certification
This certification demonstrates Skyflow’s continued investment in rigorous controls and processes, following our recent completion of SOC 2 Type 1 compliance certification.
PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards created by the credit card industry to protect payment systems from data breaches. Skyflow recently completed certification as a PCI Level 1 Service Provider, making Skyflow the world’s first PCI Level 1 Data Privacy Vault.
What Does Skyflow’s Level 1 Status Mean to You?
If your company processes more than 6 million transactions or has been deemed high-risk by a payment processor like Visa or Mastercard, you’re required to work with a Qualified Security Assessor (QSA) to complete a Report on Compliance (ROC). You must work with a PCI Level 1 Service Provider as part of the process. Skyflow’s Level 1 Status lets us help you develop a PCI-compliant platform.
When working with a QSA to obtain your PCI Merchant Compliance Status, using a Data Privacy Vault that removes all card data from your systems and business processes reduces the compliance scope by more than 90%. This makes Skyflow an effective way to accelerate your compliance timeline.
If you use Skyflow Data Privacy Vault, you not only have a fast and easy way to reduce PCI scope and make it easier to achieve PCI compliance, you can also use multiple payment processors to increase your payment authorization rates and lower your transaction fees.
PCI Compliance In-depth
PCI compliance applies to all businesses that interact with credit cards and cardholder (PCI) data. PCI compliance certification has different requirements for merchants and for companies that provide services to merchants.
PCI Compliance Levels for Merchants
The PCI compliance level required for merchants depends on several criteria, as described below.
Level 1 is required for:
- Merchants processing over 6 million credit card transactions annually (all channels)
- Any merchant that has suffered a hack or an attack that resulted in an Account Data Compromise (ADC) Event
- All merchants required by a payment brand or acquirer to validate and report their compliance as a Level 1 merchant to minimize risk to the system
Merchants that don't need to obtain Level 1 certification can use one of the following certification levels:
- Level 2 is for merchants processing 1 million to 6 million credit card transactions annually (all channels)
- Level 3 is for merchants processing 20,000 to 1 million credit card e-commerce transactions annually
- Level 4 is for all other merchants who don't need to complete a higher certification level
PCI Compliance Levels for Service Providers
The PCI compliance level required for service providers depends on the number of transactions that they store, process, or transmit:
- Level 1 is required for any service provider that stores, processes and/or transmits over 300,000 transactions per year
- Level 2 is required for any service provider that stores, processes and/or transmits less than 300,000 transactions per year
Why PCI Level 1?
We decided to pursue PCI Level 1 certification because it lets us extend our service to merchants who process a high volume of transactions, and to merchants who need to complete an ROC. Also, for many of our privacy and security-conscious customers, working with a service provider at PCI Level 1 is a procurement requirement to ensure quality.
As a company that provides critical infrastructure for the most sensitive data, we see the certification process as an excellent opportunity to invite an outside group of experts to validate the maturity of our controls and processes. Obtaining the highest level of compliance assures our customers that Skyflow Data Privacy Vault is a reliable place to store and use their most sensitive customer information.
The PCI Level 1 Service Provider Certification Process
To become a Level 1 PCI-certified Service Provider, we met the following requirements:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Protect all systems against malware and regularly update antivirus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
To obtain the Attestation of Compliance (AOC) as a PCI Level 1 Service Provider, we had to perform a network scan by an Approved Scanning Vendor (ASV) – repeated quarterly – and work with a third-party QSA to perform an ROC on an annual basis.
Skyflow was well-positioned to obtain this certification, but we also want to continuously improve our internal security and privacy practices. So, we opted to work with a nationally ranked, industry-leading QSA to obtain our certification so we could benefit from the most thorough and highest-quality audit available. We created 144 pieces of control evidence mapping to the 12 requirements described above and obtained our AOC with flying colors. Although this audit was time-consuming, we wouldn’t choose to do it any other way.
Our advice to any company facing a compliance process like this is: treat the process as an opportunity, not a burden. Not only is any compliance process much less painful and expensive than the aftermath of a data breach, but it also provides reassurance that your controls and processes are hardened and tested. And in case the compliance process seems thankless, remember that your customers appreciate your efforts to protect their personal data.
Another Reason to Use a Data Privacy Vault
If your company handles credit card data, you probably also store Personally Identifiable Information (PII). To prevent data breaches, you should manage PII with the same diligence that’s required for PCI data. In fact, secure handling of PII is gaining legislative momentum worldwide, with Gartner predicting that by the end of 2023, 75% of countries will have some kind of data privacy law. Using Skyflow Data Privacy Vault for credit card and PII data is an excellent way to address security and governance needs and get ahead of the landslide of new data privacy laws going into effect globally.