PCI 4.0 is here. Is your software company ready?
Today, top software companies are embedding payments into their platforms to gain a competitive edge and create new monetization opportunities. But with opportunity comes responsibility—and PCI compliance is a big one.
With access to personally identifiable information, payment card data, and other financial details, software companies that opt to embed payments must adhere to the Payment Card Industry Data Security Standard (PCI DSS) to fortify the ecosystem they are now part of. PCI was created to protect cardholder data and to require strong controls that reduce the risk of cyber-attacks. While the goals behind PCI are clear, compliance can feel anything but, particularly for software companies that are new to financial regulation.
Are software companies held to the same PCI standards as other financial institutions?
The short answer is yes.
Any company that stores, processes, or transmits account data, or that can affect the security of that data, must be PCI compliant and undergo annual assessments to validate that the applicable PCI requirements are in place.
New PCI guidelines (PCI 4.0) were released in 2022. As of March 2024, the PCI 3.2.1 edition was retired, and PCI 4.0 assessments are the new standard moving forward. All future-dated PCI 4.0 requirements become effective in 2025.
Three PCI 4.0 requirements that every software company should know
- Software companies classified as Level 1 must submit an annual report on compliance (ROC) completed by a qualified security assessor (QSA) and a quarterly external network vulnerability scan report from an approved scanning vendor (ASV).
- Organizations classified as Level 2 must submit a self-assessment questionnaire (SAQ D) and a quarterly external network vulnerability scan report.
- These validation requirements are due annually and after any major system changes.
PCI 4.0 includes more stringent controls to help protect small and medium businesses against rising online payment fraud, including web skimming. Web skimming is when a bad actor compromises a third- or fourth-party vendor and injects skimming code into JavaScript that loads on the payment page. The cardholder still enters their card information on your software customer’s payment page exactly as they normally would, but while the card data is being collected for processing it is also being copied and sent to the bad actor.
Unfortunately, these attacks can be quite difficult to recover from. According to the latest Cost of a Data Breach report by IBM, the average time to identify a breach was 204 days and the average time to contain a breach was 72 days. When a breach can take months to identify and contain, every card accepted by your software customer during that window is likely at risk, and that can be costly to bounce back from. Therefore, regularly monitoring and testing networks and maintaining an information security policy—both requirements of PCI—will be instrumental tactics.
The journey to PCI compliance can be treacherous alone, and that’s putting it mildly
But what options does a software company have when it comes to PCI? Your payments partner should have experts available to help you scope your PCI 4.0 requirements. In-house PCI knowledge is often a determining factor for software companies when selecting a payment platform. At Payrix and Worldpay, PCI compliance is a core tenet of our customer support model. Every one of our software company partners has direct access to compliance experts to ensure their organization and user base are protected. This support can take the form of educational resources, strategy sessions, and merchant PCI programs, like SaferPayments by Worldpay.
The hidden benefit of prioritizing PCI, and who can help
No matter how you slice it, PCI is mandatory. But there are advantages to prioritizing compliance.
For example, if you understand your PCI leveling and your organization meets the Level 2 definition, you may want to consider engaging a QSA to assist with SAQ D, even though this is not technically required. This strategy helps you understand your true scope and the requirements that apply, since some may not apply to your setup. The most obvious benefit is that this approach may reduce your scope of work and your risk profile. But there is more here than meets the eye. Engaging a QSA allows you to join the card brand lists of compliant service providers. Your payment processor will need to register you with the card brands; however, this acknowledgment can create a powerful new marketing angle when prospecting.
PCI is complex. Our advice is to engage with your Embedded Payments partner to ensure that your organization is set up for long-term success and adhering to the new PCI 4.0 standards.