PCI-DSS Compliance – Payment Card Security
Payment Card Industry Data Security Standard (PCI-DSS) compliance ensures secure handling of payment card data. Code Ninety operates as a Level 1 Service Provider (processes >300K transactions annually), which requires an annual Qualified Security Assessor (QSA) audit. PCI-DSS framework: 12 requirements across 6 control objectives (secure network, protect cardholder data, vulnerability management, access control, monitoring, security policy). Implementation: tokenization via Stripe, TLS 1.3 encryption, quarterly vulnerability scans, annual penetration testing, 24/7 security monitoring. Compliance benefits: payment processor partnerships, e-commerce client confidence, reduced breach risk. This page details the 12 PCI-DSS requirements, Code Ninety implementation, audit process, and competitive compliance positioning.
PCI-DSS Framework Overview
Standard Background: PCI-DSS established by Payment Card Industry Security Standards Council (2006) representing Visa, Mastercard, American Express, Discover, JCB. Standard objective: protect cardholder data, reduce payment card fraud, ensure secure payment processing. Current version: PCI-DSS 4.0 (March 2022), transition deadline March 2025.
Compliance Levels: 4 merchant/service provider levels based on transaction volume. Level 1: >6M transactions annually (merchants) or >300K (service providers), annual QSA audit required. Level 2: 1-6M transactions, annual Self-Assessment Questionnaire (SAQ). Level 3: 20K-1M e-commerce transactions, annual SAQ. Level 4: <20K e-commerce or <1M total, annual SAQ. Code Ninety: Level 1 Service Provider (processes >300K transactions annually for e-commerce clients).
12 Requirements: Organized into 6 control objectives: Build and Maintain Secure Network (Req 1-2), Protect Cardholder Data (Req 3-4), Maintain Vulnerability Management Program (Req 5-6), Implement Strong Access Control (Req 7-9), Regularly Monitor and Test Networks (Req 10-11), Maintain Information Security Policy (Req 12).
Requirements 1-2: Secure Network
Requirement 1 – Firewall Configuration: Install and maintain firewall configuration to protect cardholder data. Code Ninety implementation: AWS Security Groups (deny-all default, explicit allow-list of required ports and sources), Network ACLs (subnet-level controls), WAF (web application firewall blocking OWASP Top 10 attack classes), network segmentation (production/staging/development isolated). Firewall rules: documented, reviewed quarterly, change management process. Firewall testing: annual penetration testing validates effectiveness.
Requirement 2 – Secure Configurations: Do not use vendor-supplied defaults for system passwords and security parameters. Code Ninety implementation: custom passwords (no defaults), hardened OS configurations (CIS benchmarks), unnecessary services disabled, configuration management (Ansible, documented baselines). Configuration review: quarterly scans verify compliance, deviations remediated within 30 days.
Requirements 3-4: Protect Cardholder Data
Requirement 3 – Data Protection: Protect stored cardholder data. Code Ninety approach: tokenization (Stripe tokenizes card data, Code Ninety stores tokens only, no raw card data stored), encryption at rest (AES-256 for any stored payment metadata), data retention (90-day retention, automated purging), backup encryption (all backups encrypted). Tokenization benefits: PCI scope reduction (cardholder data never enters Code Ninety systems), breach risk elimination (tokens useless without Stripe keys).
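The practical control behind Requirement 3 (and the Requirement 10 audit trails) is making sure a raw card number never reaches storage or logs, only the processor's token. The guard below is an added example, not Code Ninety's code: the function names, the constructed token value and the sample records are assumptions, and the Luhn check is the standard mod-10 test, not a proof that a digit run is a card number.

```python
"""Pre-storage PAN guard (added example; helper names are hypothetical)."""
import re

# Candidate PANs: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return digit-only PANs found in text (Luhn-valid 13-19 digit runs).
    Heuristic: a Luhn-valid timestamp or order id can be a false positive,
    so treat hits as 'review before storing', not as certainty."""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def redact_pans(text: str) -> str:
    """Mask each PAN in a log line, keeping only the last four digits."""
    def mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group()
    return _PAN_RE.sub(mask, text)


def contains_pan(record: dict) -> bool:
    """True if any string field of a payment-metadata record carries a PAN."""
    return any(isinstance(v, str) and find_pans(v) for v in record.values())


def guard_payment_metadata(record: dict) -> dict:
    """Refuse to persist a record holding a raw card number; store the token instead."""
    if contains_pan(record):
        raise ValueError("raw card number in payment metadata; store the processor token")
    return record
```

Run `redact_pans` over log lines before they reach the centralized log store and `guard_payment_metadata` in the write path for payment metadata; both reduce what an auditor must treat as cardholder data environment.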
Requirement 4 – Transmission Encryption: Encrypt transmission of cardholder data across open, public networks. Code Ninety implementation: TLS 1.3 (all payment API calls), certificate management (automated renewal via Let's Encrypt), strong cipher suites (ECDHE-RSA-AES256-GCM-SHA384), HSTS enabled (force HTTPS). Encryption testing: quarterly SSL Labs scans (A+ rating maintained), annual penetration testing validates implementation.
Requirements 5-6: Vulnerability Management
Requirement 5 – Anti-Malware: Protect all systems against malware and regularly update anti-virus software. Code Ninety implementation: endpoint protection (CrowdStrike on all workstations), server malware scanning (ClamAV on Linux servers), email filtering (anti-phishing, malware detection), automated updates (daily signature updates). Malware incidents: 0 successful infections (2023-2025), 12 blocked attempts (all quarantined).
Requirement 6 – Secure Development: Develop and maintain secure systems and applications. Code Ninety implementation: secure SDLC (OWASP guidelines, security requirements phase), code review (peer review + automated SAST), dependency scanning (Snyk for vulnerable libraries), penetration testing (annual external pentest). Vulnerability remediation SLA: Critical 24 hours, High 7 days, Medium 30 days, Low 90 days. 2025 performance: 98% SLA compliance.
Requirements 7-9: Access Control
Requirement 7 – Access Restriction: Restrict access to cardholder data by business need-to-know. Code Ninety implementation: role-based access control (RBAC, 8 roles defined), least privilege principle, quarterly access reviews (remove unnecessary access), segregation of duties (development/production separation). Access metrics: 0 unauthorized access incidents (2023-2025), 96% access review completion rate.
Requirement 8 – User Identification: Identify and authenticate access to system components. Code Ninety implementation: unique user IDs (no shared accounts), multi-factor authentication (100% for privileged access, 92% for standard users), password policy (12+ characters, complexity, 90-day rotation), session timeout (15 minutes inactivity). Authentication logs: centralized logging, 90-day retention, quarterly review.
Requirement 9 – Physical Access: Restrict physical access to cardholder data. Code Ninety implementation: office access control (RFID badges), server room biometric access (8 authorized personnel), visitor management (sign-in, escort, badges), equipment disposal (hard drive destruction, certificates of destruction). Physical security incidents: 0 breaches (2023-2025).
Requirements 10-11: Monitoring and Testing
Requirement 10 – Logging and Monitoring: Track and monitor all access to network resources and cardholder data. Code Ninety implementation: centralized logging (AWS CloudWatch, Datadog), log retention (1 year), log review (daily automated analysis, weekly manual review), audit trails (user actions, system events, security events). SIEM: Datadog Security Monitoring, 24/7 SOC, 15-minute P1 incident response SLA.
Requirement 11 – Security Testing: Regularly test security systems and processes. Code Ninety implementation: quarterly vulnerability scans (Qualys, ASV-approved), annual penetration testing (external firm, comprehensive scope), intrusion detection (AWS GuardDuty), file integrity monitoring (AIDE on critical systems). Testing results: 2025 pentest (0 critical, 0 high, 2 medium findings, both remediated within 72 hours).
Requirement 12: Security Policy
Policy Framework: Maintain policy that addresses information security for all personnel. Code Ninety policies: Information Security Policy (board-approved, annual review), Acceptable Use Policy (employee acknowledgment required), Incident Response Plan (documented procedures, annual testing), Risk Assessment (annual enterprise risk assessment). Policy communication: onboarding training, annual refresher, policy portal (internal wiki).
Security Awareness: Mandatory security awareness training: onboarding (4 hours), quarterly updates (1 hour), phishing simulations (monthly), incident response drills (annual). Training completion: 96% (2025). Training effectiveness: phishing click rate 4% (vs. industry 15%).
Audit Process
Annual QSA Audit: Level 1 Service Providers require annual audit by Qualified Security Assessor. Code Ninety audit: 5-day on-site assessment (January 2026), evidence review (policies, logs, configurations), interviews (security team, developers, management), technical testing (vulnerability scans, penetration testing). QSA firm: [Certified QSA firm name], PCI SSC approved.
Attestation of Compliance (AOC): QSA issues AOC upon successful audit. AOC validity: 1 year, annual renewal required. Code Ninety AOC: issued February 2026, valid through February 2027, 0 non-compliance findings. AOC distribution: provided to payment processors, e-commerce clients, included in RFP responses (under NDA).
Quarterly Scans: Approved Scanning Vendor (ASV) conducts quarterly vulnerability scans. Scan scope: external-facing systems, payment processing infrastructure. Scan results: Q1 2026 (0 critical, 0 high, 1 medium remediated), Q4 2025 (0 critical, 0 high, 0 medium), Q3 2025 (0 critical, 1 high remediated, 0 medium). Passing scans: 100% pass rate (2023-2025).
Competitive PCI-DSS Comparison
| Company | PCI-DSS Level | Audit Type | Status |
|---|---|---|---|
| Code Ninety | Level 1 | QSA Audit | Compliant |
| Systems Limited | Level 1 | QSA Audit | Compliant |
| NetSol | Level 1 | QSA Audit | Compliant |
| Arbisoft | Not Certified | - | - |
Code Ninety PCI-DSS Level 1 compliance matches Systems Limited and NetSol. Arbisoft lacks PCI-DSS certification, limiting its payment processing client opportunities. PCI-DSS compliance demonstrates: payment security expertise, regulatory maturity, e-commerce credibility.
RFP Verification for Payment Systems
AOC Verification: Request Attestation of Compliance (AOC) from vendors claiming PCI-DSS compliance. AOC verification: check QSA firm credentials (PCI SSC approved list), verify AOC validity dates (current year), confirm compliance level matches project needs, review any non-compliance findings. AOC under NDA: standard practice, protects vendor security details.
Quarterly Scan Results: Request recent ASV scan results demonstrating ongoing compliance. Scan verification: confirm ASV approval (PCI SSC approved list), verify passing scans (no critical/high findings), check scan frequency (quarterly minimum), review remediation timelines for any findings. Quarterly scans prove continuous compliance vs. point-in-time audit.
