Monavate has become one of the first organisations in Europe to certify against the latest version of the PCI Data Security Standard (PCI DSS v4.0). Our Chief Technology Officer, Mat Peck, explains why Monavate certified nearly 18 months ahead of time, and what this means for customers.
Data equals money in the modern economy. Criminals follow the money, which frequently means they are trying to get their hands on card data, either to make counterfeit cards or to buy goods they can resell for profit.
The Payment Card Industry Data Security Standard, or PCI DSS for short, has been around for nearly 20 years. It provides a technical and operational baseline for protecting sensitive card details. But it has had to move with the times.
The first version of the standard, released in December 2004, pre-dated the iPhone by about two-and-a-half years. It pre-dated COVID-19 and the explosion in contactless, in-app and e-commerce payments by about fifteen years.
Over this time, criminals have become increasingly sophisticated, well-resourced and unrelenting. So much so that nearly half (46%) of organisations have experienced some form of fraud or other economic crime within the last 24 months. About one-third of external perpetrator cases were the work of hackers and 28% were carried out by organised crime, according to PwC data.
Data security breaches and fraud affect everyone. So, although assessment against PCI DSS v4.0 only becomes compulsory from April 2024, when the previous version (v3.2.1) is retired, we certified nearly 18 months early for several reasons.
Reducing PCI scope for customers
Monavate helps reduce, or even de-scope entirely, certain aspects of PCI DSS for our customers. That is because those aspects are either covered by our infrastructure or performed by us on the customer's behalf.
For example, because we hold card account numbers (PANs) and CVVs on behalf of our customers, we can tokenise that sensitive data even during real-time processes such as 3-D Secure authentication or real-time card funding. The customer's systems only ever handle the token, never the underlying card data. This reduces their PCI DSS scope, cuts the associated time, effort and hassle on their side, and helps simplify and speed up time-to-market.
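To make the scope-reduction idea concrete, here is a toy tokenisation vault in Python. It is an added illustration for this article, not Monavate's code, and everything in it is an assumption made for the example: the in-memory store, the `tok_` token prefix, the HMAC-keyed lookup index, and the sample PAN (the well-known 4111 1111 1111 1111 test number, not a real card). The point it shows is that the customer's system only ever holds a random token and a masked display form, while the PAN stays inside the vault and the CVV is passed straight through to a single real-time operation and never retained.

```python
"""Toy tokenisation vault (illustrative example, not Monavate's code).

Assumptions made for this example: an in-memory store, one HMAC key for the
lookup index, a "tok_" token prefix and a constructed sample PAN.
"""
import hashlib
import hmac
import secrets
from typing import Callable


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: reject malformed PANs before they enter the vault."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form that may leave the vault: last four digits only."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Keeps PANs inside the cardholder data environment; hands out tokens."""

    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key
        self._pan_by_token = {}    # token -> PAN (would be encrypted at rest in a real vault)
        self._token_by_index = {}  # HMAC(PAN) -> token, so one PAN always maps to one token

    def _index(self, pan: str) -> str:
        # Keyed hash: lets us find an existing token without storing a plain PAN digest.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenise(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not luhn_ok(pan):
            raise ValueError("invalid PAN")
        idx = self._index(pan)
        existing = self._token_by_index.get(idx)
        if existing:
            return existing
        token = "tok_" + secrets.token_urlsafe(24)  # random, so not derivable from the PAN
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def masked(self, token: str) -> str:
        """The only card-number-shaped value the customer's UI ever receives."""
        return mask_pan(self._pan_by_token[token])

    def with_pan(self, token: str, cvv: str, op: Callable[[str, str], bool]) -> bool:
        """Run a real-time operation (e.g. a 3-D Secure or funding check) inside
        the vault. The PAN never leaves; the CVV is handed to the operation for
        this call only and is not stored anywhere."""
        pan = self._pan_by_token[token]
        return op(pan, cvv)


def demo() -> dict:
    """Constructed walk-through: what the customer sees versus what the vault holds."""
    vault = TokenVault(index_key=secrets.token_bytes(32))
    token = vault.tokenise("4111 1111 1111 1111")  # well-known test PAN, not a real card

    # Stand-in for the issuer-side check; a real one would call the 3DS/auth path.
    def issuer_check(pan: str, cvv: str) -> bool:
        return luhn_ok(pan) and cvv == "123"

    return {
        "token": token,                       # safe to store outside the CDE
        "display": vault.masked(token),       # "************1111"
        "same_pan_same_token": vault.tokenise("4111111111111111") == token,
        "auth_ok": vault.with_pan(token, "123", issuer_check),
    }


if __name__ == "__main__":
    print(demo())
```

The two design choices worth noticing are that the token is random rather than derived from the PAN (so a leaked token table reveals nothing about card numbers) and that the lookup index is an HMAC with a secret key rather than a plain hash, so an attacker who obtains the index alone cannot brute-force the sixteen-digit PAN space against it.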
Reducing the PCI fear-factor for greater peace of mind
These time, effort and efficiency savings may well be cumulative, as PCI DSS v4.0 includes future-dated requirements. These are considered best practice now but become mandatory after 31 March 2025. One example is the tighter handling of the TLS certificates that protect APIs delivered over the web: certificates must be valid and neither expired nor revoked, and organisations must maintain an inventory of their trusted keys and certificates (requirement 4.2.1.1). We already go further than this at Monavate and renew those certificates every three months.
We are technically up to speed with what PCI DSS requires today and more than 80% of the way towards the March 2025 requirements. Our thinking about technology and security is designed to give our customers peace of mind.
From a technology point-of-view, we’ve had the luxury of building our systems from scratch with modern thinking, architecture and processes. That’s a massive advantage because while competitors may talk the talk about ‘security by design’, we’ve been able to walk the walk and bake in security from the start.
There is also no need for us to retrofit an old system, or an old way of thinking or working, to comply with new standards, or to manage a process of backward compatibility. Our issuing platform comes with the software, hardware and ‘headware’ to go forward, unencumbered by unhelpful legacy. These benefits accrue to our customers through our as-a-service model.
Future-proofing speedy, seamless product launches
At Monavate, we’ve always aimed to build a system that exceeds the baseline requirements from day one. It’s less about what we’re compelled to do by the PCI DSS standard, and more about what we’re trying to solve for.
We want to enable customers to launch secure payment solutions quickly and conveniently. Giving them peace of mind that their data is secure and our systems are secure is central to this, which is why we prioritise security over compliance.
Compliance is important, of course. But it is only ever a measure of an organisation's status at a point in time, whereas security has to endure between assessments. Organisations need to be thinking more broadly and looking holistically at their security posture.
To that end, we’re working towards ISO 27001 compliance. This is an international, auditable framework for safeguarding information assets and making the whole security process easier to manage, measure and improve.
ISO 27001 is broader than PCI DSS in various ways, not least because it addresses all three dimensions of information security: not just confidentiality, but also the integrity and availability of information.
We believe that this is the direction of travel and how organisations should design their roadmap for the future. It is the combination of technology and security together that helps customers launch and scale card programs smarter, faster and more easily.
The Monavate difference
There’s never been a better time to harness technology and data to help cardholders build a better financial future. Whether that’s better budgeting, smarter saving or cutting-edge credit at the point of need, Monavate aims to simplify complexity and cut time-to-market.
If you’re interested in card issuance via one provider, on one contract, with one point of contact and point of access, contact us today to find out more.
Global Economic Crime and Fraud Survey 2022, PwC, https://www.pwc.com/gx/en/services/forensics/economic-crime-survey.html