Blog

VGS is pleased to announce that we successfully completed the SOC 2 Type II assessment after undergoing a comprehensive annual review that confirmed our fulfillment of all system requirements based on the trust services criteria outlined by the AICPA.

Can you believe this April will mark one year since the release of PCI DSS v4.0 standards? To celebrate its upcoming birthday, we’re breaking down one of the most commonly asked questions about compliance.

Exactly how hard is PCI compliance to achieve? Usually it’s bad practice to answer a question with another question. In this case, it’s impossible to discuss the challenges of compliance without first asking: why is PCI compliance important?

In March 2022, the PCI Security Standards Council (PCI SSC) published PCI Data Security Standard PCI DSS 4.0. If your organization stores, transmits, or processes credit or debit cardholder information, then this new standard (and this blog) applies to you, because every part of your cardholder data environment (CDE) will be “in-scope,” and subject to its guidelines.

Running a business in the digital age is no easy feat. This is especially true nowadays as cybersecurity threats continue to evolve and increase.

Data breaches have hit even some of the largest, multinational companies, exposing sensitive user data and compromising the privacy and trust of their customers. When it’s payment card data that leaks on a large scale, the damage goes far beyond consumer confidence.

PCI compliance is an industry-standard set to keep sensitive payment data safe. Any business that handles credit or debit cardholder data must achieve PCI compliance. It was created by a council of major credit card providers – the PCI Security Standards Council, or PCI SSC – to help prevent credit and debit card data theft.

Unsure what exactly you need to know about PCI Compliance? Here’s a crash course on the PCI Data Security Standard, including the most cost-effective path to securing cardholder data, PCI compliance best practices and benefits, what it takes to get PCI certified, and much more.

Do you know how long it takes to become PCI compliant?

Fulfilling all the requirements spelled out in the Payment Card Industry Data Security Standard (PCI DSS) is a complicated process with a ton of moving pieces.

Achieving Payment Card Industry Data Security Standard (PCI DSS) can be a lengthy and expensive process.

Level 1 compliance, which is required for businesses that handle high volumes of payment card data, can easily cost over $1M upfront. In addition, the journey to your certification can last between 9 to 12 months if you opt to build your own PCI-compliant infrastructure and manage the audit process by yourself. (And that doesn’t even account for annual maintenance.)

VGS has achieved PCI L1 Service Provider certification for the third time! Though most of you reading this blog will go through PCI DSS compliance for merchants, the process is similar enough that sharing a few lessons we have learned along the way should be helpful.

PCI DSS certification is a complex endeavor, whether it’s your first time or whether it has become an annual ritual at your company. However, many important aspects (and challenges) are common to all successful PCI assessments.

At VGS, we often get asked by prospective customers about the true costs of PCI. We’ve written about this topic before in broad strokes. Ultimately, the potential costs of PCI non-compliance are catastrophic, both financially and reputationally. But those big numbers can be scary and seem unreal. So let’s put a good summertime analogy to work in explaining how costs arise for two different market players - a small merchant and a SaaS platform with integrated payments.

You can’t have customers in the e-commerce world without collecting personal data. Even processing a credit card for an online purchase using a guest account requires you to collect some personal information and hold it for a certain period of time. When you collect personal information, you’re required to comply with data protection regulations that apply to that information, such as CPRA, LGDP, and GDPR. And ignorance of the law is not an excuse for not complying with the law.