PCI compliance at fintech startups

PCI compliance can help a fintech startup grow and mature on multiple dimensions—but it isn't appropriate for everyone

Every fintech startup should think about becoming PCI compliant. PCI compliance can help a fintech startup grow and mature on multiple dimensions. But the certification is not appropriate for every fintech startup. Because this domain can be opaque, this post lays out some of the factors relevant to making that decision.

Let’s start by defining some terms. A company is PCI compliant if it stores, processes, or transmits credit card information in accordance with the Payment Card Industry Data Security Standard (PCI DSS). The standard is defined by an industry group, which publishes it openly.

Why should a startup become PCI compliant? One benefit is that by becoming compliant, you will develop a practical understanding of compliance best practices. Many startups find that as they try to sell their product and venture into more business situations, their external partners and customers will ask about compliance. As companies mature, compliance becomes a necessary component of the business.

When a startup builds its compliance function, having a practical understanding of best practices can help a lot. No one should follow a best practice simply for the sake of following a best practice. But learning about the best practice can sharpen a startup’s ability to reason from first principles.

A second reason to get the certification is its signaling value. The certification shows that time has been dedicated to thinking in a disciplined way about risk management. Many players in the industry will view a credentialed company as more responsible and mature. Some of Plaid’s early and significant customers made PCI compliance a necessary component of the deal.

How does a startup execute on becoming PCI compliant? Put simply, the startup must implement a checklist of requirements. This checklist is published in a Self-Assessment Questionnaire.

Startups can try to complete the checklist on their own. This will be very difficult, largely because the checklist uses domain-specific language. Unless someone on the team has previously executed on compliance, the company will struggle to know practically what it must do.

The other option is to ask a consultant. A consultant can show a young startup what the checklist terms mean in practice. A good consultant can evaluate your company and say specifically what to do to satisfy the PCI standards.

At the end of the exercise, the consultant will help generate a completed Self-Assessment Questionnaire and Attestation of Compliance. These documents can be shared when someone asks for proof of PCI status.

The consultant puts its name down as the Qualified Security Assessor on the documents. People who read Self-Assessment Questionnaires and Attestations of Compliance pay attention to the identity of the Qualified Security Assessor. Hiring a respected consultant to play that role can make a difference in the signaling value.

There is one other piece of advice worth sharing. On the checklist of requirements, the number of line items that are relevant to your business will depend on how you have arranged your technology. As a general matter, the number of requirements that PCI compliance imposes on a company will depend on how often the company stores, processes, or transmits full 16-digit credit card numbers. The more a company can minimize such instances, the simpler it will be to comply with the standards.