Data Security Standard

PCI Compliance: Getting Credit from Visa and MasterCard

We got a nice little note in our inbox recently. It was from Visa, but it had nothing to do with our credit limit (eye-rolls and drum kicks appropriate).

“Congratulations on validating compliance with the Payment Card Industry Data Security Standard,” it said. “The Visa Global Registry of Service Providers - PCI DSS Validated Entities ... acknowledges service providers that have shown their commitment to security by meeting the requirements of the PCI Standard. We appreciate your continued support and commitment to safeguarding the payment industry.”

Beware: ‘PCI-Ready’ Is Not PCI Compliance

There aren’t many issues left that we can see in terms of black and white. Everything has nuance—there are shades and complexities, levels of acceptance, and so on.

Here’s an exception. If you handle credit card data, your product or service is either PCI-compliant, or it’s not. Period.

I know this isn’t a fun topic. You want to focus on launching a commerce API, but instead you spend time figuring out how to comply with a long list of confusing rules. It’s a hassle and an obstacle. But it’s also vital.
