PCI and Mendix: Accepting Payments with Confidence

Our world, and especially our shopping, is increasingly online. Increased convenience, however, means an increased need for security. Stolen credit card data costs both businesses and consumers millions and damages reputations. Customers should feel confident when entering their sensitive payment card information into your Mendix app. Fortunately, industry guidelines exist to help app creators develop a safe space for e-commerce. The Payment Card Industry Data Security Standard (PCI DSS) is a compliance framework that gives you and your customers peace of mind while shopping online.

What is the PCI DSS?

The PCI framework of security protocols is maintained by the major credit card companies. The goal is to increase controls around sensitive information and validate that data is safe and secure. The PCI guidelines contain requirements including maintaining a secure network, implementing strict access controls, and regularly testing security using an independent organization. When building an app that accepts payment using a credit card or eCheck, it is critical to maintain regulatory compliance. Even a first-time violation of PCI could cost your business over $10,000 a month, not to mention significant reputation damage. There are 12 requirements in all with more than 220 sub-requirements, so navigating the framework can be confusing.

Tackling Payments with Mendix

If maintaining PCI compliance seems daunting, do not worry. The Mendix platform makes creating apps that accept payments securely a snap. Thanks to Mendix's easy web service interface and reusable modules, you can create customer payment portals in days, not months. Mendix accomplishes this by integrating with payment gateways. Payment gateways, such as Orbital, Cybersource, and Stripe, collect and store credit card data on servers independent of the Mendix architecture. Sensitive data never touches your Mendix server, so the burden of secure data warehousing is passed on to the gateway provider.

Integrating with a payment gateway is significantly easier in Mendix than with other development methods. Gateways communicate through a number of technologies, including URL redirection, iFrames, and tokenization. Mendix App Store content like the iFrame widget and the REST service module means that, no matter your gateway of choice, setup takes significantly less effort in Mendix than with other development methods. Also, keep your eyes on the App Store for full-featured payment integration modules that will soon make gateway configuration even faster.
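To make the tokenization model concrete, here is an added example (not Mendix code, and not any gateway's real API) of the two halves of a tokenized payment: a stand-in for the gateway that receives the card number directly from the browser and returns a token, and a merchant-side endpoint, such as one behind the REST service module, that accepts only that token and refuses any request carrying a raw card number. The token format `tok_...`, the `gateway_tokenize` and `merchant_charge` function names, and the in-memory vault are all assumptions for illustration; the card number used is the standard Visa test number.

```python
"""
Added example (not Mendix or gateway code): a tokenized payment flow in which
the merchant server only ever sees a gateway token, plus a guard that rejects
any request carrying a raw primary account number (PAN). Token format, function
names and the in-memory vault are assumptions for illustration.
"""
import json
import re
import secrets

# --- Gateway side (constructed stand-in for a hosted tokenization service) ---
_VAULT = {}  # token -> masked card data; lives only on the gateway


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to recognise card numbers in arbitrary text."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def gateway_tokenize(pan: str, exp: str) -> str:
    """The browser posts the PAN directly to the gateway; only a token comes back."""
    pan = re.sub(r"[\s-]", "", pan)
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
        raise ValueError("invalid card number")
    token = "tok_" + secrets.token_hex(12)   # assumed token format
    _VAULT[token] = {"last4": pan[-4:], "exp": exp}
    return token


# --- Merchant (Mendix-side) REST endpoint -----------------------------------
PAN_RE = re.compile(r"(?:\d[ -]?){13,19}")


def find_pans(obj) -> list:
    """Walk a JSON payload and return any Luhn-valid card-number-looking strings."""
    found = []
    if isinstance(obj, dict):
        for v in obj.values():
            found.extend(find_pans(v))
    elif isinstance(obj, list):
        for v in obj:
            found.extend(find_pans(v))
    elif isinstance(obj, str):
        for m in PAN_RE.finditer(obj):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                found.append(digits)
    return found


def merchant_charge(request_body) -> dict:
    """Accept {"token": ..., "amount_cents": ...}; refuse anything carrying a PAN.

    request_body may be a JSON string (as received over HTTP) or an already
    parsed dict.
    """
    payload = json.loads(request_body) if isinstance(request_body, str) else request_body
    if find_pans(payload):
        # Do not log or store the payload itself; it may contain cardholder data.
        return {"status": "rejected", "reason": "raw card data not accepted here"}
    token = payload.get("token", "")
    if not isinstance(token, str) or not token.startswith("tok_") or token not in _VAULT:
        return {"status": "rejected", "reason": "unknown or missing token"}
    amount = payload.get("amount_cents")
    if not isinstance(amount, int) or amount <= 0:
        return {"status": "rejected", "reason": "invalid amount"}
    # In production this step forwards the token to the gateway's charge API;
    # the merchant still never handles the PAN itself.
    return {"status": "charged", "amount_cents": amount,
            "card_last4": _VAULT[token]["last4"]}


if __name__ == "__main__":
    # Constructed walk-through: browser tokenizes, merchant charges by token.
    tok = gateway_tokenize("4111 1111 1111 1111", "12/30")
    print(merchant_charge({"token": tok, "amount_cents": 1999}))
    print(merchant_charge({"token": tok, "amount_cents": 5,
                           "note": "card 4111-1111-1111-1111"}))
```

The `find_pans` guard is what keeps the merchant server out of the cardholder-data path in practice: a free-text field such as an order note is a common place for a card number to arrive unintentionally, and rejecting the request before it is logged or persisted is what preserves the reduced scope that the gateway model promises.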

PayWithMendix

Using Mendix with a payment gateway does not free you and your team from responsibility, however. You will still have to complete a PCI DSS self-assessment questionnaire (SAQ) and more, so development teams are encouraged to speak to their Mendix representative.

With payment gateways and Mendix, your customers will be shopping with confidence in no time.

Where can I learn more?
PCI Security Standard Council
PCI FAQ
SAQ A-EP Questionnaire

Happy Modeling!