PCI DSS Assessment with Reap: Protecting Cardholder Data for a Next-Gen Digital Payments Platform

Cyber security for start-ups: Reap’s online payment platform now enables small businesses to pay expenses and collect revenue from anyone anywhere entirely via credit card.

HIGHLIGHTS

Challenge

To provide compliance assessment services enabling Reap to store, process and transmit its customers' Cardholder Data (CHD) securely and in compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Solution

Reap partnered with us to reduce the time and effort needed to achieve PCI DSS compliance. We commenced the assessment by focusing on scoping. The key objective was to reduce the PCI DSS footprint, which in turn streamlines Reap’s compliance obligations; this scope reduction subsequently cut the time and effort needed to achieve compliance.

Results

  • Completion of a PCI DSS Attestation of Compliance for Reap, in compliance with the PCI SSC Reporting guidelines.
  • This attestation demonstrates that Reap completed its required obligations and fully met the PCI DSS requirements.

The Story

Cyber security for start-ups: Security-first development of a revolutionary credit card payments platform

Reap Technologies Limited (Reap) is a financial technology company enabling SMEs, online businesses and start-ups to pay expenses with a credit card. Reap provides a payment platform that enables credit cards as the method of payment for individuals and businesses, moving funds directly from the card to the recipient’s bank account via instructions entered through a web browser. Customers can use the platform without any technical integration, and the recipient of the funds does not need to set up credit card acceptance of their own.

As a PCI Qualified Security Assessor (QSA) company, we assisted Reap with its first-ever review under the PCI DSS standard, defining requirement scope, developing organisational policies and assessing risks.

Background

Reap primarily offers two products: Reap Pay and Reap Collect.

Reap Pay allows users to initiate credit card payments in exchange for goods and/or services to third-party recipients’ bank accounts.

Reap Collect allows users to create custom web links that can be sent to third-party customers; in turn, these web links can be accessed via web browser to initiate a credit card payment directly to the user’s designated bank account.

Reap also provides a virtual card solution, with card issuance leveraged through third-party provider Global Processing Services (GPS). This card can be used to initiate transactions via Reap Pay and Reap Collect. For payment processing of its products, Reap uses Stripe.

Our Solution for Reap

Our Approach

We commenced the assessment by focusing on scoping. The key objective was to reduce the PCI DSS footprint, which in turn streamlines Reap’s compliance obligations; this scope reduction subsequently cut the time and effort needed to achieve compliance.

The scoping exercise helped establish which business processes and systems would fall within the scope of PCI DSS. The payment-related processes, business processes, systems, technologies, people and locations that form the scope of the assessment are collectively known as the Cardholder Data Environment (CDE). We provided recommendations on how Reap could reduce the current scope of its CDE and thereby reduce the burden of PCI DSS compliance.

Accordingly, we were able to achieve scope reduction and define an assessment scope that made the assessment process efficient for Reap, resulting in cost savings for the first assessment as well as for ongoing maintenance. We then applied the scoping information gathered to define a compliance and information security framework for Reap, with a roadmap to compliance. As an immediate next step we helped define the security and governance policies and processes for the framework – to provide oversight, define management responsibilities and set out the ongoing operational activities needed not only to achieve compliance but also to stay compliant. This also enabled Reap to assign key stakeholders their roles and responsibilities for upholding the security and compliance of its platform.

Results:

Reap successfully achieved compliance with PCI DSS, a global payment card security standard that is highly regarded in the payment industry. This achievement attests that Reap stores, processes and transmits CHD in compliance with the standard and maintains the security of that CHD. As PCI DSS assessments are an annual exercise, the initial adoption of the standard gives Reap an established compliance framework to execute against in future years. At the same time, it supports Reap’s operational execution in maintaining the security of the CHD it manages, the overall governance of its security activities, and continual adaptation to a changing business landscape while ensuring that compliance and security requirements are met.

What is PCI DSS?

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS requirements are set by the PCI Security Standards Council (PCI SSC), which was founded by the payment brands; the standard is enforced by the payment brands through your acquiring bank(s). The Payment Card Industry Data Security Standard (PCI DSS) is the global data security standard that any business of any size must adhere to if it accepts card payments and stores, processes and/or transmits cardholder data.

Learn more about PCI DSS and how Sekuro approaches it, here.

Sekuro #clientforlife

We work with you to provide flexible and practical solutions, so regardless of what comes your way, your business can keep moving forward.

We assign Qualified Security Assessors (QSAs) who are the right culture fit for your organisation and project.

We don’t just tick boxes – our professionalism, values and our work set us apart. Our QSAs have gained industry knowledge and efficiency through years of experience.

Already know what you are after?

Get a quick quote from our consultants.
