
It is official: as of 14 May 2019, Sqills is PCI DSS Level 1 certified. But what does this level of certification mean for Sqills, for our product, and for our customers? Below we go in depth into the why of PCI.

Data privacy, data security, and fraud prevention will only become more important as more and more business shifts online. We are reminded almost daily that companies must have the right security procedures in place; we only need to look at the alleged ASML intellectual property theft and the controversy surrounding the Chinese multinational Huawei. Safeguarding consumer information has to be taken seriously.

As the developers of S3 Passenger, the world’s leading inventory, reservation and distribution platform for rail and bus operators, Sqills understands that we have an active role in mitigating these risks for our clients’ mission-critical platforms.

Sqills had already demonstrated its dedication to safeguarding data by first becoming ISO 9001:2015 and ISO 27001:2013 certified. These were two initial key steps towards implementing and maintaining controls related to data security and data privacy.

Why become PCI Compliant?

As previously mentioned, Sqills’ management system was already ISO 9001:2015 (quality) and ISO 27001:2013 (information security) certified. Sqills does not process any payment transactions itself (these are processed by the Payment Service Providers connected to S3 Passenger), but PCI DSS applies to every entity that stores, processes, or transmits cardholder data, and S3 Passenger transmits that data to the PSPs. It is therefore still important for us to adhere to the strict requirements that PCI DSS Level 1 validation entails.

Our operators need to adhere to specific requirements from their acquiring banks. If Sqills were not PCI compliant, each individual operator would have to audit Sqills itself as part of its own PCI DSS assessment to satisfy the rules set by the operator’s bank. With Sqills validated as a compliant service provider, operators can instead rely on our assessment, which offers an added layer of assurance and peace of mind for both our current operators and future prospects.

What does PCI compliance mean?

The major card brands (Visa, MasterCard, American Express, Discover, and JCB) came together in 2006 to form the PCI Security Standards Council, which maintains a common set of security requirements. The goal was to protect consumers’ sensitive data and help reduce payment card fraud. The result is the PCI DSS, the Payment Card Industry Data Security Standard. This comprehensive standard applies to any organisation that stores, processes, or transmits cardholder data.

This means that Sqills must adhere to the data security standard that merchants (S3 Passenger operators) and their service providers (Sqills as SaaS provider) must follow to make sure that the cardholder data entered by cardholders is protected. Cardholder data is the combination of data that can be used to make a credit or debit card payment: PCI DSS defines it as the primary account number (PAN), on its own or together with the cardholder name, expiry date and service code. Sensitive authentication data, such as the full magnetic-stripe track data, the CVV2/CVC2 code and the PIN, may never be stored after authorisation, not even in encrypted form.

Level 1 Service Provider requirements

These are service providers that store, process, or transmit more than 300,000 card transactions annually (the exact counting rules differ slightly per card brand).

PCI Requirements validated

  • Annual on-site assessment resulting in a Report on Compliance (ROC) by a Qualified Security Assessor (QSA)
  • Quarterly external network vulnerability scan by an Approved Scanning Vendor (ASV)
  • Annual penetration test (and after significant changes)
  • Quarterly internal vulnerability scan
  • Attestation of Compliance (AOC) form, signed by the QSA and Sqills

How is Sqills PCI compliant?

S3 Passenger transmits cardholder data, encrypted in transit, from the client to the payment service provider. For PCI compliance the focus is not only on the software itself, but also on the toolset and procedures we use to develop and operate S3 Passenger as a service. These form the basis of Sqills’ PCI compliance.

One of the things I am most proud of is the fact that Sqills management decided to go for as broad a scope as possible when it comes to PCI compliance. Factually, the only things that are not included within our PCI compliance scope are our laptops and the internet. Everything else is included. While casting a net this wide obviously meant more work for us, it also shows that we believe in our methodology. I think it highlights the resourcefulness and perseverance of both the software and the people who work on developing and maintaining it.

Herold Peijs - Chief Information Security Officer

What does this mean for existing Sqills’ partners?

For existing Sqills’ partners, obtaining our PCI certification does not change anything. It means that the software and our operating methodology have been assessed by a QSA and found compliant with the PCI DSS. No changes need to be made to the existing S3 Passenger suite for it to remain PCI compliant. Our customers can continue to use a mission-critical solution that meets the highest data security standards.

Obtaining our certification is another example of Sqills’ ongoing commitment to innovation, ensuring that we remain ahead of the competition, and providing the best possible platform on the market.

Do you have any additional questions about PCI?

If you have any additional questions in relation to Sqills’ PCI compliance, please feel free to email herold.peijs@sqills.com. He is able to answer your questions about PCI compliance.