
Joint Success: Partners Support German Automotive Manufacturer along the Journey to PCI Compliance

15. May 2025

Regardless of the business sector, customers value flexibility when it comes to processing payments for services and products. A leading German automotive manufacturer was therefore faced with the challenge of implementing a secure and efficient solution for processing and storing credit card data. The globally approved security standard PCI DSS had to be complied with. Together with two specialized service providers, usd AG mastered this challenging task and proved how a complex project can be successfully implemented through close cooperation between four parties.

From development to the secure processing of payments

For this project, the German car manufacturer relied on the combined strength of three service providers under its own supervision: Exxeta AG and QaiWare for the technical development and usd AG for consulting on the PCI DSS-compliant implementation of the solution. In order to give customers direct access to digital payment methods in the automotive manufacturer's web stores, apps and e-commerce portals, the project team had to add a PCI DSS-compliant component to the existing Payment Gateway (PGW) developed by Exxeta: a so-called Card Data Repository (CDR). The application is responsible for capturing card data from end customers by providing a secure payment form to merchants and securely storing the sensitive data. It provides merchants and integrators with card tokens that can be used for payments, ensuring their systems are not exposed to sensitive data, in accordance with PCI DSS.

As the software developer, QaiWare was responsible for developing the application for this CDR.

"Building the CDR application was challenging due to the short time frame and required the experience and know-how accumulated within the company—not only in the payments domain, but also in the automotive sector."

Plamen Pobornikov, Product Owner, QaiWare Ltd.

The CDR is operated in a cloud environment, set up by Exxeta as the technology service provider.

"Setting up the environments in a reproducible, scalable and PCI-compliant manner with Infrastructure as Code (IaC) in the customer account was quite a sporting achievement in the given time."

Julian Stücker, Lead Consultant, Exxeta AG

Raphael Heinlein, certified QSA at usd AG, ensured that both the application and the cloud infrastructure were in compliance with PCI DSS and provided support in preparing all processes and guidelines for the PCI DSS audit.

Great communication as a project booster

At the start of the project in the first quarter of 2024, all parties involved were already clear about the common goal: completion of the PCI DSS audit by the end of 2024. This meant that both the application and the cloud-based infrastructure had to be completed by the beginning of the fourth quarter of 2024. This was an ambitious work schedule for all stakeholders, who also had to meet the highest standards of quality and diligence.

The more parties are involved in a project, the more dependencies and interfaces need to be taken into account. This made the regular coordination meetings with all parties all the more crucial to the success of the project. They laid the perfect foundation for good cooperation. Thanks to the high level of technical expertise on all sides and careful adherence to the tight schedule, the competent implementation of the PCI DSS requirements was achieved on time by the audit date in the fourth quarter of 2024.

Successful audit according to PCI DSS v4.0.1

PCI DSS certification was scheduled for the end of 2024. A team of auditors from usd AG, who were independent of the project, thoroughly examined the implemented Card Data Repository. The team confirmed that the developed solution meets all PCI DSS v4.0.1 requirements. This means that the automotive manufacturer's customers now have a standardized and secure interface for all credit card payments.

"An exciting project, which was very challenging due to the short time frame of less than a year and many dependencies and interfaces. However, thanks to the great and extremely competent cooperation between Exxeta, QaiWare and usd AG, the CDR extension for the PGW was completed on time and certified in accordance with PCI DSS. A great success and contribution to greater security from the entire project team."

Raphael Heinlein, Managing Consultant IT Security, usd AG

Continued successful cooperation

Following the successful completion of PCI DSS certification, usd AG will continue to support the automotive manufacturer with possible changes or extensions to the solution. Under the supervision of the car manufacturer, Exxeta will also remain responsible for operations and will therefore continue to coordinate further development on behalf of the automotive manufacturer. Both companies are already working together towards the annual PCI DSS re-certification, which usd AG's auditors are expected to carry out again at the end of 2025.
