When we started building crypto cards, we knew the feature itself would be hard. What we didn’t know was that the paperwork would almost finish us first.

Let’s rewind.

A few months ago, we made the decision to bring Mastercard-powered crypto cards to Breet. Virtual and physical cards, funded by crypto, that you can spend anywhere. The kind of product that makes crypto feel like actual money in your hands, because, yunno, our motto is: Making crypto spendable.

We were excited, so we started building. And then one overzealous person from legal said the three letters that changed the mood in the room.

PCI DSS.

Actually, that’s 6 letters.

If you don’t know what that is, here’s the short version: PCI DSS (Payment Card Industry Data Security Standard) is the global security standard that every company handling card data has to be certified against. Visa has it, Mastercard has it, your bank has it. If you want to issue cards and be taken seriously, you need it.

So we went for it.

The Part Nobody Warned Us About

Let me give you the tea as to what PCI DSS certification actually looks like from the inside:

You take everything you’ve built, every system, every process, every piece of infrastructure, and you hand it to auditors who will find every gap you didn’t know existed. Then you fix those gaps. Then they find more. Then you fix those too. Then they find more…

Michael’s patience was tested in ways we didn’t think possible. As the engineering lead, he had to sit through rounds of reviews, rework systems that were already working fine (but not “PCI fine”), and answer the same questions framed differently across multiple audit cycles.

At one point, we’re fairly sure his eye started twitching during calls. When we asked him about it, he said “going to the gym was what helped him through that period”.

And Funmi, our compliance lead, probably sent more follow-up emails during those months than the rest of the team combined for the entire year.

Every document had a document. Every policy had a sub-policy. Every sub-policy needed evidence, and every piece of evidence needed a timestamp. If persistence had a leaderboard, Funmi would be number one with a gap that’s almost disrespectful.

There were late nights, and Slack messages at hours that no reasonable person should be working. There were moments where we looked at each other and asked, “Is this really worth it?”

It Was Worth It

Because we’re not building a side project. Millions of unit transactions passed through Breet last month. Real people trust us with real money every single day. And if we’re going to put a card in their hands with our name on it, the security behind that card needs to be airtight.

PCI DSS certification means our encryption, our access controls, our monitoring, our threat response, all of it has been reviewed and approved against the same standard that protects the largest payment companies in the world.

That’s what our users deserve. And now that’s what they have.

So, What Now?

The crypto cards are coming. We experienced some challenges, which prolonged the timeline, but that’s a story for another day.

However, once they arrive, they arrive on infrastructure that’s been stress-tested, audited, and certified to the highest global standard for card security.

Michael is finally gaining his sanity back. Funmi is also recovering from the PTSD. And the rest of us can breathe again.

Until the next big thing, of course. You know how we are.

We stay building. 🔒
