Is PCI-DSS A-EP/D certification realistic for a small startup?
Hi, we are the start-up based in South Korea.
We recently collaborated with Korean payment processing companies to develop a hosted payment processing product for users of no-code builders (such as Bubble, Webflow, and Framer).
However, the systems of existing payment processing companies are outdated, and while they require customers to install "security software", these programs actually offer lower security. Therefore, we developed our own UI and system capable of securely processing card information. Although we developed this system entirely in-house, it integrates with the payment processing companies' backend systems.
Since we developed and operate the system ourselves, the scope is not very large, but we anticipate needing PCI-DSS A-EP or D certification. Given that we are a very small startup with limited available funds, is it unreasonable to expect to obtain PCI-DSS certification?