- What is PCI compliance?
- How does it affect you?
- Commonly held myths
- What do I need to confirm compliance?
- SAQ and Network Scans
- FAQ
:: What is PCI Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a global security standard set by the PCI Security Standards Council. It applies to organisations that store, process or transmit cardholder information from any of the globally recognised card schemes, including Visa, MasterCard and American Express.
:: How does it affect you?
Since January 2005, more than 234 million records with sensitive cardholder data have been breached globally (Source: PCI Security Standards Council).
Following changes to Visa’s Account Information Security Programme, from 1st October 2009 all merchants processing less than 1 million transactions annually (Level 2, 3 and 4) must process via a PCI DSS certified provider, such as PayPoint.net, or provide certification of their own PCI DSS compliance to their acquirer.
If you process your online payments using PayPoint.net’s hosted payment pages, the cardholder data functions are outsourced to a PCI DSS certified provider; you simply need to complete Self Assessment Questionnaire A, which can be found at https://www.pcisecuritystandards.org/saq/index.shtml. If you store, transmit or process any cardholder data on your own business network, you will also need quarterly external vulnerability scans carried out by a PCI-approved scanning vendor (ASV).
Regardless of how you process your online card payments, read on to find out what steps you need to take to ensure that your business is fully PCI Compliant.
:: Some commonly held myths
“I only process a small number of transactions so don’t need to be PCI compliant.”
False – All merchants, large or small, need to be PCI compliant.
“I only need to complete a self assessment questionnaire to become PCI compliant.”
False – if you are using your own payment pages, you will need to ensure that your systems are secure and will need to comply with the 12 PCI DSS requirements. If you are using the PayPoint.net payment page, you can take comfort in the knowledge that we have achieved full PCI compliance.
“I will get around to achieving PCI compliance when I have the time – it’s too much work.”
We would not recommend this approach. Our banking partners are required to report to Visa and MasterCard on all merchants, including those that are not compliant with no clear action plans to address any known issues. The fines that card schemes can levy for a non-compliant merchant are high. If you then experience a security breach on your own systems (where you are maintaining your own payment pages) daily fines can be levied and your ability to process card payments can be removed.
:: What do I need to confirm compliance?
The level of validation you need to provide is largely dependent on the number of transactions you process each year.
| Level | Onsite Security Audit | Self-Assessment Questionnaire | Network Scan |
|---|---|---|---|
| 1 | Audit required annually | Not required | Scan required quarterly |
| 2 | Not required | SAQ required annually | Scan required quarterly |
| 3 | Not required | SAQ required annually | Scan required quarterly |
| 4 | Not required | SAQ required annually | Scan required quarterly |
For merchants that process using PayPoint.net’s payment pages, there is no requirement for a quarterly scan to be provided, as this is covered by our own Level 1 PCI DSS compliance validation.
This holds only if you do not store, transmit or process any cardholder data on your own business network (for example, because your website is hosted elsewhere and card details are entered only on the PayPoint.net payment page). If you are not sure, email us at askaboutcompliance@paypoint.net for advice.
:: Self Assessment Questionnaire and Network Scans
In order to meet PCI compliance, any network on which you store, process or transmit cardholder data needs to be scanned on a quarterly basis. In addition, Level 2, 3 and 4 merchants need to complete a Self Assessment Questionnaire (SAQ) on an annual basis. Level 1 merchants require an annual onsite audit instead of an SAQ.
There are four different self assessment questionnaires, but you only need to complete the one that’s applicable to your business:
- SAQ A: for merchants in a Card Not Present (CNP) environment where all cardholder data functions are outsourced. This applies to you if you process card payments using PayPoint.net’s payment pages.
- SAQ B: for merchants with standalone dial-out terminals only, not connected to the internet or to any other systems, and with no cardholder data storage onsite.
- SAQ C: for merchants with POS systems connected straight to their service provider via the internet, with no electronic cardholder data stored onsite.
- SAQ D: for merchants in a Card Not Present (CNP) environment where cardholder data is processed on their own systems (for example, merchants using their own payment pages).
:: How to obtain your SAQ
You can visit the PCI Security Standards Council’s website to access, download and complete the SAQ that’s relevant to your business.
It is very important to fully understand what the questions in the SAQ mean. The purpose of the SAQ (self assessment questionnaire) is that you assess yourself, and take responsibility for, whether your business meets each requirement, and validate that your answers reflect what the standard actually requires. If you have any questions about the SAQ, please email us rather than putting your business at risk.
:: FAQs
- I still don’t know which SAQ to complete
Just email us at askaboutcompliance@paypoint.net, quoting your account ID and stating whether you store any cardholder data either electronically or in hard copy, and we will call or email you back to assist wherever possible. Otherwise, get a professional Qualified Security Assessor (QSA) to help guide you through it.
- What shall I do if there is no one in the office that understands IT enough to complete the SAQ?
Get a professional Qualified Security Assessor (QSA) to help you through it. A list of these can be found at https://www.pcisecuritystandards.org/qsa_asv/find_one.shtml
:: Our PCI DSS Support Service Partner
PayPoint.net’s PCI DSS Support Service Partner is Sysnet.
Email askaboutcompliance@paypoint.net and quote 'Paypoint.net' to ensure that you receive the PayPoint.net Partner Benefits