PCI DSS – FAQ
As PCI DSS is such an important aspect of accepting payments online, we have put together some FAQs to help you with any questions you may have.
Why do you need to bother with PCI DSS?
Compliance with data security standards can bring major benefits to businesses of all sizes, while failure to comply with standards can have serious and long-term financial and reputational consequences for your business.
You may find it helpful to look at the Payment Card Industry’s own review of the advantage of PCI DSS compliance on its website.
What do you have to think about?
The PCI DSS website sets out what you need to do to get started. We recommend you read this in detail together with any other information that has been supplied to you by your Acquirer. The enforcement of PCI DSS compliance rests with the Card Schemes, but the Payment Card Industry identifies three stages in the compliance process:
- Assess
- Remediate
- Report
Do I need to complete the assessment forms?
Yes. You have to complete the assessment forms within 14 working days of your IMA & Payment Gateway going live. If you fail to complete the forms within that time scale and/or fail to be PCI DSS compliant within 3 months of your IMA & Payment Gateway going live you may be subject to charges from the Schemes, your acquirer and/or PayPoint.net. PayPoint.net imposes these charges as it is a PCI compliance service provider and must ensure it processes data from a PCI compliant source. For details of PayPoint.net charges please see your Schedule or email us. Please note PayPoint.net’s charges only apply if you are not already PCI DSS compliant.
Do I need to arrange for scans?
The remediate process set out by the Payment Card Industry includes the requirement for you to scan your network with software tools that analyse infrastructure and spot known vulnerabilities. This is referred to as the "Approved Scanning Vendor (ASV) Program". PayPoint.net conducts scans of its own network, but you still need to complete scans of your own network if you have a Gateway Freedom +IMA account. Your contract with PayPoint.net also includes this obligation.
To help you with this, PayPoint.net has arranged for Trustwave, a leading PCI DSS validation solution, to offer its services to all PayPoint.net merchants. The charges for the Trustwave service, as well as registration information, are available on the Trustwave portal.
It is a requirement for your business to have scanning arrangements in place. You are free to use an alternative service provider to Trustwave, although you may be subject to additional charges from PayPoint.net due to the administrative costs associated with using other providers.
If you do not have an adequate scanning process in place for your Gateway Freedom +IMA account you may be subject to additional charges by PayPoint.net. Failure to have an adequate scanning process in place is a breach of your agreement with PayPoint.net.
What is the reporting requirement?
This is where you need to compile the records required by PCI DSS to validate remediation and submit compliance reports to the acquiring bank and the global payment brands you do business with.
Isn’t this really just an issue for PayPoint.net rather than the merchant?
PayPoint.net is an accredited Level 1 PCI DSS compliant service provider. When you use PayPoint.net, the main burden of the PCI DSS compliance obligation falls to PayPoint.net while it is holding cardholder data, but PCI DSS compliance applies to the merchant as well as to the service provider. There are still things you have to do. For example, if you hold cardholder data you are responsible for it and for its PCI compliance. You should review your own status with your PCI assessor (Qualified Security Assessor) if you have one, or via your Self-Assessment Questionnaire. You also remain responsible for assessment and reporting, even if you use PayPoint.net's services.
- If you have a Virtual Terminal +IMA or a Gateway Hosted +IMA you must complete a Self-Assessment Questionnaire (SAQ) every 12 months.
- If you have a Gateway Freedom +IMA you must complete a Self-Assessment Questionnaire (SAQ) every 12 months and complete quarterly vulnerability scans.
Further information on which validation type applies to your business can be found on the PCI website.
What is PayPoint.net’s role?
PayPoint.net is happy to confirm that, in accordance with its obligations as an accredited PCI DSS service provider, it is responsible for securing Transaction Data that is solely in the possession of and under the control of PayPoint.net. PayPoint.net complies with PCI DSS, which sets out the industry standards for maintaining a secure environment. A copy of PayPoint.net's PCI DSS compliance certificate can be found here or may be provided to the Merchant by contacting PayPoint.net's merchant support via the contact details displayed on the PayPoint.net Extranet.
This statement is in the process of being added to PayPoint.net's current terms of business, which can be seen on our legal pages.
What if I need more help?
Trustwave (or your selected PCI DSS assessor) is your primary source of information regarding your own position and the status of your systems. However, if you need general information on PayPoint.net's accreditation, please email askaboutcompliance@paypoint.net.