
Getting PCI Compliant

What is PCI Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a global security standard set by the PCI Security Standards Council.  It applies to organisations that store, process or transmit cardholder information from any of the globally recognised card schemes, including Visa, MasterCard and American Express.

How does it affect you?

Following changes to Visa’s Account Information Security (AIS) Programme, from 1st October 2009 all merchants below Level 1 (Levels 2, 3 and 4, i.e. those processing fewer than 6 million transactions annually) must either process via a PCI DSS certified provider, such as PayPoint.net, or provide evidence of their own PCI DSS compliance to their acquirer.

If you do not comply with this industry standard you are liable to incur substantial fines, enforced by the card schemes, and you could also find yourself permanently banned from any further card processing.

(Since January 2005, more than 234 million records containing sensitive cardholder data have been breached globally. Source: PCI Security Standards Council.)

If you process your online payments using PayPoint.net’s hosted payment pages, the payment processing itself is already covered by our PCI DSS compliance; however, you will still need to complete the Self Assessment Questionnaire, which can be found on our Trustwave portal. If you store, process or transmit any cardholder data on your own business network (an API solution), you will also need quarterly vulnerability scans of that network.

Regardless of how you process your online card payments, read on to find out what steps you need to take to ensure that your business is fully PCI Compliant.

Some commonly held myths

“I only process a small number of transactions so don’t need to be PCI compliant.”
False – All merchants, large or small, need to be PCI compliant.

“I only need to complete a self assessment questionnaire to become PCI compliant.”
False – if you are using your own payment pages you will need to ensure that your systems are secure and comply with all 12 PCI DSS requirements; the questionnaire only records that you have done so. If you are using the PayPoint.net payment page, you can take comfort in the knowledge that we have achieved full PCI DSS compliance for the payment processing we perform on your behalf.

“I will get around to achieving PCI compliance when I have the time – it’s too much work.”
We would not recommend this approach. Our banking partners are required to report to Visa and MasterCard on all merchants, including those that are not compliant and have no clear action plan to address known issues. The fines that card schemes can levy on a non-compliant merchant are high. If you then experience a security breach on your own systems (where you maintain your own payment pages), daily fines can be levied and your ability to process card payments can be removed.

What do I need to confirm compliance?

The level of validation you need to provide depends largely on the number of transactions you process each year.

| Level | Criteria                                                                                         | Onsite Security Audit | Self-Assessment Questionnaire | Network Scan            |
|-------|--------------------------------------------------------------------------------------------------|-----------------------|-------------------------------|-------------------------|
| 1     | Any merchant, regardless of acceptance channel, processing more than 6 million transactions per year; or any merchant that has suffered a security breach resulting in account compromise | Audit required annually | Not required (audit instead)  | Scan required quarterly |
| 2     | Any merchant processing 1 to 6 million transactions per year                                     | Not required          | SAQ required annually         | Scan required quarterly |
| 3     | Any merchant processing 20,000 to 1 million transactions per year                                | Not required          | SAQ required annually         | Scan required quarterly |
| 4     | All other merchants                                                                              | Not required          | SAQ required annually         | Scan required quarterly |

For merchants that process using PayPoint.net’s payment pages (hosted solution), there is no requirement to provide a quarterly scan, as this is covered by our own Level 1 PCI DSS compliance validation. This applies only if you do not store, process or transmit any cardholder data on your own business network; it does not matter where your website itself is hosted, as long as no cardholder data passes through it.

If you are unsure, email us at askaboutcompliance@paypoint.net for advice.

Self Assessment Questionnaire and Network Scans

On an API solution, your network needs to be scanned on a quarterly basis in order to meet PCI DSS compliance. In addition, Level 2, 3 and 4 merchants need to complete a Self Assessment Questionnaire (SAQ) annually, while Level 1 merchants require an annual onsite audit instead.

There are four different self assessment questionnaires, but you only need to complete the one that applies to your business:

  • SAQ A
    Merchants in a Card Not Present (CNP) environment where all cardholder data functions are outsourced – this applies to you if you process card payments using PayPoint.net’s payment pages
  • SAQ B
    Merchants with standalone dial-out terminals only, not connected to the internet or to any other systems, and with no electronic cardholder data storage onsite
  • SAQ C
    Merchants with POS systems connected directly to their service provider via the internet, with no electronic cardholder data stored onsite
  • SAQ D
    All other merchants, including those in a Card Not Present (CNP) environment who process cardholder data on their own systems before passing it on (an API solution)

How do I become PCI compliant?

Thanks to our partnership with Trustwave, whichever solution you choose for your payment page (Hosted or API), TrustKeeper® acts as a centralised resource and provides a complete PCI solution for all of your compliance needs.

This includes access to all SAQ forms and, if needed, monthly network IP scans, which more than satisfy the quarterly scan requirement. You will also be provided with an intuitive PCI wizard that tells you which SAQ form you need to complete and guides you step by step through the whole PCI compliance process.

Find out more on Trustwave

Please feel free to contact us on 0800 810 0136 if you have any additional questions.