Helpsheet – PCI Compliance Q&A

This document aims to provide answers to some common questions about PCI DSS compliance. For the latest information about PCI DSS, please refer to
https://www.pcisecuritystandards.org

What is PCI DSS?

PCI DSS is a set of requirements for enhancing payment data security. It was developed by the PCI Security Standards Council, which includes companies such as American Express, MasterCard, Visa and others, to deliver broad adoption of consistent data security measures on a global basis. The Council is also responsible for enhancing the PCI DSS to ensure that the standard includes any new or modified requirements necessary to mitigate emerging payment security risks, while continuing to foster wide-scale adoption.

Who has responsibility for PCI?

Responsibility lies with the merchant and the card acquirer. Your acquirer will contact you at some point to check your compliance. Compliance is mandatory for all merchants who store, process or transmit ‘cardholder data’ by any method, for example handling cards in person, taking details over the phone or on paper. Companies such as Intelligent Retail, Commidea or SagePay are not responsible for your compliance.

How is “cardholder data” defined?

Cardholder data is the full Primary Account Number (PAN) plus any of the following: Cardholder Name, Expiration Date, Service Code. The PAN is the 13-16 digit number printed on the payment card itself. A truncated number (XXXXXXXXXXXX1234, where X represents removed digits) is NOT considered a PAN. The PCI DSS applies to any business that stores, processes, transmits or has access to cardholder data.
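An added example (not part of this helpsheet or of any Intelligent Retail software) showing how the PAN definition above is applied in practice: a small Python scrubber that finds 13-16 digit candidates in constructed log lines, confirms them with the Luhn check-digit test that payment card numbers satisfy, and truncates them to the last four digits so that what remains is no longer a PAN under the definition above. The regex, function names and sample lines are assumptions constructed for this example; the card numbers are publicly known test numbers.

```python
import re

# Candidate PAN: 13-16 digits, optionally separated by single spaces or dashes,
# and not part of a longer digit run. (Pattern assumed for this example.)
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")

# Constructed sample log lines; the card numbers are publicly known test numbers.
SAMPLE_LOG = [
    "2024-03-01 10:15:02 order=10045 card=4111 1111 1111 1111 amount=19.99",
    "2024-03-01 10:16:40 order=10046 card=378282246310005 amount=120.00",
    "2024-03-01 10:17:05 order=10047 ref=1234567890123456 note=not a card",
    "2024-03-01 10:18:11 order=10048 card=XXXXXXXXXXXX1234 already truncated",
]

def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test, which every payment card PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def truncate_pan(digits: str) -> str:
    """Keep only the last four digits, the XXXXXXXXXXXX1234 form described above."""
    return "X" * (len(digits) - 4) + digits[-4:]

def mask_pans(text: str) -> str:
    """Replace each Luhn-valid candidate with its truncated form; other numbers are left alone."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return truncate_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(repl, text)

def scrub_log(lines: list[str]) -> list[str]:
    """Scrub a list of log lines so that none of them still holds a full PAN."""
    return [mask_pans(line) for line in lines]

if __name__ == "__main__":
    for line in scrub_log(SAMPLE_LOG):
        print(line)
```

A number that merely has the right length but fails the Luhn check (the `ref=` value) is left untouched, and an already truncated number is not matched at all, since only four digits remain.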

Who are Intelligent Retail’s Payment Service Providers and are they Compliant?

Intelligent Retail partners with fully PCI compliant Payment Service Providers (PSPs) to manage card payments and cardholder data on your behalf. Intelligent Retail itself is not a Payment Service Provider (defined by PCI as any company that stores, processes, or transmits cardholder data on behalf of another entity) and has no plans to become one; our policy is to outsource these activities. The companies we selected are experts in their fields: they look after the storage, processing and transmission of cardholder data and as such provide compliant services for Chip and Pin and Online Payments. These PSPs are detailed below:

  • Commidea (Chip and Pin): PCI Compliant.
  • SagePay (Online Payments): PCI Compliant Level 1 Payment Service Provider (Certificate)
  • PayPal (Online Payments): (Information on compliance)
  • WorldPay (Online Payments): PCI compliant.
  • HSBC (Online Payments): PCI Compliant.

I am a small merchant who has a small number of transactions per month. Do I need to be PCI compliant?

Whether small or large, all merchants need to be PCI compliant.

I have been asked to fill in a form by my bank, what do I do?

We have had several retailers ask us to help them fill in forms. We cannot answer the questions for you, but we have provided a helpsheet, “PCI Compliance – IR Responses to SAQ C”, to lend a helping hand with the most common form that our retailers are asked to complete (SAQ-C). If you have questions about PCI compliance and filling in forms, you should talk to your Payment Service Provider (PSP), who should be able to help.

Do I need a scan of my website?

If you use a payment service provider (PSP) where all payment card details are captured at the PSP’s website, a security scan of your own website is not required for PCI DSS compliance. However, a scan of your website can provide added security, and some banks may ask for it. Scanning your website does not mean that you are fully PCI compliant, as there is more to PCI compliance than just a scan. This is why Intelligent Retail uses approved PSPs. At the request of some acquirers, Intelligent Retail has teamed up with Security Metrics to provide vulnerability scans for our customers on request.

Am I really PCI compliant?

Full compliance means you would pass a formal audit against the standard. This is extremely hard for a small company to achieve unless a compliant Payment Service Provider (PSP) is used. Larger companies can invest sums of around £250,000 in PCI compliance. Very stringent rules apply which are difficult for small companies to adhere to. This is why it is better to rely on PSPs such as SagePay to ensure compliance.

Where do I go for more information?

Your Payment Service Provider can provide more information, as can your bank. There are also companies accredited by the PCI Security Standards Council that employ Qualified Security Assessors (QSAs) and will offer expert consultancy should you need it. Here is a link to the accredited organisations:
https://www.pcisecuritystandards.org/qsa_asv/find_one.shtml