Version 3.1 of the PCI DSS security standard was released in April 2015. It updated the definitions for online and in-store data security. For a retailer this means two key differences.
Firstly, the self-assessment questionnaires (SAQs) that a retailer is obliged to complete have changed.
Secondly, the website scanning agencies, such as SecurityMetrics and Trustwave, are now testing websites against this new set of standards.
PCI Self-Assessment
The following flow chart is an excerpt from the PCI Security Standards publication found here:
https://www.pcisecuritystandards.org/documents/SAQ_InstrGuidelines_v3-1.pdf
This flowchart is provided to help an online retailer assess which SAQ form will be needed. If you are using a Connect website provided and hosted by Intelligent Retail, then the payment pages use either a Sage Pay iFrame implementation or a URL redirect to Worldpay or PayPal. When an iFrame or a URL redirect is used to collect cardholder data, all aspects of card payment collection, processing, storage and transmission are carried out on a third-party server hosted by the payment service provider (i.e. Sage Pay, Worldpay, PayPal etc.).
Both iFrame and URL redirect implementations are covered by the second box from the left, which indicates SAQ-A as the appropriate form.
Note: This is for eCommerce sales only. For a bricks-and-mortar store or hybrid business further advice may need to be gained from one of the sources below.
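The SAQ-A route above rests on one condition: the merchant-hosted site never receives cardholder data, because the iFrame or redirect sends it straight to the payment service provider. The following check, added here as an example and not code from the original article or from Intelligent Retail, scans a set of captured requests and flags any request to the merchant host whose body carries a Luhn-valid card number. Hostnames are placeholders and the traffic is constructed; the card number is the widely used 4111 test PAN.

```python
import re

# Luhn check: every issued PAN passes it, so a Luhn-valid run of 13-19
# digits inside a request to the merchant host is a strong signal that
# cardholder data is reaching infrastructure that should be out of scope.
def luhn_valid(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# 13-19 digits, optionally separated by spaces or hyphens, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers (digits only) found in text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found

def out_of_scope_violations(requests: list, merchant_host: str) -> list:
    """Requests to the merchant host whose body contains a PAN.
    With a working iFrame/redirect integration this list should be empty;
    the merchant site should only ever see order references and PSP tokens."""
    return [r for r in requests
            if r["host"] == merchant_host and find_pans(r["body"])]

# Constructed sample traffic (placeholder hosts, not real endpoints).
SAMPLE_REQUESTS = [
    # card details posted to the PSP's own host, as the iFrame is meant to do
    {"host": "psp.example",  "body": "cardNumber=4111111111111111&expiry=1230&cvv=123"},
    # merchant site receives only an order reference and a PSP token
    {"host": "shop.example", "body": "order_ref=ORD-1001&psp_token=tok_abc123&amount=49.99"},
    # a misconfigured form posting the card number to the merchant site
    {"host": "shop.example", "body": "order_ref=ORD-1002&card=4111 1111 1111 1111"},
]

if __name__ == "__main__":
    for r in out_of_scope_violations(SAMPLE_REQUESTS, "shop.example"):
        print("cardholder data reached merchant host:", r["body"])
```

Run it over a sanitised sample of real request bodies from a test order to confirm the merchant-hosted site stays out of scope before signing the SAQ.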
Completing Form SAQ-A
As you will see, the types of questions on this form are not specific to the hosting environment. If you require assistance with completing areas of the form, there are three points of contact:
1) Your acquiring bank will be able to provide further advice to relevant questions.
2) Your payment brand (Sage Pay, PayPal etc.) will be able to advise on questions related to their specific solutions.
3) A Qualified Security Assessor (QSA) is a certified professional who can assist in all areas of the PCI compliance process. You can verify these organisations here:
https://www.pcisecuritystandards.org/approved_companies_providers/verify_qsa_employee.php
Note: In all areas of the payment process Intelligent Retail does not collect, store, process or transmit any payment card data. Intelligent Retail is not certified to provide guidance or advice on PCI compliance for your business.