Are you PCI Compliant?
For any business that processes card payments, PCI Compliance is now a hugely important part of ensuring your daily processes are secure. Here at Suresite, we are committed to helping all our customers achieve this standard of compliance and improve data security. To do this, we’ve put together a list of all the questions on PCI you might have.
After reading this, we highly recommend your next steps are to begin preparing your business for compliance by following the steps in ‘What Can I do to Prepare?’
What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. It came about due to critical awareness that fraud and identity theft were on the rise. In response, a federation of companies led by MasterCard Worldwide and Visa International set out to establish consistent data security measures for merchants, banks, and service providers. The result is the multifaceted security standard known today as PCI DSS. It includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures.
As technology and society evolve, the threats to customer payment information continue to grow. To combat these, the PCI Council periodically publishes updated, versioned releases of the requirements. The latest version of PCI DSS is v3.2.
For more information about the current PCI DSS, you can visit the PCI Council website here:
If your company works to the requirements of the PCI programme, it can maintain the ongoing security of cardholder data on behalf of all its customers.
Does this apply to me?
Visa and MasterCard require all merchants who accept payment cards to be compliant with PCI DSS. Compliance also forms part of the terms and conditions of your Merchant Agreement with your acquiring bank. PCI DSS outlines four levels of compliance, determined by the number of card transactions a business processes each year. The scale ranges from Level 4 merchants, processing up to 1 million card transactions per year, to Level 1 merchants, who process over 6 million. Small and medium-sized businesses, such as those within the Suresite network, will require PCI DSS Level 4 compliance.
Why is it Important?
PCI compliance is not a legal requirement, but it is nonetheless of high importance. Those who do not comply may be subject to fines, card replacement costs, costly forensic audits and brand damage. The principles and requirements of PCI DSS, such as implementing a secure network and regularly monitoring and testing it, reduce the risk of fraudulent use. Being compliant is proof to your customers that their data is in safe hands.
Attaining compliance can require a considerable investment of time, but this is justified by the benefits it provides.
Furthermore, once you have reached certification, maintaining it requires relatively little effort.
How do I become PCI DSS compliant?
As a Level 4 merchant, you will be required to complete and pass an annual Self-Assessment Questionnaire (SAQ).
Depending on your card processing setup, you may also be required to perform and pass quarterly network vulnerability scans.
Any third parties involved in the storage, processing or transmission of payment cardholder data are also required to be PCI compliant, and you will need to declare your knowledge of this as part of the validation process.
What is Suresite doing to help?
Suresite have been working directly with our acquirer and their security partners to ensure the process of becoming compliant with the PCI DSS is made as simple as possible.
A purpose-built web portal service has been designed to help you reach, record and maintain your compliance.
When you receive the registration documents for the portal, simply follow the instructions within this documentation to validate your compliance status online.
What can I do to prepare?
There are a number of simple steps that you can take to improve your data security:
- Create and maintain an Information Security Policy
- Create employee data security training materials and conduct any necessary training
- Avoid storing full payment cardholder data unless there is a specific business requirement, such as merchant receipt copies.
- Create and test an Incident Response Plan
- Obtain written agreements from Service Providers concerning their handling of card data
- Verify that the devices you use are on the list of approved devices published by the PCI Council. If your device is not on the list, its approval may have expired and you will need to look into upgrading before you can become PCI compliant.
To assist you with this preparation, templates of some documents can be provided upon request and will soon be available for download on our Customer Web Portal. These templates should be used as a guideline and adapted according to your own business model.
We also highly recommend the following website hosted by the PCI Council, which specialises in PCI guidance for smaller merchants. It offers downloads of four useful documents:
- Guide to Safe Payments
- Common Payment Systems
- Questions to Ask Your Vendors
- Glossary of Payment Terms
Will I have to pay?
As with any acquirer, there are costs associated with PCI Compliance. There will be a small monthly fee for the use of the portal, which will enable you to achieve compliance. This cost covers expert PCI DSS help and support from a dedicated helpdesk team. If you do not complete your PCI compliance within 3 months, an additional non-compliance fee will be charged until you reach compliance.