The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards that ensures all companies that accept, process, store or transmit credit card information do so in a secure environment. The Payment Card Industry Security Standards Council (PCI SSC) was launched on 7 September 2006 to manage the ever-growing Payment Card Industry and the security standards involved. It was created by the major card brands Visa, MasterCard, American Express, Discover and JCB to administer and manage PCI DSS. Primarily established to prevent financial fraud, the PCI DSS requirements serve to ensure customers are less vulnerable to theft.
How can my business become PCI compliant?
The Self-Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants and service providers in self-evaluating their compliance with the PCI DSS. The acceptance method and the number of transactions you process determine which questionnaire you are required to complete. There are three main categories for our merchants:
Are you a Worldnet eCommerce customer?
Merchants who only process payments using eCommerce. This is divided into two sections:
SAQ-A: This questionnaire relates to merchants who take payments on their website and use their service provider's hosted payment page to accept the card details. When the customer is prompted to enter their card details they are redirected to a secure payments page provided by their PSP. This shifts the major requirements from the company to its PSP, as the company itself does not process or store the card details. Worldnet's biggest example of a merchant who uses a hosted payment page would be The Guinness Storehouse. They use an iframe built into their website, making the payment process seamless and easy for their customers. This questionnaire is the simplest of them all, as this acceptance method carries the least risk for a company.
SAQ-D: This questionnaire relates to companies that take payments on their own website. As it is their responsibility to ensure the safety of all card details they are accepting, they are required to implement additional procedures and processes. There are over 100 requirements for someone who takes payments on their own website, along with the added cost of various network scans that must be completed every few months. This is by far the riskiest method of accepting payments.
Please note that other questionnaires may apply to you if the method by which you accept transactions differs from the two described above.
Are you a Worldnet Virtual Terminal customer?
Merchants who only process payments using a Virtual Terminal.
SAQ C-VT: This questionnaire relates to merchants who use an internet-based Virtual Terminal, such as Worldnet's. It checks that Virtual Terminal merchants do not write down or store any of the card details they are accepting over the phone. This is again a lengthy questionnaire, as the method carries a higher risk to data security. Worldnet's Virtual Terminal offloads the majority of our merchants' obligations, as they have no permanent access to card details, which reduces their liability. Using Worldnet's SecureCard facility, every card detail is tokenised, giving the merchant and their customers an added layer of security to protect against theft or fraud.
SAQ-C: This questionnaire relates to merchants with payment application systems connected to the internet. Worldnet's biggest example of this would be our Relay integration. Our software is built into their system, which is connected via the internet, making the payments process effortless for our Insurance merchants. The merchant does not have permanent access to cardholder data, so the questionnaire takes this into account and is less extensive than the others.
Are you a Worldnet Mobile Customer?
Merchants who only process Mobile POS payments.
As yet there is no PCI DSS guide for Mobile POS transactions. This does not mean these merchants are free of their PCI obligations. They are advised to refer to the SAQ C-VT questionnaire, as it has similar requirements, or to contact their acquiring bank or PCI provider, who will advise which questionnaire to complete. A guide for Mobile POS is expected in the upcoming year.
If merchants use two or more of these methods of accepting payments, they may need to complete a larger questionnaire to ensure they cover the requirements for each acceptance method. Alternatively, they may need to complete two or more of the questionnaire types to ensure they are PCI compliant. This is decided by the acquiring bank or PCI provider.
Larger companies will be assessed by a Qualified Security Assessor who has been assigned by their acquiring bank. Once the acquiring bank has identified which category the business fits into, it is easier from there on to evaluate the requirements that apply.
What does Worldnet’s PCI level 1 compliance mean?
Worldnet is PCI level 1, which means we process over 6,000,000 transactions a year. As this is such a high volume of transactions, we are subjected to an annual audit by Sysnet Global Solutions, a cyber security and compliance management company. They complete various tests, such as penetration testing, application vulnerability assessment, and industry best-practice tests covering data security and encryption, business practices, training and so on, to ensure our systems and processes are fully PCI compliant. In addition, because we are at the highest PCI level we are also subject to network scans every quarter to ensure our networks and data storage are secure.
Fines for breaches of PCI DSS
Given that PCI DSS is a compulsory requirement for any business accepting card payments, the easiest and cheapest option is to remain compliant at all times. Whilst pricing options vary depending on the acquiring bank, breaches of compliance often see an increase in fees of up to 400% per month until the organisation validates its certificate.
For level 1 PCI compliance companies, such as Worldnet, fines for breaches of non-compliance would be as follows:
Months of non-compliance    Fine
1 to 3                      $10,000
4 to 6                      $50,000
It is worth noting that even though a company is PCI compliant, this does not mean it can never be breached. Compliance with PCI regulations will help to alleviate vulnerabilities. Nevertheless, it is still possible, however unlikely, that a breach may occur. Being PCI compliant does not give a company any legal protection if there is a breach, and it will still be liable for the resulting damages. PCI DSS is ever changing: as newer technology is released, newer processes must be put in place. Merchants should always be aware of these updates and implement them, or they could face charges for non-compliance.
If you require any more information about PCI compliance, please follow this link: https://www.pcisecuritystandards.org
Or contact Worldnet today to receive fully PCI compliant debit and credit card processing: http://www.worldnetmerchant.com/contact