What is ‘PCI DSS’?
PCI DSS is an abbreviation for Payment Card Industry Data Security Standard. Organisations processing, storing and/or transmitting credit card details must be PCI DSS compliant. How compliance is validated depends on your transaction volumes (your merchant level): it may involve an annual on-site audit, quarterly vulnerability scans and/or a self-assessment questionnaire.
What is required to be PCI DSS compliant?
PCI DSS requirements apply wherever a Primary Account Number (PAN) is stored, processed or transmitted; where no PAN is stored, processed or transmitted, they do not apply. So if your company stores or transmits the PAN (usually the 16-digit card number itself) in any way, even if it is only passed straight through to a ‘real time’ payment gateway, your business must validate its PCI DSS compliance in its own right. The merchant levels that determine how compliance is validated are as follows:
- Level 1 – Visa and MasterCard transactions totalling over 6 million per year worldwide, and any merchant who has experienced a data breach.
- Level 2 – Visa and MasterCard transactions totalling 1 million to 6 million per year.
- Level 3 – Visa and MasterCard e-commerce transactions totalling 20,000 to 1 million per year.
- Level 4 – Visa and MasterCard e-commerce transactions totalling fewer than 20,000 per year (and all other merchants processing up to 1 million transactions per year).
What is included in Cardholder Data?
At a minimum, cardholder data consists of the full PAN. It may also consist of the full PAN together with any of the following:
- Cardholder name
- Expiration date
- Service Code
What are the benefits of being PCI DSS compliant?
By being PCI DSS compliant, you protect your three most important assets: your brand, your customers and your cash flow. You will benefit by:
- Managing the risk of identity theft and credit card fraud
- Boosting customers’ confidence in your security
- Increasing the protection of customers’ data
- Avoiding penalties and fines imposed by banks or card companies
- Staying competitive in the marketplace
- Reducing the risk of negative cash flow impacts
These requirements can seem daunting and overly technical at first. IP Solutions provides end to end ecommerce consultancy and security remediation services and we have years of experience in this area so contact us to simplify your PCI DSS journey.
What are the deadlines for complying with PCI DSS?
Compliance is mandated by the payment card brands, and for most merchants the deadlines for validating compliance with the PCI DSS have already passed. Check with your acquirer and/or merchant bank whether any specific deadlines apply to you, based on your merchant transaction volume (level) as determined by the card payment brands.
How do I know if PCI applies to my business?
If your business accepts credit cards, whether over the internet or on paper, then PCI applies to your business. The general rule is that if you process, store or transmit cardholder data then you must adhere to the Payment Card Industry Data Security Standard v2.0 (PCI DSS v2.0), which includes additional requirements (Appendix A) for shared hosting providers holding cardholder data in multi-tenant environments. The PCI Security Standards Council (PCI SSC) has officially released the PCI DSS v3.0 standard, but much remains to be done before merchants, service providers and assessors know how the new mandates will affect the payments industry. Keep checking our website to stay up to date.
How do I prove to my bank or my customers that my business is PCI compliant?
Depending on the number of transactions performed annually, merchants and service providers must have quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV), and must either complete a Self-Assessment Questionnaire or have a Qualified Security Assessor (QSA) audit the business entity against the PCI DSS.
If I use a payment processor for all of my credit card processing and storage do I still have to comply with the PCI DSS?
As a merchant and the owner of the credit card merchant facility, in most cases yes. Contact your acquiring bank to determine their expectations of your business. If you are not PCI DSS Compliant remember IP Solutions provides a PCI DSS Certified payment processing solution that can be customised to meet your unique business requirements.
What is the PCI DSS Attestation of Compliance?
If your company handles credit card data electronically, it must attest annually that it is complying with the Data Security Standard. This involves delivering a package of two or three items:
- A Self-Assessment Questionnaire, or a Report on Compliance prepared by a Qualified Security Assessor (only required of the very largest companies)
- Regular network or web site scanning by an Approved Scanning Vendor (not required in some cases)
- An Attestation of Compliance
Under PCI DSS v2.0 there are five versions of the Attestation of Compliance, matching the five versions of the Self-Assessment Questionnaire (SAQ A, B, C, C-VT and D). If you qualify to use version A of the Questionnaire, use version A of the Attestation, and so on.
What can happen if I choose not to comply with the PCI DSS?
If you choose not to comply with the PCI DSS then you risk:
- Potentially being fined by your acquiring bank
- Potentially being restricted from accepting credit cards as a payment method
- Greater risk of potential financial loss arising from security incidents
- A system compromise may result in fines and/or restrictions. While data breach reporting is not mandatory at this stage, the OAIC (Office of the Australian Information Commissioner) does have powers to fine organisations for not adequately safeguarding clients’ personal information.
What do I need to consider regarding mobile devices and tablets for employees in a store environment, as it relates to PCI compliance?
One of the key things is to determine what the devices are going to be used for and whether or not they’ll be used to process transactions or have any payment card data processed through them or stored on them. If so, they will fall into scope for PCI compliance. Even being on the same network as systems that store, process or transmit payment card data will bring these devices into scope. While the PCI guidelines might not have specific requirements yet for every aspect of mobile applications and devices, they are clear around keeping cardholder data protected, wherever it may be.
This is such a new area for many merchants that they aren’t properly addressing security issues or updating their employee guidelines or policies to deal with them adequately. You can’t take it for granted that employees will know what to do in a given situation or think about the ramifications of bringing their own devices into retail or working environments. Make them aware of the need for compliance and why it’s important to customers and to the business.
What is tokenisation?
Tokenisation, in its simplest form, is another way of saying ‘data substitution’. It is the act of using a substitute value, or ‘token’, which has no inherent value, in place of data that does have value. That way, if a system using tokens is compromised, it is the tokens that are taken, not the actual valuable data. Tokenisation works by taking the original data value (for example the PAN) and generating a substitute value, usually with a cryptographically secure random number generator, so that the token cannot be derived from the PAN or reversed without the vault. The mapping between the original data and the token is maintained in a secure database (the token vault). Obviously, with tokenisation, it is imperative to protect the database that contains the mappings between the original data and the tokens, because it is the one place where the PAN can be recovered.
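The following is an added illustration of the substitution described above; it is not IP Solutions' product code. It assumes (hypothetically) a 16-digit token that keeps the last four PAN digits for display, an in-memory dictionary standing in for the protected mapping database, and a keyed hash (HMAC) as the lookup index so the same card always receives the same token without the vault keeping a plaintext PAN index.

```python
"""Minimal tokenisation vault (illustration only, not a product implementation).

Assumed design (hypothetical): a token is 12 digits drawn from a CSPRNG plus the
last four digits of the PAN, is deliberately Luhn-invalid so it can never be
mistaken for a live card number, and the token->PAN mapping lives in a dict
that stands in for the secured vault database.
"""
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_well_formed_pan(pan: str) -> bool:
    """Basic input validation: 13-19 digits and a valid Luhn checksum."""
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)


def mask(pan: str) -> str:
    """Display form allowed outside the vault: first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """The mapping store; everything in here is in scope for PCI DSS."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # secret key for the PAN lookup index
        self._token_to_pan = {}       # token -> PAN (the data that must be protected)
        self._index_to_token = {}     # HMAC(PAN) -> token, avoids a plaintext PAN index

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenise(self, pan: str) -> str:
        """Return the token for `pan`, creating one if the card is new."""
        if not is_well_formed_pan(pan):
            raise ValueError("not a well-formed PAN")
        idx = self._index(pan)
        if idx in self._index_to_token:
            return self._index_to_token[idx]
        while True:
            # Random part from a CSPRNG: the token carries no information about the PAN.
            token = "".join(secrets.choice("0123456789") for _ in range(12)) + pan[-4:]
            # Reject Luhn-valid candidates so a token can never pass as a real card number,
            # and reject the (astronomically unlikely) reuse of an existing token.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._index_to_token[idx] = token
        return token

    def detokenise(self, token: str) -> str:
        """Recover the PAN; only the payment processing path should call this."""
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault(b"constructed-demo-key")
    test_pan = "4111111111111111"          # constructed: well-known Visa test number
    tok = vault.tokenise(test_pan)
    print("store this:", tok, "display this:", mask(test_pan))
    print("round-trip ok:", vault.detokenise(tok) == test_pan)
```

Systems outside the vault only ever see `tok` and `mask(pan)`, which is why they can drop out of PCI DSS scope; the vault itself, its key and its database remain fully in scope.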
If I implement a tokenisation solution, am I still required to comply with PCI DSS?
Yes. Tokenisation can significantly reduce the scope and ongoing cost of PCI DSS compliance, because systems that only handle tokens no longer hold cardholder data, which reduces the time and money spent securing the network environment day to day. However, under the PCI DSS every merchant must still validate and maintain compliance for the systems that remain in scope.
What is managed network security?
Managed network security is the outsourcing of network security tasks or processes to a third-party service provider, solution provider or value-added reseller. Outsourced responsibilities often include device management, monitoring and remediation; email security, including anti-spam, anti-malware and IP filtering; network intrusion detection and prevention; asset classification and change management; data leak protection; and the creation of access control policies.
What kinds of functions are performed as part of network management?
Functions that are performed as part of network management include:
- Controlling, planning, deploying, and monitoring the resources of a network
- Network planning
- Configuration management
- Fault management
- Security management
- Patch management
Where is my customer data held? Is it stored overseas?
No. Server infrastructure is housed within a number of Tier III standard (or higher) data centres. These data centres offer world-class facilities including temperature and humidity controls, earthquake protection and advanced fire control systems. The facilities are monitored 24 hours a day, 7 days a week, 365 days a year, with multiple security layers including guards, CCTV, photo access cards, “man traps” and locked server cabinets. They are serviced by fault-tolerant and redundant power systems comprising dual mains (utility) power feeds and Uninterruptible Power Supply (UPS) filters with back-up diesel generators.
How do I administer my transactions?
Please login to the IP Solutions administration portal with your nominated user name and password. If you have forgotten your details you can retrieve your details via the login page forgotten details retrieval facility. (https://www.ippayments.com.au/crm/logon.aspx?x=ipsi)
Alternatively email support at firstname.lastname@example.org
How do I pay my invoices by Credit Card?
To pay your invoice by credit card click here. Please note a surcharge of 1% applies to credit card payments.
I need your help, what do I do next?
Simply call IP Solutions on 1300 975 630 and have a chat to one of our consultants. We will determine what the next steps for you should be.