PayGuard is a Level 1 PCI DSS compliant payment solution. We remove the stress of being compliant in a simple and affordable way. We also offer many more benefits, which you can find out about here, or contact us for a free demonstration.
PCI DSS Compliance
Taking compliant card payments
If you need to know what the PCI DSS is, and whether you need to comply with it, take a look below. Here we delve into the detail and (hopefully) make PCI DSS Compliance simple!
Taking Payment By Card
If you want to take debit or credit card payments, you need to do so in a secure way. In fact, you are required to.
PCI DSS compliance is compulsory for any organisation, anywhere in the world, that stores, processes or transmits cardholder data.
What is the PCI DSS?
The Payment Card Industry Data Security Standard
PCI DSS is the information security standard maintained by the PCI Security Standards Council, which was founded by the major card brands (Visa, Mastercard, American Express, Discover and JCB).
The standard exists to reduce card fraud, and compliance with it forms part of the card schemes' operating regulations: the rules under which merchants (you) are allowed to hold and operate merchant accounts.
PCI DSS Requirements
The standard has 12 high-level requirements, which fall into the six categories below:
Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect data
- Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Protect stored cardholder data (for example with strong encryption, and never store sensitive authentication data such as the full magnetic stripe, CVV2 or PIN after authorisation)
- Encrypt transmission of cardholder data and sensitive information across open, public networks
Maintain a Vulnerability Management Program
- Protect all systems against malware and regularly update anti-virus software
- Develop and maintain secure systems and applications, with a managed process for identifying and patching vulnerabilities
Implement Strong Access Control Measures
- Restrict access to data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an Information Security Policy
- Maintain a policy that addresses Information Security
What If I Don’t Comply?
There are considerable card scheme fines associated with non-compliance following a data compromise; these can range from ten thousand to hundreds of thousands of pounds. Many non-compliant merchants have ceased trading because the fines could not be accommodated. Other consequences of a breach include:
- Loss of customer confidence
- Diminished sales
- Cost of reissuing new payment cards
- Fraud losses
- Higher subsequent costs of compliance
- Legal costs, settlements, and judgments
- Fines, penalties, and cost of forensic investigation
- Termination of ability to accept payment cards
- Lost jobs (CISO, CIO, CEO and dependent professional positions)
- Going out of business
How do I become PCI compliant?
In a nutshell, there are four merchant levels, which relate to the volume of card payments you take and how you take them. Payments can be online, over the phone, or in store, with Level 1 being the highest volume of received payments.
Level 1 applies if you take a lot of payments (more than six million transactions annually across all channels), and Level 4 applies to e-commerce merchants taking fewer than twenty thousand transactions annually, or non-e-commerce merchants processing up to one million payments each year.
Common PCI DSS Compliance Myths
There are many incorrect assumptions out there, and here are just a few:
I don’t take payments over the phone, so it doesn’t apply to me. The PCI DSS applies to card payments over all channels, including in store and online.
I don’t record telephone calls, so I am compliant. In this case you have met a single requirement out of hundreds. This alone does not make you compliant.
I pause the call recording, which makes us compliant. Manual ‘pause and resume’ is not compliant. Automated ‘pause and resume’ still leaves your entire network in scope, along with your staff, because card details are still spoken to your agents and entered on your systems. Chances are you are not compliant.
Common PCI DSS FAQs
How do I get PCI DSS compliance?
Get in touch with us and we can provide an initial assessment free of charge.
What does PCI DSS stand for?
Payment Card Industry Data Security Standard
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is the information security standard maintained by the PCI Security Standards Council, which was founded by the major card brands (Visa, Mastercard, American Express, Discover and JCB).
What is PCI DSS compliance?
This means the extent to which you comply with the requirements of the Data Security Standard, ensuring customers’ card information is protected.
What is PCI DSS standard?
The PCI DSS is issued by the PCI Security Standards Council (PCI SSC) and is updated from time to time. You can find a copy of the latest version on their website: https://www.pcisecuritystandards.org/
Is PCI DSS compliance mandatory in the UK?
Yes. It is mandatory worldwide. It is not a law, but a contractual requirement imposed through your merchant agreement with your acquiring bank and the card schemes, so the consequences of non-compliance are commercial (fines and loss of the ability to accept cards) rather than criminal.
How do I get PCI DSS certified?
This depends on how many payments you take, and how you take those payments (online, over the phone, in store). You may need to complete one of several Self-Assessment Questionnaires (SAQs), have the parts of your network that are ‘in scope’ scanned each quarter by an Approved Scanning Vendor, and sign an Attestation of Compliance form. Get in touch and we can provide a free assessment.
What is a PCI DSS self assessment questionnaire?
Known by the acronym SAQ, a Self-Assessment Questionnaire is a form that you complete in which you confirm that you meet each requirement of the PCI DSS that applies to you. Which SAQ you complete depends on how you take payments; the fewer of your systems that touch cardholder data, the shorter the questionnaire.
What is PCI DSS level 1?
There are four levels, and Level 1 relates to any merchant that processes more than six million transactions annually via all channels, or that is identified as Level 1 by any Visa region. Level 1 merchants are required to have quarterly network scans performed by an ASV (Approved Scanning Vendor), and are required to undergo an annual ROC (Report on Compliance) completed by a QSA (Qualified Security Assessor).
Taking PCI compliant payments over the phone
It is really tricky to comply with the PCI DSS requirements if you are taking payments over the phone without using an application like PayGuard, because card details spoken to an agent bring that agent, their workstation and your telephony and network into scope.
PayGuard® PCI DSS compliance solutions remove your staff, your network, and your business from the scope of the PCI DSS when taking phone payments, making annual compliance a cinch and keeping your customers’ card information secure.