Concerned about PCI Compliance? – CloudSpark can help your business


Recent breaches against major retailers have put payment card industry (PCI) regulations in the spotlight. However, it isn't only online companies and websites that need to worry about PCI Compliance: the rules apply to every business that relies on credit and debit cards for transactions.

Even if your business employs two people and it conducts one credit-card transaction a month through a simple onsite PDQ machine, it must be PCI compliant.

Read our guide below on the facts of PCI compliance and check how your business needs to comply.

What is PCI Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) applies to every organization that processes credit or debit card information, including merchants and third-party service providers that store, process or transmit credit card/debit card data.

How do I become compliant?

PCI Compliance has two parts: a questionnaire about how you protect the card data you handle, and in some cases a software scan of your website, office and/or shop to make sure it is secure. Together, the questionnaire and scan confirm that you meet the list of PCI requirements, which include things like having a secure network, regular testing and a security policy.

The questionnaire has to be filled in once a year and sent to your "acquirer" (the company which provides your merchant bank account, such as Barclays or HSBC merchant services). The scan should be done quarterly by an Approved Scanning Vendor (ASV) and is usually fully automated.

If you have multiple premises all taking card transactions then the process must be repeated for each individual site. All terminals (PDQ or Virtual Terminal on a PC) within your business must be compliant.

PCI Compliance questionnaires

Depending on how your business operates, there are different types of questionnaire that must be completed for PCI Compliance. Type A is less in depth than B, and so on up to the D questionnaire, which requires far greater detail and technical input.

The table below will tell you which must be completed for your business.

| Where you process payments | Questionnaire | Software scan | Approx cost |
|---|---|---|---|
| Website using Google Checkout, NoChex or PayPal without a virtual terminal | No | No | N/A |
| Website using SagePay or WorldPay or similar without the virtual terminal | Yes (A) | No | £100 per year |
| Website which takes card details itself | Yes (D) | Website scan | £500+ per year |
| Dialup PDQ terminal in your shop or office, but no internal database of card numbers | Yes (B) | No | £100 per year |
| Virtual terminal (inc. PayPal or SagePay) in your shop or office, where you type card numbers into a computer connected to the Internet, but no internal database of card numbers | Yes (C) | Shop/office scan | £500 per year |
| Internet connected POS (inc. IP PDQ) system in your shop or office, but no internal database of card numbers | Yes (C) | Shop/office scan | £500 per year |
| Any company with a database of card numbers on a computer in their shop or office | Yes (D) | Shop/office scan | £1000+ per year |

PCI Myths

(Source: PCI Security Standards Council – PCI SSC)

Myth: I’m a small merchant who only takes a handful of cards, so I don’t need PCI.
Fact: It is a common misunderstanding that small merchants handling only one or a few credit cards a year are exempt from PCI Compliance. If you are a merchant and are set up to take credit/debit cards by any mechanism, then you need to be compliant.

Myth: PCI only applies to e-commerce companies.
Fact: No, PCI applies to every company that stores, processes or transmits cardholder information. In fact, anyone who takes card-present transactions involving POS devices is typically more at risk than an e-commerce solution. Quite often these types of transactions involve storage of track data (which is forbidden under PCI). Compromise of this type of data may bring heavy fines and requests for compensation from the banks involved.

Myth: You only have to be PCI compliant with the majority of criteria.
Fact: The pass mark for PCI is 100%, so if you fail even one of the criteria, you are not PCI compliant. The standard is not meant to be something to strive for; it is essentially a floor, a basis for further security measures. Failing to achieve even one of the requirements is failing to meet a basic standard for handling cardholder information. All companies that routinely handle this type of data should be aiming to exceed the standard. It's just good business.

Myth: As a merchant, I did not sign anything saying I would be compliant, therefore, I don’t need to be.
Fact: The PCI standard forms part of the operating regulations, the rules under which merchants are allowed to operate merchant accounts. Even if you have been in business for decades, PCI still applies if you store, process or transmit credit cards.

Myth: PCI compliance is an IT project.
Fact: Certain aspects of PCI Compliance will require technical and operational input, but compliance is much more than a 'project' with a beginning and an end; it is an ongoing process of assessment, remediation and reporting. PCI compliance is a business issue that is best addressed by a multi-disciplinary team.

CloudSpark can help your business become compliant

CloudSpark has assisted many businesses throughout East Anglia to become PCI Compliant. From local newsagents with one card terminal to businesses performing hundreds of PC-based transactions per week, we have guided these businesses through the process, completing questionnaires, running network scans and providing advice and consultancy wherever and whenever needed.

If you would like to talk to us about PCI compliance then please call 01603 673160 or email us and we will be happy to help. Even if you just want a helping hand to bounce questions off, we are keen to assist local businesses through the process.

CloudSpark fully managed IT Support customers benefit from PCI compliance support included in our service.

Published April 19th, 2016 (last updated 2018-01-18). Categories: CloudSpark, Security.