PCI DSS Compliance

Sam Boogie · May 9, 2010

Can anyone confirm this for me...

If I use a PCI DSS compliant payment processor such as Protx for processing ALL card transactions on my site and have the payment pages hosted by them then I dont need to perform any sort of PCI DSS compliance.

Have i got that right or is it yet another thing to add to the to-do list?!

Sam : )

DuaneJackson · May 9, 2010

Nope, that's right afaik

Sam Boogie · May 9, 2010

Wow, fastest replyer in the west! Thanks : )

Sam Boogie · May 9, 2010

Ive carried on looking on the net and I'm still confused!

Unfortunately it looks like its not that simple after all. From what I can tell from the SagePay site (http://www.sagepay.com/products_services/bolt_ons/pci_dss/outsourced_solution) having them handle ALL steps of the card processing will simply mean I wont have to spend anything meeting the requirements myself. However, I would still need to carry out the annual self-assessment at a cost of £72. It all seems like a bit of a rip-off but of thats what I need to do to be able to accept visa and mastercard, so be it!

kulture · May 9, 2010

You have got it right. To be PCI compliant you need to correctly fill in the correct self assesment questionaire and adhere to the procedures and practices that you say you are in filling in the form.

Using sagepay, and letting them host the form etc means you get to fill in the simplest questionaire.

Sam Boogie · May 9, 2010

kulture said:
Using sagepay, and letting them host the form etc means you get to fill in the simplest questionaire.

Yep, and I think it should also mean that I wont have to actually DO anything at my end. If i was doing it myself and was in some way non-compliant it might be quite costly to try and address that.

Still though, £72!!!!

kulture · May 10, 2010

kulture said:
and adhere to the procedures and practices that you say you are in filling in the form.

There is more to PCI compliance than just filling in a form, or your site passing a scan.

For example, you have to have a security policy, and update it annualy. If you ever take card details down over the phone and write them down you need a policy to securely hold such data whilst you need it, and a secure physical location, and actually shred when you no longer need it. If you have a point of sale machine and you keep the merchant copy of the transaction (which you have to) then this MUST be kept in a secure location. If you have an accountant or auditor, and they ask to see such receipts (or a sample of them) then you have to track any delivery and have a written agreement with them that they will keep them secure.....

Just filling in a check box on a questionaire is not enough. You are meant to actually DO IT.

MartCactus · May 10, 2010

Sam Boogie said:
Can anyone confirm this for me...

If I use a PCI DSS compliant payment processor such as Protx for processing ALL card transactions on my site and have the payment pages hosted by them then I dont need to perform any sort of PCI DSS compliance.

Have i got that right or is it yet another thing to add to the to-do list?!

Sam : )

Further to the other answers, it will depend on how many transactions you process. If less than 20,000 per year (which probably covers most merchants) then the self-assessment route is valid, if you're doing more than that you may require a more details audit.

JohnDet · May 10, 2010

Sam Boogie,

What SagePay method are you using to process your payments ?

Direct or Form

If Form, then you escape from the requirement to have your servers scanned periodically

Sam Boogie · May 10, 2010

Matt - I imagine I'll be below 20,000 transaction for quite some time - I would be a definite level 4 merchant!

Kulture - I plan to never take card details over the phone nor have a POS machine. That should really mean that my payment processor is responsible for almost everything. From the sounds of it though, I will still have to put together this security policy explaining how I'm protecting the cardholder data that I never see, let alone store!

Thanks for your help guys, its all a bit murky out there!

ItsJustMe · May 10, 2010

Have just been through this process so I feel your pain! Which bank is your merchant account with? If you're with Streamline/RBS you should have had some info through from them - they've teamed up with another company (Arsenal Security, I think) whereby you can submit the self-assessment form free of charge. Secondly, if you're having 'fun' completing the form HackerGuardian have a free questionnaire wizard. You still have to do the security policy stuff though.

Hope this helps!

Sam Boogie · May 10, 2010

JohnDet - This is all just planning right now...
From the sounds of it my best SagePay option would be "Sage Pay Go with Server & inFrame integration"

I can retain a certain amount of design control but have the safety of the elements doing the data collection being handled by them.

ItsJustMe - I'll be avoiding RBS like the plague having heard a lot of negative stuff about them and also having some personal banking issues with them in the past! Im planning to go with SagePay as I've heard good stuff about them.

Sam : )

PayVector · May 10, 2010

We have not had a PCI misconceptions thread in a while

then I dont need to perform any sort of PCI DSS compliance.

Although you do not have to actually do anything you still need to be operating compliant. For example say you have a couple of people all logging into your PSP back end using the same account then you are not operating compliant and if there is a compromise you insta get promoted to a level 1 merchant and get the pleasure of a full audit.

Our recomendation is every should be doing the SAQ at a minimum.

A couple blogs on the issue :

http://internetpaymentgateway.blogspot.com/

http://internetpaymentgateway.co.uk/the-cost-of-a-card-data-compromise-to-your-company

The Movie Booth · May 10, 2010

We had the same issue - some of the forms they ask you to fill out can be quite intimidating. I simply called our merchant bank, explained how we used their service and they talked me through the form I needed to complete and how I could ensure the responses I provided were correct. It ended up taking ten minutes (like you we use a third party payment processor).

The cost of this compliance is determined by the bank you use unfortunately.

Sam Boogie · May 10, 2010

The Movie Booth said:
The cost of this compliance is determined by the bank you use unfortunately.

Oooh, thats useful to know. Thanks : )

PayVector · May 10, 2010

The Movie Booth said:
W
The cost of this compliance is determined by the bank you use unfortunately.

This statement is incorrect. Your duty is the card schemes for compliance and you can complete it through any Qualified Security Assor that you chose.

The statement that is correct is that many of the UK banks are trying to force their merchant base into using the QSA nominated by them.

I believe currently there are a tonne of upset HBOS merchants over this issue.

Sam Boogie · May 10, 2010

This is great guys, we seem to be zeroing in on the facts! As well as using this myself I'm planning to document this information on my blog as im hoping to provide a blueprint for opening a small e-commerce store. If people find they have a lot similar requirements to myself then they will be able to follow the decisions I made and this will hopefully mean it doesnt take them so long!

Sam : )

logicsupport · May 10, 2010

Taken from PCI Security Standard Council's website :-

How do I determine whether my business would be required to do a full independent assessment or a self assessment?

Merchants that store payment account data should contact the acquiring financial institutions with whom they have merchant agreements to determine whether they must validate compliance and the specific requirements for compliance validation. Service providers should contact the individual payment brands for further information.

I think you will come under the category of 'Service Providers' and just needs to ensure your payment processor has acquired compliance, from the statement above.

Another question :

Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data?

PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. However, under PCI DSS requirement 12.8, if the merchant shares cardholder data with a third party processor or service provider, the merchant must ensure that there is an agreement with that third party processor/service provider that includes their acknowledgement that the third party processor/service provider is responsible for the security of the cardholder data it possesses. In lieu of a direct agreement, the merchant must obtain evidence of the third-party processor/service provider's compliance with PCI DSS via other means, such as via a letter of attestation.

I hope that answers your question.

cheers

Sam Boogie · May 11, 2010

logicsupport said:
if the merchant shares cardholder data with a third party processor or service provider, the merchant must ensure that there is an agreement with that third party processor/service provider that includes their acknowledgement that the third party processor/service provider is responsible for the security of the cardholder data it possesses. In lieu of a direct agreement, the merchant must obtain evidence of the third-party processor/service provider's compliance with PCI DSS via other means, such as via a letter of attestation.

So what do you guys think this means? From what I can tell thats saying if I can confirm my processors compliance (with some sort of letter from them) then I've done enough and dont need to do anything else...

I think I might tap up the Sage Pay support team and see what they say!

alanc · May 11, 2010

Sam Boogie said:
So what do you guys think this means?

It means: if you are capturing the card data and handing it over to someone else to authenticate, you have to make sure they understand they are responsible for the security of that data.

However, if you're using a third party payment processor, they alone are responsible for the card data and you shouldn't see it at all - so no sharing is involved.

logicsupport · May 11, 2010

Sam Boogie said:
So what do you guys think this means? From what I can tell thats saying if I can confirm my processors compliance (with some sort of letter from them) then I've done enough and dont need to do anything else...

I think I might tap up the Sage Pay support team and see what they say!

Yes Sam, I think you just need to get it signed by way of attestation from your merchant account which shows that they are PCI compliant.

The Movie Booth · May 11, 2010

We had the same thing exactly, we provided certification of our processer but still had to complete a bsic questionnaire.

I'd give Sagepay a call if I were you.

kulture · May 12, 2010

Certainly call sage pay if you want, but to use Sagepay you need a merchant account. Once you have that merchant account then you can either choose an accredited PCI compliance assessor, or select the one your chosen merchant account provider recommends. Then call them and ask their advice and follow it. After all, they are the ones who will say if you are PCI compliant and tell your provider you are compliant, and not well intentioned people on this forum.

The Movie Booth · May 12, 2010

Apologies, I actually meant to say call your merchant account provider - they would normally have a PCI DSS compliance unit who can talk you through the application you need to complete. You should call Sagepay as well to verify their PCI status as your merchant bank will want probably want to know this.

kulture · May 12, 2010

Its a fair bet that sagepay will have a PCI compliance certificate, and that your provider will already have a copy of it. But as always check with your provider to ensure that they are happy.

LHM · Jun 3, 2010

Sam Boogie said:
This is great guys, we seem to be zeroing in on the facts! As well as using this myself I'm planning to document this information on my blog as im hoping to provide a blueprint for opening a small e-commerce store. If people find they have a lot similar requirements to myself then they will be able to follow the decisions I made and this will hopefully mean it doesnt take them so long!

Sam : )

Hi Sam

This would be extremely useful! I am in process of setting up an e-commerce business and like you I am baffled by PCI DSS. It is four months since I decided I was going in to business and I only found out about PCI DSS in the last week. It has made me wonder what other essential things I am still unaware of at this point! Please let us know when you get your blog going!

Many thanks

Lianne

alanc · Jun 3, 2010

LHM said:
It has made me wonder what other essential things I am still unaware of at this point!

Many start-ups are unaware of the Distance Selling Regulations
http://www.oft.gov.uk/about-the-oft/legal-powers/legal/distance-selling-regulations/

And the requirement to show a geographical address on their website.

Cookie Consent

Essential

Analytics

Marketing

PCI DSS Compliance

Sam Boogie

Sam Boogie

Sam Boogie

Sam Boogie

Sam Boogie

Sam Boogie

PayVector

The Movie Booth

Sam Boogie

PayVector

Sam Boogie

Sam Boogie

alanc

The Movie Booth

The Movie Booth

alanc