PCI DSS Payment Card Industry Data Security Standards - Do I Need

bignose2

Apr 9, 2013
Hi,

I am sorry as I am sure this will have been covered before but I can't seem to find it.

My merchant (Globalpayments) has just sent me a letter saying I need to now be PCI DSS compliant.

99.99% of my business is face to face, direct entry into their terminal.

Perhaps 5 or 6 times a year I might take a payment over the phone but I could easily stop this (poss use paypal online instead but I could easily do without any form of not present)

In these cases I do not write or store the information anywhere, I just type into their terminal again, with the procedure & security checks; it even asks for post code numbers & address numbers so there is no way I have the wrong client or details. Perhaps I should note & record these transactions but I do not write the details anywhere as they are so very rare.

Looking at the PCI Security Standards (.net) website I would come under "others" D;
the SAQ for this is 49 pages of tick boxes etc & not always very clear or obvious.

I do have clients' names & addresses etc stored on computer but absolutely no financial details, no DOB or any other personal information.
The invoice amounts are on my database but that is it.
Nothing that could possibly compromise a card payment is stored on computer.

The terminal machine goes straight to the phone line so must be impossible to access any information via a network.

Someone could sit at my computer and would never be able to get any card details.

I can't see why I need such a complicated form.

I am fairly sure my network is safe anyway; it is wireless but with proper high level wifi security, passwords etc., firewalls etc.

I appreciate this is good in that it makes people think, and if you are processing & storing details it is really important to protect this data.

Do I really need to fill in 200 questions on my network & IT security?

Fine for questions on protecting my terminal & prevent skimming etc.

Surely the following in most cases would do.
Do you store card or other financial information on clients Yes/No
if NO
Do you protect your terminal: supervise, protect access, train staff, cameras etc etc
Yes
OK that's fine.

I can sign up to their recommended Global Fortress from* £3.50 for their shop/service, which is fine if I needed a shop?!?
BUT what I find astonishing is, "the alternative" to use another provider or use the SAQ but this will incur an admin fee that starts* from £3 + Vat per month.
WHAT!!

Whilst only a small amount of money, what admin? Why should I have to pay not to have a service, especially if I have done a SAQ & I have said I am compliant? Do they have to analyse the form & re-read it every month?


I wanted to be a bit more informed before I phone, I suspect they are simply going to say you need compliance & subscribe to our service.


Sorry bit of a rant, the tone of the letter I got was not pleasant, "...non-compliance charge of 15p per transaction & min £50 per month until you are compliant....We are enforcing this on all merchants regardless of how transaction are processed"


I understand they need to make people aware & improve security, but somehow I suspect it will always be the big companies that seem to have the security breaches, and I assume they have huge budgets & IT departments, but the smaller companies get alarming letters & spend valuable time trying to work out what to do.

I might change merchant anyway, I know I will prob have to comply also but just don't like the way they go about things.

Any advice?
 

Banksbroo

Nov 7, 2008
Short answer: yes, you will be stuck one way or another with pci-dss charges.

Long answer.
PCI-DSS is a racket invented by the credit card industry to extract further fees from merchants. It is not a law, it is not backed by primary legislation.

If PCI was actually about security, a £50 penalty per month would hardly cover the costs of a real data security breach, yet credit card / merchant services regularly charge companies £50 - month after month - without ever seriously pressing for resolution to a perceived problem (more often than not a trivial mistake when the PCI-DSS form has been filled in incorrectly).

PCI-DSS is a new financial scandal in the making. If / when the scandal breaks, companies levying PCI charges and penalties will be faced with compensation claims similar to the PPI insurance scandal.

Until someone bothers to challenge it all the way through the courts, or a parliamentary inquiry takes a long hard look at how the industry operates; we are stuck with it.
 

Freshwebservices

@Banksbroo is right - it's a scam. Several of my clients have been forced into PCI compliance, despite using hosted payment solutions & not storing cc details. The true giveaway is that no one validates the quality of the answers given - it's an expensive checkbox exercise in my experience.
 

Stew specs

Jan 30, 2014
I too have had the Global Payments letter. Yes I have to comply but I too feel that the level of fee for the benefit I will get is minimal. I have a card terminal rented from Global; all we keep are the paper copies which we have to keep. The card terminal is connected to nothing but a phone line. The bloke I spoke to at Global Fortress just repeated again and again that I would be protected against ALL data risks. But unless I am mistaken this PCI DSS stuff is only for electronic data. But looking into the fees I pay, which are supposedly "preferential", I find that they are not, so am actively looking for a new terminal supplier. One recommended by a colleague states on its web site that they are PCI DSS compliant. Global will be getting their 30 days notice I think...
 

LMDServicesUK

Re the earlier posts: I understand that some Merchants think this is just another racket, or the next mis-selling scandal. It is not.

I will no doubt be seen to be on the side of the "card" industry here as I resell PaymentSense's services, but I also have an IT background and experience of IT systems, so am very much aware of how difficult some non IT literate Merchants find it to understand why they need to be PCI Compliant.

The whole point of the Payment Card Industry Data Security Standard (PCI DSS) is to reduce card fraud by ensuring Merchants adhere to a set of standards and Best Practice when handling card holder data, such that the risk of card fraud is minimised and hopefully continues to reduce, and this it is doing worldwide.

The principle behind the scheme is that "card holder data" is treated correctly and securely and the risk of it being abused is made as low as practicably possible. It also sets out the rules for how this information should be handled.

This applies to both the physical and virtual world so even if you just have a dial up terminal, you still need to understand and implement the guidelines within your business as to how such information is managed, just as you have to comply with the current Data protection Legislation for example.

It also applies to businesses who use fully outsourced systems as at some point they may need to process refunds, investigate Charge Backs or sort out a payment query which invariably means handling card holder data through the merchant management systems that the Business has access to, that enable management of these payments.

Just because you use a fully hosted Payment Service (which itself has to be PCI Compliant in its own right) does not exclude you from these guidelines, and anyone who tries to tell you otherwise is providing you very unsafe guidance.

The scheme is driven by the major Card Schemes (Amex, Diners, Visa, MasterCard) and administered by the Merchant Service Providers on their behalf (e.g. Barclaycard, EMS, FDMS, Streamline, GP etc), so if you choose to take card payments YOU have to register and become compliant. If you do not the fines will start at £ 20 PCM and rise to £ 50 PCM until you become compliant.

Furthermore, whilst it is a contractual requirement as opposed to a legislative one, PCI Compliance has been recognised by the Information Commissioner's Office as something that any Business accepting card payments should instigate and maintain, and if they do not the ICO has said it will impose fines where data breaches result. See www.out-law.com/page-12147.

I do agree however that the way some of the compliance programmes are operated by the Service Providers does leave a lot to be desired in terms of ease of use and levels of ongoing compliance activity.

However the consequences of not following these guidelines, and then being found to be the cause of a data security breach can be very serious and can in some circumstances lead to a Merchant being black listed from ever being allowed to have a Merchant Services facility again.

The fines are there to enforce compliance only, but for anyone who has ever suffered from card fraud or ID theft, you know how painful it can be.

PCI Compliance is a necessary evil and is working as part of the ongoing anti fraud activity across the Industry. None of us like it but it is there to ensure we treat our customers' card details with respect and manage them accordingly.

Of course if you do not like it, or do not accept it, then do not offer to accept payment by cards.

Having said all that if the posters on this thread would like to PM me, I would be most happy to offer you a switching quote for your Merchant Services, as we will not only help you complete your PCI compliance activity, but also cover your first 12 months management fees if you become a PS customer, and also CAP your rates for the duration of your contract (sales pitch over..).

Hope this at least provides some balance to this thread.

Mark
 

Bazza500

Sep 29, 2013
I have had the letter from Barclaycard basically telling me they would charge me so much per month and that it would start in March. When I phoned them and specifically asked them if my PCI compliance has to be with them they reluctantly said no, it can be with any company as long as I forward the compliance certificate to them. So... does anyone know who the cheapest company is to become compliant with?
 

LMDServicesUK

Hi Bazza500

Whilst Barclays Merchant Services ( the people who provide your Merchant account) are technically correct, you still have to have a Merchant Account for which to apply and register your PCI Compliance against.

So yes if you do not want to use BMS's services you need to ask them which PCI Compliance scheme provider can you register your Barclays Merchant Services Merchant account with ?

Getting your Compliance registered with a third Party is one thing, ensuring that it will be acceptable to your current Merchant account provider is another.

I speak from bitter experience when trying to transfer existing compliance certificates from merchants who have chosen to switch to ourselves; it is a very painful process, and quite often we have given up and undertaken a new registration as it was far easier and less painful.

In our case we cover your PCI Compliance fees for the first year, and I would help you complete the activity if you so wished.

Please PM me if this might be of interest to you.

Mark
 

Bazza500

Sep 29, 2013
This is where I believe the problem lies with the way this compliance programme is being run. Surely it shouldn't matter who you are compliant with; you're either compliant or you're not. A company saying you must take out the compliance with a certain company is where this is going to return to bite them.
 

LMDServicesUK

Except that the PCI DSS compliance programmes are all administered by the Merchant Service Providers ( for example BMS) MSP's to whom you need to register your compliance for your Merchant account.

Some of the MSPs sub contract elements of the service to third parties to complete on their behalf, and it is usually only the online elements (e.g. vulnerability scanning) that are required, not the completion of the core questionnaire that forms the basis of the majority of the SAQs for level 4 PCI rated (the lowest level) Merchants.

It does however need to be streamlined as a process for the end user Merchants, to make the whole process easier to understand and complete.
 

mhall

Sep 8, 2009
I'm sorry, but you cannot convince me this is NOT just a scam. We only use the machine in the shops; they are not connected to any computer and dial direct into Global who process the payment. There is no chance of anything being transmitted to anyone else unless Global are playing games. We do not sell on line, we do not sell via the phone - EVERYTHING is face to face. Each shop has its own merchant number so we are looking at £50 a month per shop from April unless I what?...........give them £6 a month for absolutely nothing, and even if we decide to go elsewhere, they still want to charge us "from £3 a month per merchant". The whole thing is designed to utterly confuse everyone. While I am not surprised the industry is ripping everyone off I am disgusted. I would drop credit card payments in an instant if we weren't so tied up to them.
 

LMDServicesUK

mhall

You are still handling card holder data and that means you need to be PCI Compliant.

The Guidelines are there to ensure that you treat such data (whether physically or electronically) with due care and attention, as you would wish your own card details to be handled by another merchant.

Is £ 4 - 5 a month such a massive cost to you compared to the £ 50 charge which could be so easily avoided ?

The whole point of PCI DSS is to reduce the risk of fraud being committed against both the card holder and the merchants as well as the processors.

It is a fundamental requirement of operating a merchant account that processes card payments and as over 80 % of the UK adult population now prefer to pay for services and goods by the various payment cards now available, not accepting card payments would seriously hurt any consumer facing business...

If you have never had to process a Refund or fight a Charge Back or Fraud case I can appreciate that you will feel aggrieved, and as far as your choosing to pay the £ 50 a month non compliance fee per merchant account, why not just complete the SAQ and the fines will stop.

If you are that unhappy with GP, I am sure I could provide you a competitive quote to switch and I would be more than happy to help you get your compliance sorted, (and stop the fines), and we would cover your PCI management fees for the first year as well !

Mark
 

mhall

Sep 8, 2009
As I suspected - £5 for doing nothing - another rip off under the "it's only £5, does it matter" banner. Yes it matters - there is no reason for doing it. The only data we handle is through Global's own machine that they own and charge us a monthly fee for using. This is just nothing short of extortion and dressing it up as "protection for the card user" is just cobblers. And if you honestly think that there will ever be any protection for the merchants then you really are in dreamworld. There never has been, and never will be.

But you are correct to mention protection - It is nothing more than a protection racket
 

mhall

Sep 8, 2009
It is a scam to charge so much. I have been charged £0.00 for one year and expect to be charged the same this year. All I need to do is fill in a form and post it. That's it.

But Kulture, I do not consider myself thick but I simply do not understand the form. It's a 50 page document that I get stuck on at Part 2b. I assume I just fill in the Merchant Section, but the PCI web site also says I must fill in the rest (it doesn't say so, but I assume I miss out the issuer bit) Most of the other questions are irrelevant, but there is no option to say so - The shops have no access to the internet - why the hell should I have to pay £5 for that?
 

ablative

Feb 17, 2010
I have just got this letter and am outraged. Especially as we do all our transactions online and use a reliable 3rd party to process them - we never see a CC number at all!

And yet what annoys me most is that it is impossible to contact the scam merchant Global Payments by email to ask about this. You just have to send them your compliance and hope they don't lose it behind a radiator like HSBC normally do.
 

LMDServicesUK

ablative

If you take card payments by any method whatsoever you need to be PCI Compliant, this is a condition of your having a Merchant Account, irrespective of who your provider is.

The requirement is there as even if you do process all your payments via your website, if you ever have to process a refund or investigate a Charge back you will handle card holder data so that is why you must acknowledge and operate your business as per the PCI Compliance guidelines.

I appreciate that you are using a third party to do your processing, but are you also using a hosted payment page as well? In which case the PCI SAQ should be quite straightforward to complete.

You may want to check that you are being asked to complete the correct one, as there are a number of variants depending on how you process card payments.

These links may be of help to you ?

https://www.pcisecuritystandards.org/merchants/ and https://www.pcisecuritystandards.org/smb/

Rgds

Mark
 

ablative

Feb 17, 2010
It's all hosted by the processor (PayPoint). No sensitive data comes near our website!

Part of the problem is that Global Payment provide no way of contacting them other than through old unreliable post. They don't even put a link to their website on the letter. It reeks of scam and comes across as little more than a cheap money making exercise for them.
 

japancool

Jul 11, 2013
    It's all hosted by the processor (PayPoint). No sensitive data comes near our website!

    Part of the problem is that Global Payment provide no way of contacting them other than through old unreliable post. They don't even put a link to their website on the letter. It reeks of scam and comes across as little more than a cheap money making exercise for them.

How about calling the number on their website, 0845 702 3344?
     

bignose2

Apr 9, 2013
Hi,

I was the one that actually started the thread & was pretty annoyed & confused by it all.

Still frustrated that it costs us time & effort & all very OTT for simple non-ecommerce merchants, but before you go spending hours reading the SAQs I have to say just go straight to Global Fortress/SecurityMetrics (Global Payments' QSA); I guess/hope the other merchant providers have similar QSAs. I spent some hours reading & filling in the simpler ?!?! SAQ B form. I could have just ticked Yes to all without reading or considering but it felt not right.

In the end I phoned Global Fortress (you can just sign up online) and registered with them.

It was £3.50pm (I was a bit worried about the "from" but this is for a basic merchant).

Benefits:
Online form, does not have to be posted.
Simplified form; although it does not seem a lot different I was more comfortable with it.
Can be compliant in minutes & is automatically registered.
Download their "Information Security Policy" - what a lot of waffle that is & I guess you could find one online somewhere. I wonder if every person you ever see operating a terminal should have read/understood & signed one of these.
I understand you can just check & tick each year / don't have to fill the whole thing in again.
Support: I did not use it but felt the lady I spoke to at the beginning was knowledgeable and slick (some sales patter, i.e. don't SAQ, but it all made sense).

Seeing as you would be charged £3.00 to SAQ yourself, this has to be the best way.

I guess it won't be long before it gets even more stringent, probably getting everyone to do these vulnerability scans even if you don't store data, as they seem a great source of revenue for someone.
     

LMDServicesUK

Good to see that you have got yourself sorted then; hopefully other Members can now use your experience, however this will probably only apply to Merchants who are using GP as their Merchant Services provider. As your PCI Compliance is managed through your Merchant Provider, it is not independent of them.

Tx for a good post though.

Mark
     

entrepreneur84

I requested a call back from Global Fortress; I'm too busy to be looking around for compliance!

They called me back (lovely American lady), she sent me a log in for the website and I'm presented with a questionnaire.

I'm hoping it's not as complicated as the one I downloaded before!
     

entrepreneur84

Well I'm going to try and get Global Payments to get my rates down now as I have other quotes.

To be honest all the reviews I've read on the internet about merchants are scary! Long contracts and the messing up of accounts and the huge fees. I would rather just see if I could get GP to drop their rates a little.
     

Karimbo

Nov 5, 2011
PCI DSS is an absolute scam to extort more money from businesses.

I am with Cardsave and they were charging me £10 a month for non compliance.

Tell me this, if PCI DSS was so crucial why didn't they just shut me down and stop taking payments? Why did they let me trade for 3 months until I came forward and became PCI DSS compliant?

Secondly you fill out a questionnaire and just answer a bunch of questions - nobody seems to check the data you submitted. You just get the thumbs up and the green light to go ahead.

It was free for the first year, but they will charge something in the region of £10 a month next year. You have to subscribe with an annual contract I believe. To cancel you have to give them 2 months notice. So I need to contact them after 10 months of joining to cancel the PCI DSS service and then find someone else more competitive.

All this is just BS.
     

Ecommerce Web Design

Feb 11, 2014
PCI DSS is driven by the insurance underwriters of the merchant credit card accounts. The full compliance would put 95% (yes, made up on the spur of the moment) of ecommerce stores offline. It's pretty ridiculous; we have seen pure brochureware sites being told by their PI insurers to be PCI compliant for data protection coverage! So once they are done with ecommerce the gun will be pointed at all sites with a form.
     

Karimbo

Nov 5, 2011
Is there any hope for a sensible company to come forward and just charge a reasonable £20 per annum fee for the PCI DSS compliance?

I was looking for one but could not seem to find any companies offering reasonably charged PCI DSS. In the end I just went with the one year free trial from the company that was recommended by my payment processor. But they will charge £10 per month after the free trial. I am not willing to fork out £120+VAT per year for this bogus company.
     

LMDServicesUK

Yet again I think you are all missing the point here. PCI DSS Compliance is a MANDATORY requirement on ANY Business that wants to accept payment by Credit or Debit card, and the scheme is owned and mandated by the Card Schemes (e.g. MasterCard, Visa, Amex, JCB etc).

It is then administered by the Payment Service Processors e.g. GP, FDMS, Elavon, WorldPay etc on behalf of the Card Schemes, which is why the costs / methods vary between providers. Therefore it is your Merchant Service Provider that manages the scheme, so if you do not like the way they operate, change your Processor!

The whole point of this programme is to ensure that as a Merchant you treat your customers' card data with respect and securely, thus helping to reduce the level of card fraud. Also I know many members have commented they never touch the card data as everything is outsourced, but sooner or later if you have to process a Refund or manage a Charge Back claim you will need to access the card holder's data directly, which is why these requirements are in place.

As I have said on this forum before, I agree the way the schemes are implemented leaves a lot to be desired, but they are reducing card fraud and I personally am happier knowing any merchant I give my card details to is treating them in a secure manner; remember the "take your card away and skim it" scam.

Like Public Liability insurance, Bank Charges and Business Rates (for example), this is a cost of doing Business (if you choose to accept card payments), and if you are so incensed by it, stop accepting card payments.

In the majority of cases for small traders, once you are compliant, unless you fundamentally change the way your Business operates, the renewal process is very simple and not difficult.

If you want assistance with any PCI issues, I am always happy to help if I can. Just PM me.

Mark
     

LMDServicesUK

Hi Wayzgoose

They are not members of (or recognised by) the Card Schemes, which is why they charge (usually) higher fees, and have longer settlement times, as they do not have to conform to the rules of the Card Schemes or meet their specific operational requirements. They are in effect Merchants in their own right and they then offer payment services on to their customers.

Hope this helps.

Mark
     

LMDServicesUK

Hi Wayzgoose

They are not registered with the card schemes as providers of Merchant account services in their own right; rather they are merchants who offer payment services to end customers.

PayPal is not instant insofar as it is paid to a holding account that you then draw down to your own account.

Re Nochex, they are quite good at 4 days, but as I explained they are operating as Merchants as well, but the service they provide is payment services.

Both organisations however have to be PCI Compliant themselves to level 1 (highest level), and once you want to utilise a conventional Merchant account facility with PayPal, you are then required to become PCI Compliant in your own right.

Mark
     

Karimbo

Nov 5, 2011
I guess that is the case because the retailer never sees the card details of the customer with PayPal and Nochex. Not even for refunds.

Customers do the craziest stuff. We're B2B; we once had a secretary email us the card number, expiry date and the 3 digit security code of her boss's business card for us to process.

I had to immediately delete the email and delete it from the deleted box and tell her why she shouldn't do that.

We process all transactions via a 3rd party processor. Technically we need to be PCI DSS compliant because the merchant throws in a virtual terminal with the package - we hate that feature as it opens up security requirements for that - the customer also pretty much tells us all the details over the phone that he/she would have entered onto the checkout page themselves. So it defeats the purpose.
     
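The emailed card number in Karimbo's post is exactly the kind of data that pulls a mailbox into PCI DSS scope. As an added example (not code from the thread or from any provider named in it), the script below scans an inbound message for a card number using the Luhn check, flags whether the expiry or security code came with it, and masks the number to first six / last four so the stored copy no longer holds a full PAN. The sample email, phone number and keyword list are constructed for the example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit. Deliberately simple; real DLP rules
# also key on card-scheme prefixes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Words that, alongside a PAN, usually mean the whole card was sent (constructed list).
SENSITIVE_HINTS = ("security code", "cvv", "cvc", "exp")

# Constructed sample message modelled on the incident described in the thread.
# 4111 1111 1111 1111 is a well-known Luhn-valid test number, not a real card.
SAMPLE_EMAIL = (
    "Hi, please process the order on my boss's card 4111 1111 1111 1111, "
    "exp 04/16, security code 123. Call me on 01234 567890 if needed."
)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; PANs issued by the major card schemes pass it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits(match: str) -> str:
    """Strip the spaces and dashes people type between digit groups."""
    return re.sub(r"[ -]", "", match)


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers found in text, digits only."""
    return [
        _digits(m.group())
        for m in PAN_RE.finditer(text)
        if luhn_ok(_digits(m.group()))
    ]


def mask_pan(digits: str) -> str:
    """Keep first six and last four, the most PCI DSS permits to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form; leave the rest alone."""
    def repl(m):
        d = _digits(m.group())
        return mask_pan(d) if luhn_ok(d) else m.group()
    return PAN_RE.sub(repl, text)


def scan_message(text: str) -> dict:
    """Summarise what an inbound message exposes and return a copy safe to keep."""
    pans = find_pans(text)
    lowered = text.lower()
    hints = [h for h in SENSITIVE_HINTS if h in lowered]
    return {
        "pan_count": len(pans),
        "full_card_suspected": bool(pans) and bool(hints),
        "redacted": redact(text),
    }


if __name__ == "__main__":
    report = scan_message(SAMPLE_EMAIL)
    print(report["pan_count"], report["full_card_suspected"])
    print(report["redacted"])
```

Wired into a mail filter, a hit with `full_card_suspected` set is the cue to quarantine the message and tell the sender, rather than leave a full card number sitting in a mailbox that then has to be treated as cardholder data.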
