How does a small business become PCI DSS compliant?

MrDizzy (Free Member, Jul 23, 2014)
I noticed today that I'm being charged £22 a month as a PCI DSS non-compliance fee. So, I logged on to the Worldpay safe payment website to work through the self-certification questionnaire. It was like hitting a brick wall. I literally have no idea what all the computer jargon means.

I run a restaurant and all of our card payments are done face to face. The fine bothers me but it's important that our guests can trust that we treat their card details with privacy and as such what can a small business do to become compliant with the PCI DSS regulations? Is there a service that can help with this? Anyone completed the questionnaire successfully?

I thought that the service provider would have the actual card processing security covered as it goes through their terminal but obviously I'm wrong!

Any help appreciated

James
 
If all of your transactions are carried out face to face with a chip and PIN machine then you're not storing any card details and the questionnaire should be pretty simple. If you take payments over the phone then it's a little bit trickier. If you write down any card details then it's harder still (just don't write them down and instruct staff not to either). I had a couple of clients go through this with SagePay a while ago. SagePay used a preferred supplier (I'm annoyed I can't remember who), you paid a fee to them (it wasn't huge) and they took you through an easier questionnaire that then filled in your PCI DSS questionnaire. They also had training materials for staff, template security policies and that kind of stuff.

In the end, when you add up your time and frustration, it's cheaper to just swallow hard and pay the one-off (and then probably small annual) fee to the compliance company.

zimone (Free Member, Jan 27, 2011, Somerset)
This is a new subject for me but I have managed to dig out the following link [PM me for the link as I don't have 30 posts on the forum yet]; it may be helpful. Just out of curiosity, who is your payment processor? I may be able to dig for more information for you once I know that.

Certainly paying out the £22 charge is just going to add up if you are not compliant, and it's great that you are taking the necessary steps to achieve compliance, not only for your business but for the security of your customers too.

fairdealworld

It sounds as if you are with WorldPay like me? The questionnaire is a bit of a nightmare if you are a normal person! But somewhere on that questionnaire there is a helpline number. Just call them. Probably you, like me, avoid call centres like the plague, but I've found the WorldPay helpline genuinely helpful. When I did my compliance in January I got stuck on some of the questions, but the person I spoke to asked a few questions about my set-up and then told me which boxes to tick. Problem solved.

LMDServicesUK

Chaps

Your PCI compliance requirement is based on how you process card payments, e.g. via PSTN line, IP connection, or via a web portal or website. It has nothing to do with whether it is F2F or over the phone.

Sad fact is that if you have a card terminal that is connected to the Internet you get the longest questionnaire; if, however, you operate a website or MOTO facility you get the shortest. Crazy or what!

PCI is there to protect both the cardholder and the merchant, and it has massively reduced fraud on both sides and gives customers more confidence to use cards.

And yes, it is very painful to complete, but there is assistance out there, so if you are non-compliant and need some help I would be happy to talk to you. Please PM me to see if we can help at all.

Like I said earlier, I spend a lot of my time helping merchants re these issues, so again, if you need an assist please PM me.
You need to be PCI DSS compliant in any case, but most of the technical jargon will not apply to you if you are using Worldpay as the Payment Service Provider. It should only be around 5 or 6 questions to answer altogether.

LMDServicesUK

This is not correct.

The type of SAQ for PCI that you have to answer is totally dependent on HOW you take card payments, e.g. if you use a dial-up physical terminal it is the shortest; if, however, you have an IP physical terminal it is the longest. MOTO and Ecomm fall in between. Your choice of MSP (in this case WP) makes absolutely no difference to the length of the SAQ you have to complete.
azad_ALI (Free Member, Jan 12, 2017)
I'm struggling with one of the questions where they (I'm with Worldpay) ask me if my router has split networks, one for the wifi and another where all the card transactions take place. I didn't know the answer, so I called BT who provide the broadband and they weren't much help either; they said they can't split the networks and I have to get my own router which can do that. (I've got a quote for £1400 for a router like that!!)
I'm really having problems sorting this out. Can anyone guide me in the right direction please?