By being PCI DSS compliant, you will protect your three most important assets: your brand, your customers and your cash flow. You will benefit by:
- Managing risk around identity theft and credit card fraud
- Boosting customers' confidence in your security
- Increasing protection of customers' data
- Avoiding penalties/fines imposed by banks or card companies
- Staying competitive in the marketplace
- Reducing the risk of negative cash flow impacts
These requirements can seem daunting and overly technical at first. IP Solutions provides end-to-end eCommerce consultancy and security remediation services, and we have years of experience in this area, so contact us to simplify your PCI DSS journey.
At a minimum, cardholder data includes the full PAN. Cardholder data may also appear in the form of the full PAN plus any of the following:
- Cardholder name
- Expiration date
- Service Code
PCI DSS requirements apply if a Primary Account Number (PAN) is stored, processed or transmitted. If a PAN is not stored, processed or transmitted, PCI DSS requirements do not apply. Therefore, if your company stores or transfers the PAN (usually the 16-digit credit card number itself) in any way, even if only to transmit it directly to a real-time payment gateway, or perhaps restore it in some way, then your business must be certified PCI DSS compliant in its own right.
The applicable PCI DSS merchant levels are as follows:
- Level 1: Visa and MasterCard worldwide transactions totalling over 6 million per year, and any merchant who has experienced a data breach.
- Level 2: Visa and MasterCard transactions totalling 1 million to 6 million per year.
- Level 3: Visa and MasterCard e-commerce transactions totalling 20,000 to 1 million per year.
- Level 4: Visa and MasterCard e-commerce transactions totalling 1 to 20,000 per year.
PCI DSS is an abbreviation for Payment Card Industry Data Security Standard. Organisations processing, storing and/or transmitting credit card details must be PCI DSS compliant. Compliance is achieved by undertaking two tasks, which depend on your transaction volume. These tasks could include an annual on-site audit, a quarterly vulnerability scan or a self-assessment questionnaire.
Compliance is mandated by the payment card brands and, for most merchants, the deadlines for validating compliance with the PCI DSS have already passed. Check with your acquirer and/or merchant bank to confirm whether any specific deadlines apply to you, based on your merchant transaction volume (level) as determined by the card payment brands.
If your business accepts credit cards, whether over the internet or on paper, then PCI applies to your business. The general rule states that if you process, store or transmit cardholder data then you must adhere to the Payment Card Industry Data Security Standard v2.0 (PCI DSS v2.0) which prohibits maintaining credit card information in multi-tenant environments. The PCI Security Standards Council (PCI SSC) has officially released the PCI DSS v3.0 compliance standards, but much remains to be done before merchants, service providers and the auditors will know how the new mandates will impact the payments industry. Keep checking our website to stay up to date.
Depending on the number of transactions performed annually, Merchants and Service Providers must conduct quarterly vulnerability scans and either fill out a Self-Assessment Questionnaire or have a Qualified Security Assessor (QSA) audit the business entity against the PCI DSS.
As a merchant and the owner of the credit card merchant facility, in most cases yes. Contact your acquiring bank to determine their expectations of your business. If you are not PCI DSS Compliant remember IP Solutions provides a PCI DSS Certified payment processing solution that can be customised to meet your unique business requirements.
Your company must attest that it is complying with the Data Security Standard annually if it handles credit card data electronically. This involves delivering a package of two or three items:
- Self-Assessment Questionnaire
- Regular network or website scanning by an Approved Scanning Vendor (may not be required in some cases) and a Report on Compliance by a Qualified Security Assessor (only needed by the very largest companies)
- Attestation of Compliance
There are 5 versions of the Attestation of Compliance, just as there are 5 versions of the Self-Assessment Questionnaire. If you qualify to use version A of the Questionnaire, use version A of the Attestation, etc.
If you choose not to comply with the PCI DSS then you risk:
- Potentially being fined by your acquiring bank
- Potentially being restricted from accepting credit cards as a payment method
- Greater risk of potential financial loss arising from security incidents
- A system compromise may result in fines and/or restrictions. Whilst data breach reporting is not mandatory at this stage, the OAIC does have powers to fine organisations for not adequately safeguarding clients' personal information.
One of the key things is to determine what the devices are going to be used for and whether or not they’ll be used to process transactions or have any payment card data processed through them or stored on them. If so, they will fall into scope for PCI compliance. Even being on the same network as systems that store, process or transmit payment card data will bring these devices into scope. While the PCI guidelines might not have specific requirements yet for every aspect of mobile applications and devices, they are clear around keeping cardholder data protected, wherever it may be.
This is such a new area for many merchants that they aren’t properly addressing security issues or updating their employee guidelines or policies to deal with them adequately. You can’t take it for granted that employees will know what to do in a given situation or think about the ramifications of bringing their own devices into retail or working environments. Make them aware of the need for compliance and why it’s important to customers and to the business.
Tokenization, in its simplest form, is another way of saying ‘data substitution’. It is the act of using a substitute value, or ‘token’, which has no inherent value, in the place of data that does have value. That way, if the system using tokens is compromised, it is the tokens that are taken, not the actual valuable data. Tokenization works by taking the original data value and generating a substitute value, usually with a random number generator. The mapping between the original data and the token is maintained in a secure database. Obviously, with tokenization, it is imperative to protect the database that contains the mappings between the original data and the tokens.
Yes. Tokenization can, however, significantly reduce the scope and ongoing cost of PCI DSS compliance, and with it the time and money spent securing the network environment on a day-to-day basis. Under the PCI DSS standard, every merchant must still validate and maintain their compliance.
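To make the tokenization description above concrete, here is a minimal token vault as an added example; it is not IPSI's code or any particular product's design. The token is produced by a CSPRNG rather than derived from the PAN, the only link between the two is the mapping kept inside the vault, and the merchant-side record never holds the PAN. The class and function names, and the choice to keep the last four digits visible, are assumptions for illustration.

```python
import secrets
import string


class TokenVault:
    """Minimal tokenization vault (constructed example, not a real product).

    The PAN-to-token mapping lives only here; everything outside the vault
    works with the token, which has no value without this mapping.
    """

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    @staticmethod
    def _random_token(pan):
        # Keep the last four digits so staff can recognise a card on a
        # receipt; every other digit comes from a CSPRNG, not from the PAN.
        body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
        return body + pan[-4:]

    def tokenize(self, pan):
        """Return the token for a PAN, generating one on first sight."""
        if not (13 <= len(pan) <= 19 and pan.isdigit()):
            raise ValueError("PAN must be 13 to 19 digits")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]          # same PAN, same token
        token = self._random_token(pan)
        # Retry on the (rare) collision with an existing token or the PAN itself.
        while token in self._pan_by_token or token == pan:
            token = self._random_token(pan)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token):
        """Recover the PAN; only the vault, inside the secured zone, can do this."""
        return self._pan_by_token[token]


def merchant_record(vault, pan, amount):
    """What a merchant system outside the vault stores: the token, never the PAN."""
    return {"token": vault.tokenize(pan), "amount": amount}
```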
Managed network security services are third-party service providers, solution providers or value-added resellers that can be hired to outsource tasks or processes related to network security. Outsourced responsibilities often include device management, monitoring and remediation; email security, including anti-spam, anti-malware and IP filtering; network intrusion detection and prevention; asset classification and change management; data leak protection, and the creation of access control policies.
Functions that are performed as part of network management include:
- Controlling, planning, deploying, and monitoring the resources of a network
- Network planning
- Configuration management
- Fault management
- Security management
- Patch management
No, server infrastructure is housed within a number of Tier III standard (or higher) data centres. These data centres offer world-class facilities including temperature and humidity controls, earthquake protection and advanced fire control systems. The facilities are monitored 24 hours a day, 7 days a week, 365 days a year with multiple security layers including guards, CCTV, photo access cards, "man traps" and locked server cabinets. They are serviced by fault-tolerant and redundant power systems encompassing dual council power supplies and Uninterruptible Power Supply (UPS) filters with backup diesel generators.
Please log in to the IP Solutions administration portal with your nominated user name and password. If you have forgotten your details, you can retrieve them via the forgotten details retrieval facility on the login page (https://www.ippayments.com.au/crm/logon.aspx?x=ipsi).
Alternatively email support at email@example.com
To pay your invoice by credit card click here. Please note a surcharge of 1% applies to credit card payments.
Simply call IP Solutions on 1300 975 630 and have a chat to one of our consultants. We will determine what the next steps for you should be.
PCI DSS has 12 requirements that organisations must meet in order to achieve PCI DSS compliance. The requirements are a set of security controls required to protect credit card data and comply with the Payment Card Industry Data Security Standard.
The 12 requirements are:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update antivirus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
Achieving PCI DSS compliance is an important part of trading in the digital economy. Whilst achieving PCI DSS compliance may seem daunting at first, it’s important to ensure that any payments taken via debit or credit cards are secure.
PCI DSS compliance is achieved through an assessment performed by a certified PCI DSS Qualified Security Assessor (QSA). A QSA is an independent security organisation that has been qualified by the PCI Security Standards Council to validate an organisation’s adherence to the PCI DSS requirements.
Are you PCI DSS Compliant? If you answer NO to any of these questions, you may not be compliant.
- Have your hardware and IT systems been audited for credit card numbers in the last 6 months?
- Do you store customer credit card information within your IT system?
- Do your call centre agents hear customers' credit card information, or is it hidden from them?
- Do you have controls in place that outline how you collect, process, store and transmit customer credit card information?
When assessing if you are PCI DSS compliant, it is essential to fully understand the purpose and requirements that are defined by the PCI DSS standards. Below is a list of frequently asked questions that clients often ask when they begin the process of becoming PCI DSS compliant.
What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standards. It is a set of standards covering payment system security created and maintained by the Payment Card Industry Standards Council, a worldwide forum founded by American Express, MasterCard, and Visa, Inc. Today, the council includes all five of the major payment brands and other financial industry stakeholders. The PCI DSS standard is enforced by the payment brands themselves to ensure that transactions remain secure for both cardholders and the institutions that process their payments.
What is PCI DSS compliance?
PCI DSS compliance consists of implementing a set of data security measures to ensure that sensitive personal and financial information is not lost or stolen from a business’s payment processing or storage systems. The data covered by PCI DSS includes:
- The cardholder’s name, primary account number, card expiration date, and service code.
- Authentication data for the card such as the data encoded on the magnetic stripe, PINs, and other security codes like CVC2 and CVV2 numbers.
If any of this information is processed or stored during or after transactions, then PCI DSS compliance requires a list of safeguards be put into place and maintained by the business.
Why was PCI DSS compliance introduced?
Credit card fraud has been growing over the past two decades and is predicted to continue. By 2014, credit card fraud had reached $16 billion, and financial industry estimates expect it to reach $35 billion by 2020. In addition to the immediate financial losses suffered by banks and consumers when a card account is used fraudulently, the release of personal information obtained from credit card data breaches also contributes to identity theft.
The majority of payment card fraud happens because of data breaches at businesses and payment processors. Card account and authentication information stolen during these breaches is used to make unauthorised purchases online, and duplicate payment cards are made and used at bricks-and-mortar stores.
This trend led to the formation of the Payment Card Industry Standards Council, which created the first version of PCI DSS in 2004. The payment card industry enforces its requirements with merchants that do business with their cards by making them liable for fines and other fees when they are found to be out of compliance or suffer data breaches.
Who needs to be PCI DSS compliant?
The data security standards apply to any business that conducts transactions using one of the five major payment card brands or that stores cardholder information. These businesses need to ensure that their data systems comply. If a third party conducts a business’s transactions on its behalf, that business is still responsible for ensuring that the payment processor complies.
What are the benefits of being PCI compliant?
PCI DSS compliance reduces the likelihood that a security breach will impact the customers who do business with a company. This gives the compliant company a couple of benefits.
The financial benefit is avoiding the costs of a data breach that results from being out of compliance. Fines imposed on merchants who suffer breaches can be as high as $50,000, not to mention the damage to the company brand due to the data breach. The cost of post-breach security investigations, providing credit monitoring services to affected customers, and other legal liabilities can push the cost of a breach much higher.
Beyond the financial benefit, however, is the benefit to a company’s brand and reputation among its customers and peers when it takes measures to secure customer credit card data. Customer trust is difficult to win back after a major data breach.
What are the key requirements for PCI DSS compliance?
The PCI DSS compliance checklist consists of twelve essential requirements:
- Install a correctly configured firewall that protects cardholder information
- Ensure that default passwords and configurations on third-party equipment are changed to secure settings
- Maintain protections for cardholder information that’s stored in a business’s data systems
- Ensure that cardholder information is encrypted when transmitted over public networks
- Maintain anti-malware and virus protection on all the business’s information systems
- Establish and maintain secure data processing and storage systems
- Maintain confidentiality of cardholder information, allowing access only on a “need to know” basis
- Identify all system components and maintain their security
- Secure physical access to the business’s data systems containing cardholder information
- Monitor and log all traffic to and within the business’s network and systems containing cardholder information
- Test security policies and systems on a regular basis
- Create an enterprise-wide information security policy that applies to all employees
This list of requirements becomes the outline of a company's PCI checklist as it brings its information and payment processing systems into compliance.
Are there different levels of PCI DSS compliance?
Yes, there are four merchant levels of PCI compliance. Which level applies to a company is determined by the volume of payment transactions it processes and its data breach history. Levels 2, 3 and 4 are for merchants with annual transaction volumes up to 6 million. All three require a Self-Assessment Questionnaire, a quarterly network scan by an Approved Scanning Vendor, and submission of an Attestation of Compliance form.
Level 1 merchants have annual transaction volumes over 6 million, have suffered a data breach that resulted in data loss, or have otherwise been identified as a Level 1 merchant by the council. In this case, the merchant must also submit a Report on Compliance prepared by a Qualified Security Assessor (QSA).
How do you know if you are PCI DSS compliant?
PCI compliance can be a complicated process because of the comprehensive nature of its requirements. Compliance can be achieved by instituting a set of high-level goals that guide a company’s security policies. When these measurable goals are met, a QSA can determine if they have achieved PCI DSS compliance.
Here is an example list of goals a company can pursue to achieve full compliance with PCI DSS:
- Create secure information systems and internal networks
- Maintain a program that manages vulnerabilities as they are discovered
- Monitor and test the security of company networks
- Create an information security policy and adhere to it
- Institute access control measures both internally and externally
- Encrypt customer information and restrict access to it
Context-based payment is a new business model designed to remove the physical act of payment from the payment experience.
With context-based payments, the payment occurs in the background. The customer approves the payment but does not need to take out their wallet and hand over cash or a credit card. An excellent example of context-based payments is Uber. The customer doesn’t have to pay the driver; they merely exit the vehicle at the end of the trip.
These types of payments remove friction, making the shopping experience very smooth for customers. When applied to other business categories such as retail, we can foresee the significant impact this will have on the customer experience.
A typical implementation within a retail environment would have the customer selecting items to purchase and then walking out without needing to take out a wallet, enter a PIN or insert a card into a POS terminal.
In this situation, the customer would have an application on their phone which activates when they enter the store, based on GPS or other geo-location technology. This application would contain their secured payment information and also record the products selected for purchase. Products can be entered by scanning barcodes or through other tracking methods, with the payment triggered when the customer exits the store.
Many big platform companies, such as Amazon with Amazon Go, are already trialling this technology, and the trend is expected to become the norm shortly.
Yes, IPSI’s payment gateway is a scheme approved gateway by Visa for PCI DSS services.
Least-cost routing is an initiative that aims to reduce payment costs and promote competition in the Australian debit card market. It allows merchants to choose which network their debit transactions are sent to for processing, so they can select the network that costs them the least to accept. For many merchants this is not currently an option, with debit card transactions (from cheque and savings accounts via EFTPOS) often processed by the more expensive credit card processing network (Visa and Mastercard).
The high adoption of ‘Tap and Go’ technology in Australia has been a key driver of change with these smaller transactions under $100 often processed as credit card transactions at an increased cost to merchants. Least-cost routing aims to allow merchants to choose which processing network is used to process different transactions to reduce costs to merchants.
DTMF stands for Dual-Tone Multi-Frequency, and it is how phone companies know what number is pressed when a customer touches the numbers on the telephone keypad.
When a telephone keypad is used to input payment data such as a credit card, those tones can be intercepted by hackers to collect credit card information, unless DTMF masking is used.
DTMF masking involves intercepting the unique audible tones and substituting (masking) them with flat tones, so that anyone who hears the DTMF data cannot decipher the numbers. The masking software usually sits between the caller and the call centre (or contact centre) system and converts the DTMF tones to flat tones.
IPSI uses DTMF masking for the AgentSecure® service.
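To show why the substitution described above protects the card number, here is an added example that synthesises keypad tones, detects which key they encode, and applies the masking step; it is illustrative code, not the AgentSecure® implementation. The standard DTMF frequency pairs and the 8000 Hz telephony sample rate are real; the Goertzel-based detector, the 0.2 amplitude threshold and the 440 Hz choice of flat tone are assumptions for the example.

```python
import math

SAMPLE_RATE = 8000                      # telephony sample rate, Hz
LOW_TONES = [697, 770, 852, 941]        # keypad row frequencies
HIGH_TONES = [1209, 1336, 1477, 1633]   # keypad column frequencies
KEYPAD = ["123A", "456B", "789C", "*0#D"]
MASK_TONE = 440                         # flat substitute tone (assumed value)


def dtmf_tone(key, seconds=0.1, amplitude=0.5):
    """Synthesize the row+column tone pair produced by pressing `key`."""
    row = next(r for r, keys in enumerate(KEYPAD) if key in keys)
    col = KEYPAD[row].index(key)
    n = int(SAMPLE_RATE * seconds)
    return [amplitude * math.sin(2 * math.pi * LOW_TONES[row] * t / SAMPLE_RATE)
            + amplitude * math.sin(2 * math.pi * HIGH_TONES[col] * t / SAMPLE_RATE)
            for t in range(n)]


def tone_amplitude(samples, freq):
    """Estimate the amplitude of one frequency using the Goertzel algorithm."""
    coeff = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in samples:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    power = max(s1 * s1 + s2 * s2 - coeff * s1 * s2, 0.0)   # |X(f)|^2
    return 2 * math.sqrt(power) / len(samples)


def decode(samples, threshold=0.2):
    """Return the key whose row and column tones are both present, else None."""
    lows = [tone_amplitude(samples, f) for f in LOW_TONES]
    highs = [tone_amplitude(samples, f) for f in HIGH_TONES]
    row, col = lows.index(max(lows)), highs.index(max(highs))
    if lows[row] < threshold or highs[col] < threshold:
        return None
    return KEYPAD[row][col]


def mask(samples, amplitude=0.5):
    """The masking step: replace a keypress with a flat tone of equal length."""
    return [amplitude * math.sin(2 * math.pi * MASK_TONE * t / SAMPLE_RATE)
            for t in range(len(samples))]


def relay(frames, masking=True):
    """Audio frames the agent side receives, with or without masking in the path."""
    return [mask(f) if masking else f for f in frames]
```

With masking on, every frame the agent (or anyone recording the call) hears decodes to nothing, while the payment system on the caller side still received the original tones.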
Least-cost routing, in regard to payments processing, is the ability of merchants to choose which payment network (EFTPOS, Visa or MasterCard) processes their debit transactions. Processing debit transactions via the EFTPOS network costs less than via the credit card processing network, which is why least-cost routing is attractive to merchants.
In Australia, least-cost routing is gaining attention as the Reserve Bank of Australia has mandated that merchants must now have a say on how debit transactions are processed and directed the “Big 4” banks to implement least-cost routing as a priority.
By enabling merchants to choose how debit transactions are processed, costs can be reduced leading to significant savings for merchants who are processing millions of dollars of sales.
This is particularly important to Australian retailers, who are facing challenging market conditions and high customer use of tap-and-go technology, which has traditionally been processed via the credit card network.
IPSI's contact centre solution, AgentSecure®, allows contact centre agents to take payments securely whether they are working from home or in the office. Home-based agents do not come into contact with credit card information when using AgentSecure®, so PCI DSS compliance is maintained.
No. Special equipment is not required for call centre agents to use AgentSecure at home. All an agent requires is a softphone to connect to a PBX and access to the internet.