
PCI DSS Compliance

Bank-approved security that protects your business

Security of payment card data is crucial in the online world. The standard that governs it is the Payment Card Industry Data Security Standard (PCI DSS). It is maintained by the PCI Security Standards Council, founded by the major card brands (American Express, Discover, JCB, Mastercard and Visa), and its requirements are enforced on merchants through their acquiring banks.

Compliance with this standard is compulsory for all merchants who accept payment cards. You must be PCI DSS compliant if you handle, process, store or transmit payment card details, whether on computer or on paper. Broadly, PCI DSS covers the encryption and protection of card data from attackers, but it also sets rules on the physical security of the premises where card data is handled.

There are severe penalties if card information is compromised while you are non-compliant, and you agree to these penalties as part of your agreement with your acquirer. If you are found to be non-compliant but have not lost any card information, you may be fined or have your transaction charges increased sharply until you become compliant.

See below for responses to common questions we are asked about PCI DSS:

Who is responsible for complying with PCI DSS?

The responsibility for PCI DSS compliance rests with you, the merchant, and with your card acquirer. If it has not already done so, your acquirer will be taking steps to ensure your compliance. Suppliers such as SellerDeck or SagePay are not responsible for your compliance.

How do I become PCI DSS compliant?

You can become PCI DSS compliant in one of two ways:

  • Use SellerDeck Payments or an alternative payment service provider (PSP). Your customers and staff only ever enter card details on the PSP's own pages, so your systems never see a card number. The PSP carries most of the compliance burden and you are left with a few straightforward actions. SellerDeck strongly recommends this route. SellerDeck Payments has been PCI DSS Level 1 certified for more than three years.
  • Make your own infrastructure compliant. This is complicated, difficult and expensive: every system that handles card data falls within scope and must meet the full standard. For the majority of small businesses, achieving proper compliance this way will not be practical or cost-effective. SellerDeck is unable to help merchants achieve compliance through this route because of the risks and costs involved.

Are SellerDeck software products PCI DSS compliant?

All SellerDeck software products, when used with a PCI DSS compliant payment service provider (PSP) such as SellerDeck Payments, can be run in a PCI DSS compliant manner, either immediately or with straightforward changes. Bear in mind that PCI DSS compliance is assessed against your environment and processes, not against a software product on its own.

If card details are captured on your own website, using a compliant PSP does not make you compliant: your site and the infrastructure behind it are then in scope and must meet the full standard (see below).

Am I truly PCI DSS compliant?

The confusing thing about PCI DSS compliance is that it is possible for the bank (or the bank's recommended security company) to imply that you are compliant when you are not. If you read the small print you will find that it is you who is stating that you are compliant, not any third party service.

True compliance, i.e. where you would pass a proper audit against the standard, is almost impossible for a small company to achieve unless a compliant Payment Service Provider (PSP) is used. To illustrate this, SellerDeck knows of two companies that undertook full compliance themselves, at a cost of c£45k and c£85k respectively. One example of the associated issues is that you cannot have cleaners in for the evening, because unsupervised people in areas where card data is handled breaks compliance. Although you may pass a security scan, if your security is compromised the banks will check everything, and anyone who stores card data, whether using SellerDeck or another system, and who has not spent the sort of money above, will end up being declared non-compliant, fined and forced to follow the most stringent rules. This would put most small companies out of business.

It is also important to consider that the activities of hackers have stepped up in the last few years. They are now organised criminal gangs, and they can and will target companies that store card data. As the big companies get on top of the problem, the attackers' attention is moving down the market. At SellerDeck we have already seen highly organised attacks on our own servers.

SellerDeck has always had a major focus on security: we used asymmetric encryption of card data back in 1997, when few people were concerned about any of this. However, because of the threat from attackers and the impossibility of properly securing servers without spending large amounts of time and money, our position is that no small business should capture card data on its site, and it definitely should not store any card data. Instead, use a PSP for both web and MOTO (phone) orders, so that your servers never see the card details. It is the quickest, safest and cheapest way of becoming compliant.

Do I need a website security scan if I use a PSP?

If you use a payment service provider (PSP), and all payment card details are captured on the PSP's website, a security scan of your own website is not required for PCI DSS compliance. However, a scan of your site does provide additional protection. Its purpose is to help secure your website against an attacker who alters your pages so that shoppers are redirected from your site to a rogue site that captures their card details.

A merchant who uses a PSP and suffers a simple redirection attack will quickly notice, because payments stop coming through, and will therefore act quickly to remove the compromise. The attacker obtains relatively few card details, so in practice this type of attack is less attractive and less likely, which is why a security scan of your website is not compulsory in this scenario. Note that this reasoning only holds for an attack that breaks the payment flow. A script injected into your checkout page that copies card details to the attacker while still sending the shopper on to the PSP does not stop payments, and can go unnoticed for a long time; catching it requires monitoring the integrity of your pages, not just watching your takings.

If you do have your website scanned, do not assume that all risk has been removed or that you are therefore PCI DSS compliant: there is much more to PCI DSS than a scan, and a scan will not eliminate every risk.
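The redirection attack described above is something you can check for yourself between scans: fetch your live checkout page and confirm that every payment form, script, frame and redirect still points at your own site or your PSP, and nowhere else. The following is an added example, not SellerDeck code; the host names (shop.example.com, secure.psp.example and the attacker hosts) and both sample pages are constructed for illustration.

```python
"""Checkout-page integrity check.

Flag any form action, script source, iframe source or <meta refresh> target on a
checkout page that does not point at the merchant's own site or the approved
payment service provider (PSP). Added example; hosts below are assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts the checkout page may send shoppers to or load code from.
# Hypothetical values: substitute your own domain and your PSP's real hosts.
ALLOWED_HOSTS = {"shop.example.com", "secure.psp.example"}

# (tag, attribute) pairs that can move the shopper, or their card data, off-site.
WATCHED = {("form", "action"), ("script", "src"), ("iframe", "src")}


class OutboundRefs(HTMLParser):
    """Collect (tag, url) for every watched attribute and every <meta refresh>."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        for t, name in WATCHED:
            if tag == t and a.get(name):
                self.refs.append((tag, a[name]))
        # <meta http-equiv="refresh" content="0; url=https://..."> is a redirect too
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            content = a.get("content", "")
            if "url=" in content.lower():
                self.refs.append(("meta-refresh", content.split("=", 1)[1].strip()))


def check_checkout_page(html, allowed_hosts=ALLOWED_HOSTS):
    """Return the list of (tag, url) references that leave the approved hosts.

    Relative URLs stay on the merchant's site and are accepted. Protocol-relative
    URLs (//host/path) resolve to a host and are checked like absolute ones. Any
    non-http(s) scheme (javascript:, data:) on a watched attribute is flagged,
    since a payment form has no business posting to such a target.
    """
    parser = OutboundRefs()
    parser.feed(html)
    findings = []
    for tag, url in parser.refs:
        parts = urlsplit(url.strip())
        if parts.scheme and parts.scheme.lower() not in ("http", "https"):
            findings.append((tag, url))
        elif parts.hostname and parts.hostname.lower() not in allowed_hosts:
            findings.append((tag, url))
    return findings


# Constructed sample: a clean page whose form posts to the PSP.
CLEAN_PAGE = """<html><body>
<form id="pay" method="post" action="https://secure.psp.example/pay">
  <input type="hidden" name="order" value="1001">
</form>
<script src="/js/checkout.js"></script>
</body></html>"""

# Constructed sample of a tampered page: the form now posts to a look-alike host,
# a redirect has been added, and a skimmer script is loaded from the attacker.
TAMPERED_PAGE = """<html><head>
<meta http-equiv="refresh" content="0; url=https://secure-psp.example.net/pay">
</head><body>
<form id="pay" method="post" action="https://secure-psp.example.net/pay">
</form>
<script src="//cdn.evil.example/s.js"></script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        findings = check_checkout_page(page)
        print(name, "OK" if not findings else findings)
```

Run it against a copy of your live checkout page on a schedule and alert on any finding. It will not catch an inline script edited in place; for that, compare the fetched page against a hash of a known-good copy as well.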

Can I capture card details and re-key them into my PDQ machine?

Card scheme rules require cardholder present (CP), cardholder not present (CNP) and ecommerce transactions to be flagged separately. If you take card details online through a PCI DSS compliant system but then manually re-key them into a CNP PDQ terminal, the transaction is mis-flagged, you breach card scheme rules, and 3D Secure cannot be applied. Re-keying also means the card details pass through your own systems or paperwork, bringing them into scope of the full standard. This is why SellerDeck does not support such configurations.

If you nevertheless wish to pursue this route, follow the standards at www.pcisecuritystandards.org

Note that even if your buyer enters their payment details into a page on your website which then passes them to a PCI DSS compliant PSP, your website must still be fully PCI DSS compliant, because you are collecting the card details and passing them on. Any compromise of your website could allow a rogue third party to acquire the card details in transit.

What paperwork do I need to complete to become compliant using a PSP?

Following discussions with the PCI DSS teams at major banks, these are SellerDeck's recommended options. Note that the SAQ validation types quoted below come from an earlier version of the standard; the set of SAQ forms has been revised since, so confirm the current form with your acquirer or at the PCI SSC link below.

  • If you only take card payments for ecommerce orders using the web page of a compliant PSP, your website does not need a security scan, although it is still good practice to have one. You are SAQ validation type 1 and need to complete SAQ form A.
  • If you take card payments for ecommerce orders using the web page of a compliant PSP, and also take mail order or card present payments using a card terminal (PDQ), you are SAQ validation type 3 and will need to complete SAQ form B.
  • If you take card payments for ecommerce orders using the web page of a compliant PSP, and also use the compliant PSP's web form for taking mail order payments from your office, you must have an external vulnerability scan of your office network by an Approved Scanning Vendor (to make sure attackers cannot get in from outside) and you are required to run anti-virus software on every PC. You are SAQ validation type 4 and need to complete SAQ form C.

These are the three options recommended by SellerDeck because they combine the best security with the least cost and hassle.

If you are in any doubt about which SAQ to complete, some banks have arranged for Security Metrics or a similar company to take you through a free needs analysis and determine which SAQ form you should complete.

Security Metrics and other providers can perform the external scan for the third case (Type 4 / SAQ C) at a reasonable cost, even if you connect to the Internet over broadband and do not have a fixed IP address.

Details of up to date SAQ forms can be found at:
https://www.pcisecuritystandards.org/saq/instructions_dss.shtml#instructions

If you use a compliant PSP to capture ALL card data, when completing your SAQ tick “Yes” and simply put the name of the PSP in the “Special” column for the requirements that are fulfilled by the PSP (so for SellerDeck Payments you would put “Via Creditcall”, who provide our service, in the “Special” column).

If you do not use a PSP to capture card data, a lot more compliance activities are required.

SellerDeck Payments continues to offer the highest level of functionality of any online payments system compatible with SellerDeck products. Unique benefits for SellerDeck users include:

  • Sophisticated fraud screening service provided by Datacash Fraud Protection Services, supported by SellerDeck.
  • Process debit and credit card transactions, directly from the SellerDeck interface for both online orders and mail order / telephone orders (MOTO)
  • Ability to refund, void, commit pre-authorised payments and take additional payments if orders change direct from the SellerDeck order processing interface.
  • 100% PCI DSS compliant to provide the highest level of security for processing transactions.
  • To see the compliance documentation for CreditCall which powers SellerDeck Payments, please contact SellerDeck support who will be able to provide this.