
Regulation & Compliance

There are many regulations that retailers must comply with when accepting payments. Using Sellerdeck Payments by Opayo, we either comply on your behalf or enable you to comply by following an easy process and completing a simple form, as explained on this page.

The two main regulations to comply with are: PCI DSS and PSD2. Sellerdeck Payments powered by Opayo is PCI DSS and PSD2 compliant, including 3D Secure v2.

To view Sellerdeck Payments powered by Opayo’s PCI DSS certificate, click here.

Payment Card Industry Data Security Standard (PCI DSS)

This is a joint venture between Visa and Mastercard, supported by all banks, with the aim of reducing fraudulent activity.

Compliance with this standard is compulsory for all merchants who accept payment cards. You must be PCI DSS compliant if you handle, process or store payment card details either on a computer or on paper. Broadly, PCI DSS covers rules about encryption and protection of card data from fraudsters, but it also has rules on the physical security of your buildings.

There are severe penalties if card information is compromised as a result of non-conformance. As part of your agreement with your Merchant Service Provider or Acquirer, you agree to these penalties. If you are discovered to be non-compliant, but have not lost card information, you may be fined or may have your merchant rates increased drastically until you become compliant.

See below for responses to common questions we are asked about PCI DSS:

The responsibility for PCI DSS compliance rests with you, the merchant. Suppliers such as Sellerdeck are not responsible for your compliance.

Use Sellerdeck Payments powered by Opayo or an alternative payment gateway which is PCI DSS Compliant. Ensure you use the payment gateway on your website and for telephone orders using the virtual terminal.

If you only accept payments online using a compliant payment gateway, you are SAQ validation type 1, and need to complete SAQ form A.

If you accept payments online and over the phone using a compliant payment gateway and virtual terminal, you are SAQ validation type 4, and need to complete SAQ form C. You must obtain an external scan of your office network (to ensure hackers cannot access your network) and you are required to run a virus checker on every PC.

These are the two options recommended by Sellerdeck because they combine the best security with the least cost and hassle.

If you are in any doubt about which SAQ to complete, some banks have arranged for Security Metrics or a similar company to take you through a free needs analysis and determine which SAQ form should be completed.

Security Metrics and other providers can provide the external scan for the telephone-order case (Type 4 / SAQ C) at a reasonable cost, even if you are connected to the Internet by broadband and don’t have a fixed IP address.

Details of up to date SAQ forms can be found at:
https://www.pcisecuritystandards.org/saq/instructions_dss.shtml#instructions

If you use a compliant payment gateway to capture ALL card data, when completing your SAQ tick “Yes” and simply put the name of the payment gateway in the “Special” column for the requirements that are fulfilled by the payment gateway (so for Sellerdeck Payments you would put “Via Opayo”, who provide our service, in the “Special” column).

PCI DSS is applicable to any service or provider who handles, processes or stores payment card details. If you use a compliant payment gateway, they will be handling, processing and storing the card details, and you will only hold a token with which to send instructions. Therefore your software and website do not need to comply with PCI DSS, as it is not applicable to them.

However, you will need a scan of your network if you take telephone orders. This is to ensure your network has not been hacked.

Payment Services Directive 2 (PSD2)

What is PSD2?

The Payments Services Directive v2 (PSD2) is a directive that aims to enhance the security of internet payments to reduce fraud.

For ecommerce businesses, the major change in PSD2 is Strong Customer Authentication (SCA), which is a security protocol commonly met by 3D Secure, although other methods are available.

The deadline for SCA is 1st January 2021 for the EU (within the EEA) and 14th September 2021 for the UK. However, SCA will be introduced gradually in the UK from 1st June 2021, so you must have a solution in place by 1st June 2021.

What is 3D Secure?

3D Secure is currently the market’s preferred method of authorising an online card transaction (digital wallets, such as PayPal and Amazon Pay, have other methods).

You’ve probably seen the password screen asking for the first, fourth and tenth character of your password, or a one-time SMS code, or a fingerprint check: that is 3D Secure.

The main benefit to you, the merchant, when using 3D Secure is the liability shift, meaning the card issuer (i.e. Visa, Mastercard) will accept liability for chargebacks.

How do I turn 3D Secure on?

To do this, log into your payment gateway portal and enable 3D Secure within the security settings; this is also where you can control other security and fraud settings. However, you may need to speak with your merchant service provider first to ensure 3D Secure is enabled (most providers have been automatically activating 3D Secure in preparation for SCA).

Exemptions

Certain transactions will be exempt from SCA to minimise friction in the customer payment journey. These are:

Low-value exemption

Card transactions below £35 (€50) are exempt. However, if the customer initiates more than five consecutive low-value payments, or if the total value of those payments exceeds €100, SCA will be required.

Recurring payment exemption e.g. subscription (Merchant Initiated Transactions)

Recurring payments of the same value to the same merchant (such as subscriptions and membership fees) are exempt from SCA after the initial transaction.

Whitelisting (or trusted beneficiary)

Cardholders will have the option to ‘whitelist’ a merchant they trust. After the first authentication is completed, they can ask their issuer to add the trusted merchant to their record. Subsequent transactions with whitelisted merchants are likely to be exempt from further authentication. Issuers can still reject this request if the cardholder is thought to be a high fraud risk.

Mail order / telephone order (MOTO) transactions

These are outside the scope of SCA, and therefore no action is required.

Disclaimer:

This information has been written by Josh Barling, CEO of Sellerdeck, and is information gathered from multiple resources with the intention of providing practical advice to Sellerdeck customers. Sellerdeck cannot be responsible for the way readers use and apply this information.