PCI Compliance
Maintain your business with PCI compliance
As cases of consumer fraud, identity theft and security breaches continue to make the news, adherence to the Payment Card Industry Data Security Standard (PCI DSS) is progressing toward ensuring the security of cardholder data. And, while many merchants work to meet the mandated certification and validation of their systems, the technological and financial risks of non-compliance continue to burden businesses of all sizes.
The fallout of non-compliance has a domino effect on your business, as the financial implications of a breach can destroy merchants of any size. You can mitigate risk by maintaining compliance and providing verification and certification as required by the industry. By following the standardised PCI DSS procedures, you can:
- Protect your customers’ personal data
- Boost customer confidence through a higher level of data security
- Insulate your organisation from financial losses and remediation costs
- Maintain customer trust, and safeguard the reputation of your brand
Take stock
A framework for safeguarding sensitive data for all credit card brands, PCI DSS applies to all acceptance environments, including retail (face-to-face), mail- or telephone-order, and e-commerce. Businesses of all types and sizes are affected, so now is the time to understand what you can do to achieve PCI compliance.
The questions below can help you analyse your compliance needs. The first three questions cover essential components of a PCI-compliant environment and, when these are not kept up to date, they account for the greatest opportunity for compromise.
- Is virus protection up to date and provided by a reputable company?
- Are the latest software revisions, such as security patches, in place for the operating system?
- Is adequate firewall protection installed and up to date?
- What vendor provides your point-of-sale payment software? Has software been created internally? Does the payment application store card numbers, track data, or PIN data?
- How many people in your organisation have access to cardholder data?
- Are passwords changed frequently, and do they differ from default passwords?
- Are back-office procedures compliant? These include storing paper reports under lock and key and limiting personnel access.
- Where is sensitive data stored? How many people can access it?
- Are mobile computing devices, such as laptops, PDAs, and devices with wireless access, also PCI compliant?
As of 1 October 2009, all e-merchants are required to comply with PCI DSS and all payment applications must be certified and validated annually.
There are two different e-merchant solutions that require validation:
- Hosted solution:
  - All cardholder information is stored, processed and transmitted only by a payment service provider (PSP) that is PCI DSS certified.
  - The merchant does not handle cardholder information.
- Non-hosted solution (API solution):
  - Cardholder information is stored, processed and transmitted by the merchant or another party.
  - Every solution is unique.
One requirement for both solutions is an annual Self-Assessment Questionnaire (SAQ), which is a validation tool merchants complete to help assess their PCI DSS compliance. The questionnaire can be downloaded here.
If you have a hosted solution, you must use SAQ form A.
If you have a non-hosted solution, you must use SAQ form D.
Please submit your completed SAQ either via e-mail or fax:
E-mail: PCINorge@elavon.com
Fax: +47 22 43 22 39. Remember to mark the fax with PCI.
For more information about PCI, please visit the following websites:
- PCI Security Standards
- Visa's Compliance Programme
If you have any questions about the PCI requirements, please contact us on telephone +47 22 43 22 46, or send an e-mail to PCINorge@elavon.com.