Complete PCI Compliance Guide

PCI Compliance made easy.

Contents

- What is PCI Compliance?
- What happens if I don't comply with PCI compliance?
- 12 Requirements for PCI Compliance
- How much does it cost to become PCI Compliant?
- How do I validate my PCI compliance?
- Can Paytia help with PCI compliance?
- Do I have to complete a Self-Assessment Questionnaire?
- Enabling a BMW Main Dealership to meet its PCI DSS obligations
- Total Tiles Case Study

 

What is PCI Compliance?

 


 

The major credit card companies - Visa, Mastercard and American Express - established the Payment Card Industry Data Security Standards (PCI-DSS) guidelines in 2006 in an effort to protect credit card data from fraud and theft.

Each year billions of dollars worth of fraudulent credit card transactions take place in the United States. PCI-DSS tries to halt the increasing trend of credit card fraud. Protecting customer data and payment information must be a priority for businesses otherwise they face devastating reputation loss.

Understanding your PCI compliance responsibilities can help your business remain compliant and protect its staff and customers.

ALSO READ: What is PCI-DSS Level 1?


What happens if I don't comply with PCI Compliance?

 

If you can't prove your PCI compliance, your business could face a number of negative consequences, such as:

  • PCI non-compliance charges.
  • Damaging loss of reputation for your business.
  • Loss of customer trust.
  • Loss of customer identity and payment information.
  • Higher banking charges.

 


 

12 Requirements for PCI Compliance 

 

Goal: Build and Maintain a Secure Network and Systems
  Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Goal: Protect Cardholder Data
  Requirement 3: Protect stored cardholder data
  Requirement 4: Encrypt transmission of cardholder data across open, public networks

Goal: Maintain a Vulnerability Management Program
  Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
  Requirement 6: Develop and maintain secure systems and applications

Goal: Implement Strong Access Control Measures
  Requirement 7: Restrict access to cardholder data by business need to know
  Requirement 8: Identify and authenticate access to system components
  Requirement 9: Restrict physical access to cardholder data

Goal: Regularly Monitor and Test Networks
  Requirement 10: Track and monitor all access to network resources and cardholder data
  Requirement 11: Regularly test security systems and processes

Goal: Maintain an Information Security Policy
  Requirement 12: Maintain a policy that addresses information security for all personnel

ALSO READ: Credit card protection: Understanding the 12 PCI security requirements


How much does it cost to become PCI Compliant?

The answer depends on a number of factors. There is a cost involved in becoming compliant, but it can be dwarfed by the fines your payment provider could levy for non-compliance.

 


How do I validate my PCI compliance?

You can validate your business's PCI compliance by filling out a Self-Assessment Questionnaire (SAQ). It is the way your business demonstrates that it is taking the security measures needed to keep your customers' credit card data safe. PCI SAQs vary in length, but each lists the controls and procedures your business should be following to keep payment card data safe.


Can Paytia help with PCI Compliance?

Paytia is a PCI Level 1 Service Provider and can save you answering 93% of questions when preparing the Self-Assessment Questionnaire and prepares you for full PCI Compliance.

Paytia specialises in providing a PCI compliant payment by phone solution with our Secure Virtual Terminal, suitable for one user or call centres with our scalable payment environment. Your customers enter their details via their phone keypad, and your agent will see live input on their computer screen, but with the card number displayed as ‘XXXX.’ Paytia replaces the need for your staff to ask your customers to audibly read their sensitive credit card details and keeps you in scope for PCI compliance.
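The masked display described above, where the agent sees the card number as 'XXXX' rather than the full PAN, is the same idea PCI DSS Requirement 3 applies to stored and displayed cardholder data: show only the digits a role actually needs. The following Python is an added example, not Paytia's code; the function names, the 13-to-19-digit length check, the "keep the last four" policy and the sample strings are assumptions made for illustration. It normalises a PAN as a caller might type it, masks it for display, and redacts PAN-like runs from free text such as call notes or logs so full card numbers never land in places they should not.

```python
import re

MASK_CHAR = "X"
# PCI DSS masking usually allows at most the first six and last four digits
# to be shown; this example keeps only the last four (assumed policy).
VISIBLE_LAST = 4


def normalise_pan(raw: str) -> str:
    """Strip spaces and dashes and return the bare digit string.

    Raises ValueError when the input is not a plausible PAN
    (assumed rule: 13 to 19 digits, nothing else).
    """
    digits = re.sub(r"[ \-]", "", raw)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number")
    return digits


def is_plausible_pan(raw: str) -> bool:
    """Boolean wrapper around normalise_pan for callers that must not raise."""
    try:
        normalise_pan(raw)
        return True
    except ValueError:
        return False


def mask_pan_for_display(raw: str) -> str:
    """Return the PAN with every digit but the last VISIBLE_LAST replaced by X.

    This is what an agent's screen should show instead of the full number.
    """
    digits = normalise_pan(raw)
    return MASK_CHAR * (len(digits) - VISIBLE_LAST) + digits[-VISIBLE_LAST:]


# Matches 13-19 digits optionally separated by single spaces or dashes,
# e.g. "4111 1111 1111 1111" or "4111-1111-1111-1111".
_PAN_LIKE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def redact_pans_in_text(text: str) -> str:
    """Replace any PAN-like digit run in free text with its masked form.

    Useful as a last line of defence before call notes or application logs
    are written, so a full PAN typed into a comment field is not persisted.
    Runs that fail the plausibility check are left untouched.
    """
    def _mask(match: re.Match) -> str:
        candidate = match.group(0)
        if is_plausible_pan(candidate):
            return mask_pan_for_display(candidate)
        return candidate

    return _PAN_LIKE.sub(_mask, text)


if __name__ == "__main__":
    # Constructed sample: a widely used test card number, not a real account.
    print(mask_pan_for_display("4111 1111 1111 1111"))
    print(redact_pans_in_text("Caller gave PAN 4111-1111-1111-1111 for invoice 42"))
```

The redaction pass deliberately leaves short digit runs such as invoice numbers alone; the plausibility check is a length-and-digits test only, so a stricter deployment would add a check digit validation before treating a run as a PAN.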

 


 

Do I have to complete a Compliance Self-Assessment Questionnaire (SAQ)?

Yes, your business will have to complete a compliance self-assessment questionnaire in order to be recognised as PCI compliant. However, if you choose Paytia as your payment provider, we can take responsibility for 93% of the questions in the compliance self-assessment questionnaire.

 

The table below can help you choose the correct self-assessment questionnaire.

Questionnaire: how do you accept payment cards?

SAQ A
  Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises.
  Not applicable to face-to-face channels.

SAQ A-EP
  E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn't directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises.
  Applicable only to e-commerce channels.

SAQ B
  Merchants using only:
  • Imprint machines with no electronic cardholder data storage; and/or
  • Standalone, dial-out terminals with no electronic cardholder data storage.
  Not applicable to e-commerce channels.

SAQ B-IP
  Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.
  Not applicable to e-commerce channels.

SAQ C-VT
  Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage.
  Not applicable to e-commerce channels.

SAQ C
  Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
  Not applicable to e-commerce channels.

SAQ P2PE-HW
  Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage.
  Not applicable to e-commerce channels.

SAQ D for Merchants
  All merchants not included in the descriptions for the above types.

SAQ D for Service Providers
  All service providers defined by a payment card brand as eligible to complete a Self-Assessment Questionnaire.

 

 

 


 

Enabling a BMW main dealership to meet its PCI-DSS obligations

 


 

Paytia delivered a solution that let staff accept payments over the phone without impacting the dealership's GDPR or PCI compliance obligations. It had to enable staff identification, invoice identification and tracking, and real-time emailing of transaction receipts to departments, all without affecting any existing systems. The system also had to be easy to use and not slow down the process of taking payments by phone.

 

READ MORE : BMW Main Dealership Case Study


 

Total Tiles Case Study

 

 


 

Total Tiles had two key objectives, security and speed, along with a number of key feature requirements.

The most urgent requirement was for customer-facing staff, who were now working from home during the pandemic, to be able to accept and process credit and debit card payments over the telephone. It was critical that this be available within days to ensure minimal interruption to their business operations, allowing them to continue within a safe and secure processing environment.

Paytia was the only company that could meet their requirements. Customers would no longer have to read out their credit card details to an agent working from home. Another huge benefit to the business was that only three days passed between the order being placed and transactions being processed. This was a fantastic achievement: a unique solution, implemented extremely quickly.

 

READ MORE: Total Tiles Case Study


 

Would your company benefit from being able to take credit card payments over the telephone - without the need for the customer to read out their confidential details?

NO integration required - Quick - Easy to implement - Low cost solution - FULLY PCI DSS compliant
