Payment Card Industry Data Security Standard (PCI DSS)

The Card Schemes are becoming increasingly concerned with the level of security protecting account and transaction information. They need to ensure that the level of protection a merchant employs is sufficient to deter hackers and criminals.

MasterCard announced in August 2005 that it was increasing the assessments that it would levy for merchants that are non-compliant with the PCI DSS. This was done to ‘reflect the important role played by the PCI DSS programme in maintaining the integrity of the MasterCard Payment system.’

If you do not comply, the Card Schemes may levy a charge on you for non-compliance.

If you are non-compliant, and then your systems are attacked and cardholder data is compromised, you could lose your card acquiring facility.

If the Card Schemes have accredited your agent then you will be able to use them. If not, you will need to choose another agent from the Card Schemes approved list.

If you use a PSP and your integration method means that your web shop software and back end systems do not store the card data on your systems then compliance with the standard will be undertaken by your PSP. You should ensure that they are compliant or working towards compliance. However, Streamline would recommend that you still carry out a review of your general data security practices on a regular basis.

However if you use a PSP but your integration method still enables you to capture the card details on your web shop software and back office systems then you will still need to comply with the standard.

If you have any doubt on the nature of your PSP integration please contact your PSP to confirm your type of integration and if the standard applies to you.

If you also process face to face and/or MOTO transactions it is likely that you will need to become compliant with PCI DSS irrespective of your PSP integration method.

An agent is a 3rd party company, business or person that you have used to undertake a part of your credit / debit card payment process. If the 3rd party stores, transmits or processes card data for you then they will need to be included - you will need to give Streamline the details. Examples of agents are businesses that a) provide a managed or hosted processing service, b) fulfilment houses who process credit/debit card orders on your behalf, c) undertake card data storage facilities for you. If you are in doubt we recommend you provide the details

Streamline supports the principle behind PCI DSS (Payment Card Industry Data Security Standards) which is to keep cardholder & transaction data secure. However there can be various parties which our retailer customers have individually contracted with, that are involved in the transaction process and may store, process or transmit sensitive card data. Unfortunately Streamline doesn’t always know who these 3rd parties are, and therefore we don't know if they are keeping card data securely by complying with PCI DSS.

It is the merchant who takes the card payment details who is responsible for the security of the card data. So if a retailer customer uses a 3rd party agent the retailer should make sure the agent is PCI DSS compliant, because any account data compromise at the agent may result in adverse publicity & ultimately potential fines for the retailer.

Streamline will be collating all the responses from merchant customers with our own list of known 3rd party agents, to create an up to date list which will be shared with card schemes. We will be working with the card schemes to make sure these agents are PCI DSS compliant, but the responsibility for the data remains with the merchant.

Please provide the information requested as soon as you can.

Streamline strongly recommends that merchants using 3rd party agents that store, process or transmit card data use only those agents that are PCI DSS compliant. If you are not sure, we recommend you contact the agents you use and ask them to confirm they are PCI DSS compliant.

Simply, nothing in the short term; But in the long term, if we don't know about the agents you use we can't help you keep your card data secure - the agents may be excluded from PCI DSS letters and other activity designed to raise awareness and achieve compliance with the PCI DSS.

For more information on the PCI DSS please go to:
http://www.pcisecuritystandards.org/

The following links provides detailed guidance for Merchants:

Visa:
http://www.visaeurope.com/aboutvisa/security/ais/
resourcesanddownloads.jsp

MasterCard: http://www.mastercard.com/uk/merchant/
en/security/what_can_do/SDP/merchant/index.html