Becoming PCI DSS Compliant

To improve security and cut fraud, the card schemes have created a set of Payment Card Industry Data Security Standards (PCI DSS) informing merchants and the payment industry how to securely store, process or transmit card data.

As a merchant you are required to adhere to the PCI DSS requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

If you are not compliant with the PCI DSS, you will be responsible for any losses through fraud and will be subject to considerable fines from the card schemes. In addition, your customers will suffer if their card details are compromised, and your business' reputation will be seriously damaged.

To become compliant with the PCI DSS, each of your business' profiles must follow the 12 requirements below and then validate its PCI DSS status using a Qualified Security Assessor. You'll need to continuously assess your operations, fix any vulnerabilities that are identified, and always send your latest certificate of compliance to CashFlows.

Please Note: If your business does not provide us with the latest certificate of PCI DSS compliance then you will automatically be enrolled on the CashFlows Compliance Programme.

For more information about PCI DSS, please visit www.pcisecuritystandards.org.

If your business stores, processes or transmits card data, you need to meet the following 12 PCI DSS requirements.

Build and maintain a secure network

  1. Install and maintain a firewall configuration to protect cardholder data.

  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data

  3. Protect stored cardholder data.

  4. Encrypt transmission of cardholder data across open, public networks.

Maintain a vulnerability management program

  5. Use and regularly update anti-virus software.

  6. Develop and maintain secure systems and applications.

Implement strong access control measures

  7. Restrict access to cardholder data by business "need to know".
     "Need to know" means access rights are granted only to the least amount of
     data and privileges needed to perform a job.

  8. Assign a unique ID to each person with computer access.

  9. Restrict physical access to cardholder data.

Regularly monitor and test networks

  10. Track and monitor all access to network resources and cardholder data.

  11. Regularly test security systems and processes.

Maintain an information security policy

  12. Maintain a policy that addresses information security.

Whether you process a handful of payments or millions of transactions every year, you will need to become PCI DSS compliant. Your business' merchant level determines how you MUST validate your compliance.

Level 1

  Criteria for level:
  • Any merchant processing over 6 million VISA or Mastercard transactions a year
  • Any compromised merchant

  Compliance requirements:
  • Annual onsite security assessment
  • Quarterly network scan may be required if your cardholder data infrastructure is connected to the internet

Level 2

  Criteria for level:
  • Any merchant processing one to six million VISA or Mastercard transactions a year

  Compliance requirements:
  • Annual Self Assessment Questionnaire
  • Quarterly network scan may be required if your cardholder data infrastructure is connected to the internet

Level 3

  Criteria for level:
  • Any merchant processing 20,000 to one million VISA or Mastercard e-Commerce transactions a year

  Compliance requirements:
  • Annual Self Assessment Questionnaire
  • Quarterly network scan may be required if your cardholder data infrastructure is connected to the internet

Level 4

  Criteria for level:
  • Any merchant processing fewer than 20,000 VISA or Mastercard transactions a year
  • All other merchants processing up to one million VISA or Mastercard transactions a year

  Compliance requirements:
  • Annual Self Assessment Questionnaire
  • Quarterly network scan may be required if your cardholder data infrastructure is connected to the internet

To validate that your business stores, processes or transmits card data securely, your business must complete the following validation requirements:

Level 1 merchants only

You must perform an onsite security audit. A Qualified Security Assessor (QSA) must validate this and provide you with a certificate of compliance.

Level 2, 3 & 4 merchants

You must complete one of the four Self Assessment Questionnaires. For details on each of the questionnaires, please refer to https://www.pcisecuritystandards.org/document_library

You can also find instructions on how to complete the Self Assessment Questionnaires on the PCI SSC site at https://www.pcisecuritystandards.org/documents/SAQ_InstrGuidelines_v3-1.pdf

Level 4 Merchants Compliance Programme

If you are unsure about how you can become PCI DSS compliant, CashFlows has partnered with SecurityMetrics to offer a Compliance Programme designed to help merchants meet the requirements of PCI DSS and validate their status.

Alternatively, you can contact a Qualified Security Assessor (QSA) to help you with this activity. A list of QSAs can be found by visiting https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors

To help your business become PCI DSS compliant, we have created a Compliance Programme for Level 4 merchants that includes both self assessment and full certification from a Qualified Security Assessor (QSA).

Self Assessment

Which self assessment questionnaire applies depends on the integration method you choose and how you intend to handle cardholder details.

If you are using CashFlows' default payment page, please download and complete the following questionnaire:

Download the Self Assessment Questionnaire A - Payment Page only Merchants (WORD 247 KB)

If you are using CashFlows' Virtual Terminal, please download and complete the following questionnaire:

Download the Self Assessment Questionnaire C-VT - Virtual Terminal only Merchants (WORD 497 KB)

Note: If you are using a third party to provide your Payment Page or Virtual Terminal, we will also require proof of that third party's PCI DSS compliance.

Please send your completed Self Assessment Questionnaires or a valid PCI DSS certificate to pci@cashflows.com

Full Certification

CashFlows, in partnership with SecurityMetrics (a Qualified Security Assessor), can provide a certification programme offering a range of services: a PCI DSS audit, website certification to verify your credit card handling processes and, if applicable, a test of your Internet-facing systems to determine whether they comply with the Payment Card Industry (PCI) Data Security Standards.

The Full Certification Programme helps you complete the following Self Assessment Questionnaires and validate your business, highlighting any additional steps you need to take to remediate non-compliance. Upon completion of the validation, SecurityMetrics will provide your business with a certificate of compliance and a compliance logo that can be displayed on your website to show visitors that you have achieved PCI DSS compliance.

Download the Self Assessment Questionnaire C - Remote API Merchants (WORD 414 KB)

Download the Self Assessment Questionnaire D - Service Providers with full exposure to card details (WORD 1.12 MB)

The Full Certification Compliance Programme costs £99 per profile and is billed annually in advance.

If you are already compliant or wish to use your own QSA, please send your valid certificate of compliance to pci@cashflows.com