Becoming PCI DSS Compliant
To improve security and cut fraud, the card schemes have created a set of Payment Card Industry Data Security Standards (PCI DSS) informing merchants and the payment industry how to securely store, process or transmit card data.
As a merchant you are required to adhere to the PCI DSS requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.
If you are not compliant with the PCI DSS, you will be responsible for any losses through fraud and will be subject to considerable fines from the card schemes. In addition, your customers will suffer if their card details are compromised, and your business' reputation will be seriously damaged.
To become compliant with the PCI DSS, each of your business' profiles must follow the 12 requirements below and then validate its PCI DSS status using a Qualified Security Assessor. You'll need to continuously assess your operations, fix any vulnerabilities that are identified, and always send your latest certificate of compliance to CashFlows.
Please Note: If your business does not provide us with the latest certificate of PCI DSS compliance then you will automatically be enrolled on the CashFlows Compliance Programme.
For more information about PCI DSS, please visit www.pcisecuritystandards.org.
If your business stores, processes or transmits card data, you need to meet the following 12 PCI DSS requirements.
Build and maintain a secure network
Install and maintain a firewall configuration to protect cardholder data.
Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data
Protect stored cardholder data.
Encrypt transmission of cardholder data across open, public networks.
Maintain a vulnerability management program
Use and regularly update anti-virus software.
Develop and maintain secure systems and applications.
Implement strong access control measures
Restrict access to cardholder data by business "Need to know".
"Need to know" is when access rights are granted to only the least amount of data and privileges needed to perform a job.
Assign a unique ID to each person with computer access.
Restrict physical access to cardholder data.
Regularly monitor and test networks
Track and monitor all access to network resources and cardholder data.
Regularly test security systems and processes.
Maintain an information security policy
Maintain a policy that addresses information security.
Whether you conduct a few payment processes or millions of transactions every year, you will need to become PCI DSS compliant. Your business' particular merchant level will determine how you MUST validate your compliance.
Merchant level table (columns: Level, Criteria for level, Compliance requirements)
To validate that your business stores, processes or transmits card data securely your business must complete the following validation requirements:
Level 1 merchants only
You must perform an onsite security audit. A Qualified Security Assessor (QSA) must validate this and provide you with a certificate of compliance.
Level 2, 3 & 4 merchants
You must complete one of the four Self Assessment Questionnaires. For details on each of the questionnaires, please refer to https://www.pcisecuritystandards.org/document_library
You can also find instructions on how to complete the Self Assessment Questionnaires on the PCI SSC site at https://www.pcisecuritystandards.org/documents/SAQ_InstrGuidelines_v3-1.pdf
Level 4 Merchants Compliance Programme
If you are unsure about how you can become PCI DSS compliant, CashFlows has partnered with SecurityMetrics to offer a Compliance Programme designed to help merchants meet the requirements of PCI DSS and validate their status.
Alternatively, you can contact a Qualified Security Assessor (QSA) to help you with this activity. A list of QSAs can be found by visiting https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors
To help your business to become PCI DSS compliant we have created a Compliance Programme for Level 4 merchants, including both self assessment and a full certification from a Qualified Security Assessor (QSA).
Self assessment is dependent on the type of integration method you choose to use and how you intend to use cardholder details.
If you are using CashFlows' default payment page, please download and complete the following questionnaire:
Download the Self Assessment Questionnaire A - Payment Page only Merchants (WORD 247 KB)
If you are using CashFlows' Virtual Terminal, please download and complete the following questionnaire:
Download the Self Assessment Questionnaire C-VT - Virtual Terminal only Merchants (WORD 497 KB)
Note: If you are using a third party to provide you with a Payment Page or Virtual Terminal, we will also require proof of the third party's PCI DSS compliance.
Please send your completed Self Assessment Questionnaires or a valid PCI DSS certificate to firstname.lastname@example.org
CashFlows, in partnership with SecurityMetrics, a Qualified Security Assessor, can provide a certification programme that offers a range of services, including a PCI DSS audit, website certification to verify your credit card handling processes and, if applicable, a test of your Internet systems to determine whether they comply with the Payment Card Industry (PCI) Data Security Standards.
The Full Certification Programme helps you to complete the following Self Assessment Questionnaires and validate your business, highlighting any additional steps you need to take to remediate non-compliance. Upon completion of the validation, SecurityMetrics will provide your business with a certificate of compliance and a compliance logo that can be displayed on your website to show visitors that you have achieved PCI DSS compliance.
Download the Self Assessment Questionnaire C - Remote API Merchants (WORD 414 KB)
Download the Self Assessment Questionnaire D - Service Providers with full exposure to card details (WORD 1.12 MB)
The Full Certification Compliance Programme costs £99 per profile and is billable in advance annually.
If you are already compliant or wish to use your own QSA, please send your valid certificate of compliance to email@example.com