2. PCI DSS (Payment Card Industry Data Security Standard)

The Payment Card Industry Security Standards Council (founded by American Express, Discover, JCB, MasterCard and Visa) sets demanding data security standards for anyone who stores, processes or transmits customers' credit and debit card details, and the standards become more stringent with each new release of PCI DSS.

Arguably, this is as it should be: cardholder data is highly sensitive and the threat is real - according to FFA UK, fraud losses on UK-issued cards totalled £567.5 million in 2015. In addition, the fines that can follow a data breach are punitive (in the region of €20,000 per incident).

The requirements placed on the IT infrastructure of a typical SME are so onerous, however, that the general advice is to avoid any interaction with your customers' card details at all. This means not only never storing them but also implementing systems so that they never pass through your hands in the first place. In PCI DSS terminology this is referred to as taking your systems out of scope (more precisely, reducing the scope of your cardholder data environment).

In essence, this is dealing with the problem of card security by avoiding the need for it!

 

2.1 What is covered by PCI DSS?

Whilst some may think that PCI DSS is all about website security, it isn't! The requirements of PCI DSS apply to all of your business's interactions with customers' credit and debit cards, including:

  • Payments via your website
  • Payments over the phone
  • Customers paying using a Chip & PIN terminal (wired, WiFi or cellular)

PCI DSS is also not only about IT - it covers your internal processes too, for example a manual (paper-based) backup procedure for when your network, Internet connection or power supply is down. A paper form carrying a card number is cardholder data just as much as a database record is.

 

2.2 Can axisfirst advise me on achieving PCI DSS compliance?

No! Formal advice, guidance and assessment for PCI DSS should come from a Qualified Security Assessor (QSA), and axisfirst is not a QSA.

There are individuals working as QSA consultants and a number of specialist companies offering QSA services - one will probably have been recommended to you by your acquiring bank but a simple web search will identify many more.

QSAs exist to provide consultancy to companies on PCI DSS compliance and will charge commercial consultancy rates for their advice - and, because they are offering a highly specialist service that requires a very particular skill set, these services generally carry a significant premium. Daily rates are certainly in the four-figure bracket and a PCI DSS assessment will invariably take a number of days.

 

2.3 Taking your systems out of scope

If you need to be fully PCI DSS compliant with card data on your own systems, you will need to budget for an annual assessment (an on-site QSA assessment for the largest merchants; most SMEs complete a Self-Assessment Questionnaire, or SAQ, whose length depends on how much card data your systems handle), subscribe to regular penetration tests of your website and network and to quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), and then budget to implement their recommendations.

Alternatively, you can aim to put your ICT infrastructure and your website out of scope by ensuring that your customers' card details never touch them! Assuming that you still want to accept card payments, there are a number of ways of achieving this.

 

2.3.1 Website

All axis vMerchant websites built by axisfirst use hosted payment pages provided by the Payment Service Provider (PSP); typically Opayo.

This means that, at the point your customer supplies their card details during the checkout process, they are no longer on your axis vMerchant website or web server but on the Payment Service Provider's site, so the card number is never received, processed or stored by your server.

You should obtain the Payment Service Provider's Attestation of Compliance (AOC), sometimes called a certificate of PCI compliance, at least annually and keep it with your own compliance records. Note that a hosted payment page reduces rather than eliminates your obligations: a merchant whose website hands the customer over to a PSP typically self-assesses under the shortest questionnaire (SAQ A), and the web server that performs the redirect still needs to be protected against tampering, since an attacker who can alter it can send customers to a fake payment page.

 

2.3.2 Telesales

Taking card details over the phone (known in the banking world as MOTO - Mail Order/Telephone Order) and processing them in a way that keeps your network out of scope is more complex than the website case.

If, for example, you record telephone calls and those recordings include people reading out their card details, then (assuming the recordings are stored on or accessible from your network) this brings your entire network into the scope of PCI DSS. Note also that the card security code (CVV2) must never be retained after authorisation, even in encrypted form, so a recording of a customer reading it out is a problem in itself.

Even if you do not record calls, if card details are spoken and your telephone calls use VoIP (Voice over IP), whether from a computer or a dedicated phone system, then your phone system and all or part of your ICT infrastructure may fall into the scope of PCI DSS, because the card number crosses your network as packets.

Similarly, if you type customers' card details into software, even a web browser, and that software runs on a machine on your network then, again, part or all of your network comes within the scope of PCI DSS.

There are a number of options for handling MOTO payments whilst keeping card details off your network - either by using a specialist third-party service (such as Aeriandi AgentPay) or by taking steps to reduce the number of occasions on which you need to take payments over the phone. Any remaining payments can be processed manually using a payment terminal ("PDQ" machine) or a web browser on a device that is not on your network (such as a tablet using the cellular 3G/4G network) to enter the payment via a PSP's payment portal.

Remember also that other company policies can help reduce the need for phone-based payments - for example, charging for delivery on telephone orders but offering free delivery on web orders.

 
2.3.2.1 Aeriandi AgentPay

Aeriandi AgentPay sits between your telesales operator and your customer and masks the card details from the phone call whilst simultaneously passing those details to the PSP for processing. The payment transaction details are then passed to axis diplomat in the same way that web transactions would be.

Whilst on the phone, the customer is asked to enter their card details using their phone keypad (using touchtones or "DTMF"). Alternatively, they can read out their card details and Aeriandi will capture them using voice recognition. The card details are filtered from the call before it reaches your phone system or network. Your telesales operator stays on the line but cannot hear the card details and does not have to process the payment themselves.

axis diplomat can support Aeriandi AgentPay when used in conjunction with Opayo as the Payment Service Provider.

 
2.3.2.2 Tokens

Opayo offers a facility known as Opayo Tokens. With this mechanism, anyone using your website checkout can choose to save their card details for future use. The card details are held by Opayo and are referenced by a unique token (ID); the token is useful only to Opayo and cannot be turned back into a card number by anyone else, so it is not cardholder data. This allows returning visitors to pay using a saved card whilst still keeping your website out of scope for PCI DSS, as no card details are stored on your systems.

Token details can be imported into axis diplomat from your axis vMerchant website (along with the sales order) and are then available for future telesales orders from the same customer. This means that you do not need to take card details from callers who are making repeat purchases provided that they want to re-use a card that they have previously used on your website.
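The two points made in this section - that a call recording, support ticket or spreadsheet containing a spoken or typed card number drags the system holding it into scope (2.3.2), and that a tokenised order record holds nothing an assessor would treat as cardholder data (2.3.2.2) - can be checked rather than assumed. The following is an added example written for this page and is not axisfirst, Opayo or Aeriandi code: a small scanner that looks for card-number-shaped digit runs in text and confirms them with the Luhn checksum, so that invoice or order numbers are not mistaken for cards. The sample records are constructed, the two numbers it flags are widely published test card numbers rather than real cards, and the token format shown is made up for the example.

```python
import re
from typing import Dict, List

# A candidate card number (PAN): 13 to 19 digits, optionally separated by
# single spaces or hyphens, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check that all card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the PANs found in text, normalised to digits only.

    A hit must have the right shape and a valid Luhn checksum; the checksum
    test stops ordinary invoice or order numbers being reported as cards.
    """
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """The most a merchant record should retain on its own: the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_records(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan named text blobs and return only those that contain a probable PAN."""
    findings = {}
    for name, text in records.items():
        pans = find_pans(text)
        if pans:
            findings[name] = pans
    return findings


# Constructed samples standing in for a call transcript, a support ticket, a
# tokenised order record and an invoice line (none are real data). The numbers
# 4111 1111 1111 1111 and 5555 5555 5555 4444 are published test cards; the
# token value is made up and does not follow any real PSP's format.
SAMPLES = {
    "call_transcript": "Customer read out card 4111 1111 1111 1111, expiry 12/27, CVV 123",
    "support_ticket": "Order 1043 paid, ref 5555-5555-5555-4444, please refund",
    "tokenised_order": "Order 1044 paid with token 7f3e9c1a; card **** **** **** 4444",
    "invoice_line": "Invoice reference 1234567890123456 issued",
}

if __name__ == "__main__":
    for name, pans in scan_records(SAMPLES).items():
        print(f"{name}: contains card data {[mask(p) for p in pans]} - in scope")
```

Run it (Python 3.8 or later) over exports of anything that might have captured a card number - call-recording transcripts, CRM notes, mailbox exports, log files - before deciding that a system is out of scope. The invoice line is deliberately a 16-digit number that fails the Luhn check, so it is not reported; the tokenised order, holding only a token and the last four digits, is not reported either. A single genuine hit means that system, and anything it is connected to, is in scope until the stored number has been removed.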

 
2.3.2.3 Online Payments

axis diplomat can create an automatic email that is sent to your customer as part of the usual order entry process. That email contains a link to a payment page hosted by axisfirst (for example, on your axis vMerchant website if you have one) where they make the payment in the same way as checking out on your website. In conjunction with the token mechanism described above, they would only need to do this once, as future telephone or web orders could be paid using the saved card details.

 
2.3.2.4 Payment Portal

If you implement both of the processes above then you may find that the only payments you need to take over the phone are those from customers who do not have an email address, are not near a computer or do not want to enter their card details into a website.

This remaining number may be small enough for you to manage the inconvenience of using a payment terminal. Alternatively, your card provider may permit the use of a device with a web browser that is not attached to your network to enter payments using your Payment Service Provider's online portal. That device is itself handling card data, so it should be dedicated to the task, kept up to date and never joined to your office WiFi or used for email and general browsing. If you do this with Opayo (via their website) then axis diplomat can automatically import the payment details and match them to a sales order.

 

2.3.3 Which solution is best?

If you only ever take card payments on your axis vMerchant website and not by any other means then the vMerchant PSP checkout should keep card data off your own systems (you would typically self-assess under SAQ A).

If you take telephone orders but are happy to accept payment only with cards which the customer has previously used for a payment on your axis vMerchant website (and for which you therefore hold a token) then consider implementing Opayo Tokens.

If you take telephone orders and need to be able to accept payments using cards for which you hold no token then consider an online payment portal and/or using Aeriandi AgentPay in conjunction with Opayo.

 

 

2.5 Disclaimer

The information, advice and opinions shown above represent our understanding at the time of publication (April 2017). axisfirst are not Qualified Security Assessors (QSA) or PCI DSS Consultants.

axisfirst always recommends that you consult the services of a QSA or qualified PCI DSS Consultant before making decisions regarding payment card security.
