2. PCI DSS (Payment Card Industry Data Security Standard)
The Payment Card Industry (a forum including American Express, JCB, MasterCard and Visa) sets very high standards for data security for anyone handling details of customers' credit and debit cards, and the standards only get more stringent with each new release of PCI DSS.
Arguably, this is as it should be, since this is highly sensitive information and the threat is very real - according to FFA UK, fraud losses on UK-issued cards totalled £567.5 million in 2015. In addition, the fines for data loss are punitive (in the region of €20,000 per loss).
The requirements placed on the IT infrastructure of the typical SME are, however, so onerous that the general advice is that it is better to avoid any interaction with your customers' card details. This applies not only to storing them but also to implementing systems so that they do not pass through your hands in the first place. In PCI DSS terminology this is referred to as taking your systems out of scope.
In essence, this is dealing with the problem of card security by avoiding the need for it!
2.1 What is covered by PCI DSS?
Whilst some may think that PCI DSS is all about website security, it isn't! The requirements of PCI DSS apply to all of your business's interactions with customers' credit and debit cards, including:
- Payments via your website
- Payments over the phone
- Customers paying using a Chip & Pin terminal (wired, WiFi and Cellular)
PCI DSS is also not only about IT - it covers your internal processes should you have a manual (paper-based) backup system for when your network, Internet connection or power supply is down.
2.2 Can axisfirst advise me on achieving PCI DSS compliance?
No! Advice, guidance and assessment for PCI DSS needs to be performed by a Qualified Security Assessor, or QSA, and axisfirst is not a QSA.
There are individuals working as QSA consultants and a number of specialist companies offering QSA services - one will probably have been recommended to you by your acquiring bank but a simple web search will identify many more.
QSAs exist to provide consultancy to companies on PCI DSS compliance and will charge commercial consultancy rates for their advice - and, because they are offering a highly specialist service that requires a very particular skill set, these services generally carry a significant premium. Daily rates are certainly in the four-figure bracket and a PCI DSS assessment will invariably take a number of days.
2.3 Taking your systems out of scope
If you need to be fully PCI DSS compliant, you will need to budget for an annual inspection by a QSA, subscribe to regular penetration tests of your website and network and then budget to implement their recommendations.
Alternatively, you can aim to put your ICT infrastructure and your website out of scope by ensuring that customers' card details never touch them! Assuming that you still want to accept card payments, there are a number of ways of addressing this.
2.3.1 Website
All axis vMerchant websites built by axisfirst will use hosted payment pages provided by the Payment Service Provider (PSP); typically Opayo.
This means that, at the point your customer supplies their card details during the checkout process, they are not on your axis vMerchant website or web server at all but on the Payment Service Provider's site.
You should ensure that you obtain a certificate of PCI compliance from the Payment Service Provider at least annually.
2.3.2 Telesales
Taking card details over the phone (known in the banking world as MOTO - Mail Order/Telephone Order) and processing them in a way that keeps your network out of scope is a more complex situation than your website.
If, for example, you record any telephone calls and those call recordings include people reading out their card details then (assuming those call recordings are accessible on your network) this brings your entire network under the requirements of PCI DSS.
Even if you do not record calls, if card details are spoken and your telephone calls use VoIP (Voice over IP), whether from a computer or dedicated phone system, then your phone system and all or a part of your ICT infrastructure may fall into the scope of PCI DSS.
Similarly, if you type customers' card details into software, even a web browser, and that software runs on a machine on your network then, again, a part or all of your network comes within the scope of PCI DSS.
There are a number of options for handling MOTO payments whilst avoiding the card details passing through your network - either by using a specialist third-party service (such as Aeriandi AgentPay) or by taking steps to reduce the number of occasions when you need to take payments over the phone. Any remaining situations can be processed manually using a payment terminal ("PDQ" machine) or a web browser not on your network (such as a tablet using the cellular 3G/4G network) to enter the payment via a PSP's payment portal.
Remember also that other company policies can help reduce the need for phone-based payments - for example, charging for delivery on telephone orders but offering free delivery on web orders.
2.3.2.1 Aeriandi Opayo
Aeriandi AgentPay sits between your telesales operator and your customer and masks the card details from the phone call whilst simultaneously passing those details to the PSP for processing. The payment transaction details are then passed to axis diplomat in the same way that web transactions would be.
Whilst on the phone, the customer is asked to enter their card details using their phone keypad (using touch-tones, or "DTMF"). Alternatively, they can read out their card details and Aeriandi will capture them using voice recognition. The card details are filtered from the call before it reaches your phone system or network. Your telesales operator stays on the line but cannot hear the card details and does not have to process the payment themselves.
axis diplomat can support Aeriandi AgentPay when used in conjunction with Opayo as the Payment Service Provider.
2.3.2.2 Tokens
Opayo offer a facility known as Opayo Tokens. This mechanism means that anyone using your website checkout has the ability to save their card details for future use. The card details are saved by Opayo and then simply referenced by a unique Token or ID. This allows returning visitors to pay using a saved card whilst still keeping your website out of scope for PCI DSS, as the card details are not stored on it.
Token details can be imported into axis diplomat from your axis vMerchant website (along with the sales order) and are then available for future telesales orders from the same customer. This means that you do not need to take card details from callers who are making repeat purchases provided that they want to re-use a card that they have previously used on your website.
2.3.2.3 Online Payments
axis diplomat can create an automatic email that is sent to your customer as part of the usual order entry process. That email contains a link to a payment page hosted by us (for example, on your axis vMerchant website if you have one) where they make the payment in a similar manner to checking out on your website. In conjunction with the token mechanism described above, they would only need to do this once, as future telephone or web orders could be paid using the saved card details.
2.3.2.4 Payment Portal
If you implement both processes above then you could find that the only payments you need to take over the phone are those for customers who don't have an email address, are not near a computer or do not like entering their card details into a website.
This remaining number may be small enough for you to manage the inconvenience of using a payment terminal. Alternatively, your card provider may permit the use of a device with a web browser that is not attached to your network to enter a payment using your Payment Service Provider's online portal. If you do this with Opayo (via their website) then axis diplomat can automatically import the payment details and match them to a sales order.
2.3.3 Which solution is best?
If you only ever take card payments on your axis vMerchant website and not by any other means then the vMerchant PSP checkout should ensure that you remain out of scope.
If you take telephone orders but are happy to accept payment using only those cards which the customer has previously used for a payment on your axis vMerchant website (and for which you therefore have a token) then consider implementing Opayo tokens.
If you take telephone orders and need to be able to accept payments using card(s) for which you have no token then consider an Online Payment portal and/or using Aeriandi AgentPay in conjunction with Opayo.
2.4 References
2.5 Disclaimer
The information, advice and opinions shown above represent our understanding at the time of publication (April 2017). axisfirst are not Qualified Security Assessors (QSA) or PCI DSS Consultants.
axisfirst always recommends that you consult the services of a QSA or qualified PCI DSS Consultant before making decisions regarding payment card security.