Improving Payment Card Security and PCI DSS Compliance
- Introduction
- Common Misconceptions
- Taking Systems Out of Scope
- Websites
- Telesales
- Further Information
Introduction
PCI, the Payment Card Industry (a forum including American Express, JCB, MasterCard and Visa), sets very high standards of data security for anyone handling details of customers' credit and debit cards, through its Data Security Standard (DSS).
The security requirements laid out in PCI DSS only become more stringent with each new release. Fines and penalties for non-compliance are punitive, quite apart from the reputational damage that results from a data loss. Fines for a data breach usually run into tens of thousands of pounds. If you are suspected of having had a data breach (by being identified as a "Common Point of Purchase", or CPP) you will be required to engage a PCI Forensic Investigator, and the cost of this investigation may also run into thousands of pounds.
Common misconceptions regarding PCI DSS
"PCI DSS only applies to my computer system"
No, PCI DSS is not just about your IT infrastructure. It covers your entire business process, right down to laying down recommendations and stipulations on the background security checks that you are expected to carry out when employing staff who will come into contact with payment cards.
"PCI DSS doesn't apply if I don't store card details"
No, PCI DSS refers throughout to transmitting card data as well as storing it. This means if you only type a customer's card details into software, even just a web browser, then that computer, the entire network it is attached to, and the member of staff doing it, all fall within the scope of PCI DSS.
"I subscribe to quarterly Penetration Testing so I'm PCI Compliant"
No. Penetration Testing (whereby software attempts to 'hack' into your systems via the Internet) may check that your network and servers are secure from outside attack. There are many other requirements that external Penetration Tests do not cover, such as ensuring that your WiFi is secure, that all software and anti-virus software is correctly configured and kept up to date, and that you maintain full access logs.
"There is no alternative to expensive and onerous PCI Compliance"
Fortunately, for most small and medium-sized businesses, there is!
The alternative is to take your systems "out of scope". If you, your staff and your IT infrastructure never come into contact with card details at all, then PCI DSS may not apply to those systems.
Taking Systems Out of Scope
Websites
Traditionally, this has always been the easiest aspect of your business to take out of scope. Every axis vMerchant website built by axisfirst, for example, uses hosted payment pages provided by your Payment Service Provider (PSP), usually Opayo (formerly SagePay). Your customer enters their card details into a form that is actually running on the PSP's server, not yours, so the card details never pass through your web server. The PSP then provides a unique transaction reference that allows you to take payment without ever knowing the card details.
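A way to confirm that claim on your own systems, added here as an illustration rather than code from axisfirst or Opayo: scan your web server's request logs for anything that passes the Luhn check of a card number. A correctly configured hosted-payment return should only ever carry the PSP's transaction reference. The log lines, the field names and the "txref" parameter are constructed for the example.

```python
"""Scope-leak check: confirm primary account numbers (PANs) never reach the
merchant's own web server.  Added example; log lines are constructed."""
import re

# Candidate 13-19 digit runs, allowing a space or dash between groups.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, which every genuine card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the digit strings in `text` that look like real card numbers."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows on display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# Constructed log lines: a hosted-payment return carrying only a PSP
# transaction reference (nothing in scope), a leak where a card number was
# posted straight to the merchant's site, and a 16-digit id that fails Luhn.
SAMPLE_LOG = [
    "POST /checkout/return order=ORD-1001&status=OK&txref=PSP-TX-0001",
    "POST /checkout/pay card=4111111111111111&exp=1227&cvv=123",
    "GET /orders/5123 id=4111111111111117",
]


def scan_log(lines: list[str]) -> dict[int, list[str]]:
    """Map each offending line number to the masked PANs found on it."""
    return {n: [mask_pan(p) for p in find_pans(line)]
            for n, line in enumerate(lines, 1) if find_pans(line)}
```

Any hit means card data is entering your systems and the "out of scope" argument no longer holds for that server and its network.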
Telephone Payments
Until now, taking card payments from customers on the 'phone has inevitably meant that large parts of your business fall within the scope of PCI DSS. A number of modules available for axis diplomat 2024 now make it possible to take card payments without coming into contact with the card details themselves.
The axis diplomat 2024 Aeriandi / Opayo Interface uses a third-party solution that captures card details from the phone call whilst masking them from your staff. These details are passed to Opayo, and a unique transaction ID is then imported into axis diplomat in the same way as for a website transaction. This is the recommended solution for those with VoIP or call-recording phone systems.
axis diplomat 2024 Opayo Tokens uses an optional bolt-on service from Opayo to allow customers to store their card details via your website for future use. The card details are stored by Opayo so do not affect your PCI compliance. Those tokens are available when they make subsequent purchases on your website but also available to telesales staff to take payment within axis diplomat - either for an order or for payments on account.
The axis diplomat 2024 Online Payments module allows you, when filing a sales order, to send an email that contains a link to an online payment form and has a Pro Forma Invoice attached. Once the customer has used this mechanism, and provided it is used in conjunction with the Opayo Tokens module described above, subsequent orders can be paid using the stored card.
For situations where you still need to take card details over the phone, you can use the axis diplomat 2024 Opayo Terminal Payments module to enter card details into Opayo's online website portal ("MySagePay"). In order to keep your network out of scope, one suggestion is to do this via an iPad or similar tablet running over the 3G/4G mobile network rather than using your company WiFi. Those payment details are then imported automatically into axis diplomat and matched to the appropriate sales order.
axis portal
For those without an axis vMerchant website (particularly those for whom an eCommerce website is not appropriate, such as bespoke engineering or service-driven companies), axis portal allows you to offer your customers online card management with tokens and online payment of Pro Forma invoices.
Further Information
For more information on these modules, please visit:
https://www.axisfirst.co.uk/software/axisdiplomat/modules/Payment-Card-Security/16717
For further information on axis portal, please visit:
https://www.axisfirst.co.uk/web/portal/
For further information on Aeriandi's solution, please visit:
https://www.aeriandi.com/services/pci-phone-payments/
To find out more about card payment options for axis diplomat 2024, please call us or use our contact form.
DISCLAIMER axisfirst is not a Qualified Security Assessor (QSA) and the information provided above is purely based on our interpretation of the PCI DSS stipulations. If you are in any doubt, we strongly recommend that you consult with a QSA. A number of QSAs can be found via the Internet or your bank may be able to help you further.