15 Apr 2015

PCI Compliance

Whether you are running a global enterprise or a small business, protecting sensitive data and mitigating risk is a complex responsibility and not something that can be done alone. The process becomes more complex and demanding every year.
Although we, with our IT background, once attempted to help our customers complete their PCI documents as a goodwill gesture, the complexity involved and the fact that we are not accredited by the PCI Security Standards Council mean we are no longer able to do so.
To help you understand what you need to do in relation to PCI compliance, we have written this guide.

What is PCI Compliance?

Once upon a time the responsibility for security sat solely with the banks. In 2006 the PCI Security Standards Council was set up by five of the main card brands to educate merchants and monitor their security measures, and liability has since been passed back to the merchants. It is now the merchant's sole responsibility to prove that they are secure and therefore meet the security standards set out by the Security Standards Council, known as PCI compliance. By being PCI compliant you demonstrate, as a merchant, that you have taken all reasonable steps to ensure that fraudulent transactions are not caused by insecure practices on your own side.

The main basis of PCI compliance is that you check that anywhere cardholder data is stored, collected, processed or transmitted by your company, this is done with sufficient security measures in place. The aim is to ensure that cardholder details cannot be accessed by anyone other than the banks and financial institutions they are being transmitted to.

Further information can be found online at the PCI Security Standards Council website.

Nowadays, if you are not PCI compliant, some banks will charge you a non-compliance fee to help cover the cost of fraudulent transactions should they ever occur.

I have received a request from my bank to prove I am PCI Compliant. What do I do?

Customers faced with completing PCI compliance should go to a Qualified Security Assessor (QSA) for assistance. A list of some service providers can be found below.

We may look to qualify as a QSA ourselves one day as an add-on service to our business, but in the meantime all customers should go to a Qualified Security Assessor.

Qualified Security Assessors will be able to help with the complexities of the self-assessment questionnaires, and also with implementing procedures to ensure you are secure as a business and are able to demonstrate that you are PCI compliant.

Easitill is my supplier should they not be responsible in helping me with PCI Compliance?

Cardholder data security is solely the responsibility of merchants and their third-party merchant services provider, such as YesPay, Worldpay etc.
In the past we have attempted to help out of goodwill; however, as we are not approved by the PCI Security Standards Council, we are unable to continue to help because of the liabilities and legal implications involved.
Easitill are also not involved with the collection, processing or storing of cardholder data within our systems. This is all done through third-party payment providers/merchant service providers such as YesPay, Worldpay etc.

Does the Easitill EPoS system collect, process or store Cardholder Data?

No. As your EPoS or website supplier, Easitill do not collect, store, process or transmit cardholder data (CHD) within the software or IT systems we supply. This is all handled by the third-party payment providers.

Card services are all handled by third-party merchant service providers: for in-store payments this is your Chip & PIN provider, e.g. YesPay, Worldpay etc., and for e-commerce websites it is your payment gateway provider, e.g. SagePay, Paypoint.

If, however, you take cardholder-not-present/mail-order card details (for example, card numbers written down or keyed in from a telephone order), then there is a certain amount of liability on you to ensure these details are secured, disposed of correctly and cannot get into the wrong hands. Your QSA will want to know where and how such details are handled, as this affects which self-assessment questionnaire applies to you.

Surely once I've completed PCI Compliance I don't need to do it again?

Attestation and completion of the PCI compliance forms and checks must be carried out annually and provided to your bank annually. An attestation is only valid for 12 months, and your security measures should be reviewed regularly in between. Depending on which self-assessment questionnaire applies to you, quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) may also be required.

PCI Compliance Qualified Security Assessors:

Security Metrics
Website: www.securitymetrics.com
Tel: 0844 561 1662
Address: Victory House, 400 Pavilion Dr.,
Northampton Business Park, Northampton, NN4 7PA, UK

Ambersail
Website: www.ambersail.com
Tel: 01925 600062
Address: Walton Lodge, Hill Cliffe Road, Warrington. WA4 6NU, UK

Trustwave
Website: www.trustwave.com
Tel: 0845 456 9611
Address: EMEA Headquarters, Westminster Tower, 3 Albert Embankment,
London, SE1 7SP, UK

Others can also be found online.

Easitill's Role in PCI Compliance

Easitill are happy to answer any questions from your Qualified Security Assessor about how your EPoS and website are set up, to help them get you PCI compliant.
Some questions relating to the third-party payment gateways/merchant service providers (e.g. YesPay, Worldpay) may need to be addressed to them directly. Each payment provider also holds its own PCI DSS attestation of compliance, which they will provide to you on request if required for your own attestation.

Please put your QSA in touch with our support team if they have any queries about the nature of the set-up, on 01604 882030 or by email at support@easitill.co.uk