PCI DSS is the harmonisation of standards originally written by Visa and MasterCard in order to establish a standard set of requirements throughout the payment card industry.
The standard is mandatory to merchants and payment gateways that store, process or transmit cardholder data.
PCI DSS protects customer card data from fraudulent activity, making online shopping safer by ensuring merchants securely process, transmit, and store card data.
Some of the requirements include:
PCI DSS compliance operates on four levels, with Level 1 being the highest level of compliance. CreditCall has been a PCI DSS Level 1 certified payment gateway under the Payment Card Industry Data Security Standard for 5 consecutive years.
CreditCall is responsible for securing all customer data, including credit and debit card data, which is solely in our possession and under our control. We comply with PCI DSS, which sets out the industry standards for maintaining a secure environment for this data.
For more details, please view our PCI DSS certificate of compliance.
Additionally, CreditCall is independently audited annually by a Visa Qualified Security Assessor (QSA) and is subject to rigorous security vulnerability scanning every three months.
eKashu Online Payment Page
If you use CreditCall's eKashu Online Payment Page you may not need to undergo a PCI DSS audit but will be required by your acquirer to self-certify that you are compliant.
With the Payment Page systems, the collection and storage of card details are carried out by CreditCall and are covered by our PCI DSS approval. This simplifies compliance with PCI DSS for you.
Virtual Terminal (Mail Order/Telephone Order - MOTO)
If you plan to use CreditCall's Virtual Terminal and collect the card details in order to enter them into the Terminal, it is advisable that you read through the PCI DSS requirements to make sure that you adhere to the best practice guidelines.
If you process a very small number of transactions in this way, then it is advisable for you to make sure that you destroy any cardholder data once you have entered it into the Virtual Terminal, so that you never store any cardholder data yourself.
Merchants using CardEaseXML directly integrated within their website collect card details on their site before sending them to CreditCall. If you choose to use CardEaseXML you will need to ensure that you are PCI DSS compliant. The level of compliance will depend upon the number of transactions processed per year.
Alternatively, if you would like to find out whether PCI DSS affects you and to what level, take a look at the table below. Merchants are currently categorized into 4 levels, namely:

| Level | Merchant criteria | Validation requirements |
|---|---|---|
| Level 1 | Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year. Any merchant that has suffered a hack or an attack that resulted in an account data compromise. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimise risk to the Visa system. Any merchant identified by another payment card brand as a Level 1. | Requires an Annual Onsite Security Audit + Quarterly Network Scan. |
| Level 2 | Any e-commerce merchant processing 150,000 to 6,000,000 Visa transactions per year. | Requires an Annual Self Assessment Questionnaire + Quarterly Network Scan. |
| Level 3 | Any e-commerce merchant processing 20,000 to 150,000 Visa transactions per year. | Requires an Annual Self Assessment Questionnaire + Quarterly Network Scan. |
| Level 4 | All other merchants, regardless of acceptance channel. | Strongly recommended: an Annual Self Assessment Questionnaire + Annual Network Scan. |
Depending on your level of classification in the above table, you can either carry out a self-assessment or you will need a specialist company known as a QSA (Qualified Security Assessor) to audit your business.
If you fail an audit you will be given a period of time to make the recommended changes to your security procedures. If you refuse to comply with the audits or if you experience a security breach, you may be subject to heavy fines and, in extreme cases, you may be prevented from accepting cards.