Payment Card Industry Data Security Standard (PCI DSS)

What is PCI DSS?

PCI DSS is the harmonisation of standards originally written by Visa and MasterCard in order to establish a standard set of requirements throughout the payment card industry.

The standard is mandatory to merchants and payment gateways that store, process or transmit cardholder data.
 

Why is PCI DSS necessary?

PCI DSS protects customer card data from fraudulent activity - making online shopping safer by
ensuring merchants securely process, transmit, and store card data.

Some of the requirements include:

• Install and maintain a firewall configuration to protect data
• Do not use vendor-supplied defaults for passwords or other security parameters
• Protect stored data
• Encrypt the transmission of cardholder data and sensitive information
• Use and regularly update anti-virus software
• Develop and maintain more secure systems and applications
• Restrict access to data by business need-to-know
• Assign a unique ID to each person with computer access
• Restrict physical access to cardholder data
   

CreditCall is a PCI DSS Level 1 Certified Payment Service Provider

PCI DSS compliance operates on four levels, with Level 1 being the highest level of compliance. CreditCall has been a PCI DSS Level 1 certified payment gateway under the Payment Card Industry Data Security Standard for 5 consecutive years.

CreditCall is responsible for securing all customer data, including credit and debit card data, which is solely in our possession and under our control. We comply with PCI DSS, which sets out the industry standards for maintaining a secure environment for this data.

For more details, please view our PCI DSS certificate of compliance.
 

Annual Auditing to ensure Highest Security Standard

Additionally, CreditCall is independently audited annually by a Visa Qualified Security Assessor (QSA) and is subject to rigorous security vulnerability scanning every three months.

You can confirm CreditCall’s approval status on the Visa country specific websites Visa Europe and Visa USA.
 

Does PCI DSS affect CreditCall customers?

eKashu Online Payment Page
If you use CreditCall's eKashu Online Payment Page you may not need to undergo a PCI DSS audit but will be required by your acquirer to self-certify that you are compliant.

With the Payment Page systems, the collection and storage of card details is carried out by CreditCall and is covered by our PCI DSS approval. This simplifies compliance with PCI DSS for you.

Virtual Terminal (Mail Order/Telephone Order - MOTO)
If you plan to use CreditCall's Virtual Terminal and collect the card details in order to enter them into the Terminal, it is advisable that you read through the PCI DSS requirements to make sure that you adhere to the best practice guidelines.

If you process a very small number of transactions in this way, then it is advisable for you to make sure that you destroy any cardholder data once you have entered it into the Virtual Terminal, so that you never store any cardholder data yourself.

CardEaseXML
Merchants using CardEaseXML directly integrated within their website collect card details on their site before sending them to CreditCall. If you choose to use CardEaseXML you will  need to ensure that you are PCI DSS compliant. The level of compliance will depend upon the number of transactions processed per year.

Four Levels of PCI DSS compliance

Alternatively, if you would like to find out whether PCI DSS affects you and to what level, take a look at the table below. Merchants are currently categorized into 4 levels, namely:

Level 1	Any merchant - regardless of acceptance channel - processing over 6,000,000 Visa transactions per year. Anymerchant that has suffered a hack or an attack that resulted in an account data compromise. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimise risk to the Visa system Any merchant identified by another payment card brand as a Level 1. Requires an Annual Onsite Security Audit + Quarterly Network Scan.
Level 2	Any e-commerce merchant processing 150,000 to 6,000,000 Visa transactions per year. Requires an Annual Self Assessment Questionnaire + Quarterly Network Scan.
Level 3	Any e-commerce merchant processing 20,000 to 150,000 Visa transactions per year. Requires an Annual Self Assessment Questionnaire + Quarterly Network Scan.
Level 4	All other merchants, regardless of acceptance channel Strongly recommended an Annual Self Assessment Questionnaire + Annual Network Scan.

How do I comply?

Depending on your level of classification in the above table, you can either carry out a self-assessment or you will need a specialist company known as a QSA (Qualified Security Assessor) to audit your business.

If you fail an audit you will be given a period of time to make the recommended changes to your security procedures. If you refuse to comply with the audits or if you experience a breach in security, you may be subjected to heavy fines and in extreme cases you may be prevented from accepting cards.

© 2012 CreditCall All Rights Reserved

Contact Us  l  Site Map  l  Legal Notices  l  Terms of Use  l  Your Privacy Rights  l  Site by Contrast