
What is PCIDSS?
PCIDSS stands for Payment Card Industry Data Security Standard
It is the security scheme introduced by the credit card issuers - Amex, Visa, MasterCard etc.
The scheme was created to rebuild the trust between purchasers, card brands and vendors
The scheme will ensure all merchants protect the data they are given during and after a transaction
The scheme is aligned with other consumer data protections and ensures credit card information is secured
What is the "Annual Compliance Scan"?
The scan is an annual check of vendors to make sure they are complying with card data standards
Typically a senior executive must answer a series of questions covering online and offline management of cardholder data
You must pass this assessment to be able to take card payments
Who does it affect?
Anyone who takes a credit card payment
All traders who take credit card payments are affected
There are different expectations and requirements for vendors covering every transaction type including shops, stores, cafes, restaurants, gas stations, exhibitors, trade shows, telephone orders, online carts etc.
From the smallest one-person business to the largest global multi-nationals
Every trader, dealer, merchant, retailer, wholesaler, manufacturer and business that takes card payment must secure and protect the data they receive to process a credit card transaction
Will it affect my MemberGate site?
Yes, if you already have or intend to have paying subscribers
All web sites taking card payment must comply with PCIDSS
Including membership and subscription sites
Why should I care?
You could be put out of business
There are a series of penalties for not paying due care and attention to the collection, storage and security of the data used in a credit card transaction
Fines and penalties can be applied for each instance of failure
Credit card facilities can be placed on hold or even removed
I've just got my annual PCIDSS Check-up.
What do I have to do?
Your merchant provider or payment gateway will expect you to pass an annual PCIDSS check
Depending on who they have licensed to run these checks the questions may be different - but the objective is the same
You will be expected to know how you capture, process, store and destroy the data you acquire for every card transaction
The more ways you take payment, the more systems you must have in place to manage and protect the data
How are MemberGate helping?
What are Tokens?
We have already rolled out a major update to ensure MemberGate Infinity meets the current standard
MemberGate Infinity does not store the card details but uses a 'Token' provided by the Payment Gateway
The Payment Gateways must provide the highest level of data security, so any site using their Token Systems is covered by the Payment Gateway
This means MemberGate sites can pass the PCIDSS checks at the simplest level as no card data is stored on the MemberGate site or server
Why can't the MemberGate team complete my form?
We can't complete the forms on your behalf
Most of the questions are about the different ways you take card payment and how you handle the data you collect
Only you can answer these questions about your business practices and systems
We can tell you that using the Token System you do not hold any card info, only your payment gateway does
What are SHA-2 and What is TLS 1.2?
Does MemberGate support them?
These are the upcoming minimum security standards being adopted by all Internet Service Providers.
SHA-2 comes into force on Jan 1st 2017
TLS is a newer and more advanced secure protocol and replaces SSL, increasing secure communications and protecting client data when processing transactions.
TLS standards must be adopted by June 30th 2018
MemberGate is already set to work with these protocols
Can I take Phone Orders?
Yes, as long as you have appropriate systems
By taking orders in any other way - over the phone, fax, at a show, in a store etc. - you will be expected to have systems to protect, store and destroy the data
Each different method will require a different system and to be able to take payments online you must also pass the tests for other payment methods
Is there an 'easy' way to pass the compliance test?
Yes, if you choose to only use your MemberGate site for card transactions
MemberGate Infinity supports 'Token' payments - so no card details are stored. Ever.
They are encrypted and sent to the Payment Processor
Therefore, your site can pass quickly and easily and your Payment Processor provides all the data management resources
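As an added illustration of the token flow described in the Tokens and 'easy way' answers above (this is not MemberGate's or any gateway's real code; the gateway, site and token format are constructed stand-ins): the site hands the card number to the gateway once, keeps only the returned token for later charges, and a scan of what the site persists confirms that no Luhn-valid card number survives, which is the claim an assessor will ask you to back up.

```python
import re
import secrets

# Constructed stand-ins for the two parties in a token flow. Names and the
# token format are assumptions, not any real payment gateway's API.

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell a real-looking card number from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

class FakeGateway:
    """Stand-in for the processor's vault: card number in, opaque token out."""
    def __init__(self):
        self.vault = {}         # only the gateway ever holds the PAN
    def tokenize(self, pan: str, expiry: str) -> str:
        # short hex groups so a token can never look like a 13-19 digit PAN
        token = "tok_" + "-".join(secrets.token_hex(2) for _ in range(4))
        self.vault[token] = (pan, expiry)
        return token
    def charge(self, token: str, amount_cents: int) -> bool:
        return token in self.vault and amount_cents > 0

class MembershipSite:
    """The merchant side: subscriber records carry the token, never the PAN."""
    def __init__(self, gateway: FakeGateway):
        self.gateway = gateway
        self.subscribers = {}
    def subscribe(self, email: str, pan: str, expiry: str) -> str:
        token = self.gateway.tokenize(pan, expiry)   # PAN handed off at once
        self.subscribers[email] = {"token": token, "last4": pan[-4:]}
        return token
    def renew(self, email: str, amount_cents: int) -> bool:
        return self.gateway.charge(self.subscribers[email]["token"], amount_cents)

PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def find_stored_pans(records) -> list:
    """Scan anything the site persists (records, logs, exports) for Luhn-valid PANs."""
    return [m for m in PAN_RE.findall(repr(records)) if luhn_ok(m)]
```

Run the same scan over your web-server and application logs: a card number that was never written to the database but was echoed into a log line still counts as stored cardholder data.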
Which Payment Processors Do MemberGate Support?
Stripe
SagePay
Authorize.Net
PayflowPro