FAQ - Payment Card Industry Data Security Standard - PCI DSS


What is PCI DSS?

PCI DSS stands for Payment Card Industry Data Security Standard
It is the security standard maintained by the PCI Security Standards Council, which was founded by the card brands (American Express, Discover, JCB, MasterCard and Visa)
The standard was created to rebuild the trust between purchasers, card brands and vendors after a series of card data breaches
It requires every merchant to protect the cardholder data they are given during and after a transaction
It sits alongside other consumer data protection rules and ensures credit card information is secured wherever it is captured, transmitted or stored

What is the "Annual Compliance Scan"?

Despite the name, the annual check most merchants face is a questionnaire rather than a scan: the PCI DSS Self-Assessment Questionnaire (SAQ), which asks how cardholder data is handled both online and offline
An officer of the business answers the questions and signs the attestation of compliance
Depending on which questionnaire applies to you, quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) may also be required
You must pass this assessment to be able to take card payments

Who does it affect?

Anyone who takes a credit card payment
All traders who take credit card payments are affected
There are different expectations and requirements depending on the transaction type: shops, stores, cafes, restaurants, gas stations, exhibitors, trade shows, telephone orders, online carts and so on
From the smallest one-person business to the largest global multi-nationals
Every trader, dealer, merchant, retailer, wholesaler, manufacturer and business that takes card payment must secure and protect the data they receive to process a credit card transaction

Will it affect my MemberGate site?

Yes, if you already have or intend to have paying subscribers
All websites taking card payment must comply with PCI DSS
Including membership and subscription sites

Why should I care?

You could be put out of business
There is a series of penalties for not taking due care over the collection, storage and security of the data used in a credit card transaction
Fines and penalties can be applied for each instance of failure
Your card processing facilities can be placed on hold or even withdrawn

I've just got my annual PCI DSS check-up.
What do I have to do?

Your merchant provider or payment gateway will expect you to pass an annual PCI DSS check
Depending on who they have licensed to run these checks the questions may be worded differently, but the objective is the same
You will be expected to know how you capture, process, store and destroy the data you acquire for every card transaction
The more ways you take payment, the more systems you must have in place to manage and protect the data

How is MemberGate helping?
What are Tokens?

We have already rolled out a major update to ensure MemberGate Infinity meets the current standard
MemberGate Infinity does not store the card details; instead it uses a 'Token' provided by the Payment Gateway, a reference that stands in for the card and is useless to anyone who steals it
The Payment Gateways are themselves validated against PCI DSS as service providers, and a site that only ever handles the gateway's token keeps card data out of its own systems
This means MemberGate sites can answer the shortest questionnaire, as no card data is stored on the MemberGate site or server
Note that tokenization reduces your scope, it does not remove your responsibility: you still have to complete the questionnaire, keep the site patched and serve it over TLS, and the exact questionnaire you qualify for depends on whether the card form is delivered by the gateway (a hosted page or iframe) or by the gateway's JavaScript running on your own page

Why can't the MemberGate team complete my form?

We can't complete the forms on your behalf
Most of the questions are about the different ways you take card payment and how you handle the data you collect
Only you can answer these questions about your business practices and systems
We can tell you that, using the Token System, you do not hold any card data; only your payment gateway does

What are SHA-2 and TLS 1.2?
Does MemberGate support them?

These are minimum security requirements imposed by the card brands, payment gateways and browser vendors on the certificates and connections used to take payments
SHA-2 is a family of hash functions used, among other things, to sign the TLS certificate your site presents; certificates signed with the older SHA-1 stopped being trusted by the major browsers and payment gateways from Jan 1st 2017, so your certificate must be SHA-2 signed
TLS is the successor to SSL and protects data in transit, including card details entered on a checkout page
The PCI Security Standards Council required SSL and early TLS (1.0) to be retired by June 30th 2018; TLS 1.2 is the version you should actually be using
MemberGate is already set to work with both
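A practical way to confirm the two points above for your own site or gateway is to open a connection that refuses anything below TLS 1.2 and read the signature algorithm out of the certificate the server presents. The script below is an added example written for this FAQ, not MemberGate or gateway code; it uses only the Python standard library, includes a small DER reader for the certificate's signatureAlgorithm field, and the certificate bytes used to exercise it offline are constructed stand-ins with the real DER layout, not real certificates. The hostname given on the command line is whatever site you want to check.

```python
import socket
import ssl

# Minimal DER reader: enough to walk
#   Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
# and pull the OID out of signatureAlgorithm.
def _tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode DER OID content bytes into dotted form, e.g. 1.2.840.113549.1.1.11."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)  # base-128, high bit set on continuation bytes
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}

def cert_signature_algorithm(der):
    """Name (or dotted OID if unknown) of the algorithm a DER certificate is signed with."""
    tag, start, _ = _tlv(der, 0)                 # outer Certificate SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, tbs_end = _tlv(der, start)             # tbsCertificate: skipped entirely
    _, alg_start, _ = _tlv(der, tbs_end)         # signatureAlgorithm AlgorithmIdentifier
    tag, oid_start, oid_end = _tlv(der, alg_start)
    assert tag == 0x06, "AlgorithmIdentifier must begin with an OID"
    oid = _decode_oid(der[oid_start:oid_end])
    return SIG_ALG_NAMES.get(oid, oid)

def check_policy(tls_version, sig_alg):
    """Pass only if TLS 1.2+ was negotiated and the certificate is SHA-2 signed."""
    problems = []
    if tls_version not in ("TLSv1.2", "TLSv1.3"):
        problems.append(f"negotiated {tls_version}; SSL and early TLS are not allowed")
    if sig_alg not in SIG_ALG_NAMES.values() or "SHA1" in sig_alg.upper():
        problems.append(f"certificate signed with {sig_alg}; SHA-2 required")
    return (not problems, problems)

def probe(host, port=443):
    """Live check of a server: the context refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            version = tls.version()
            sig_alg = cert_signature_algorithm(tls.getpeercert(binary_form=True))
    return version, sig_alg, check_policy(version, sig_alg)

# Constructed test certificates (NOT real certificates): only the three-element
# outer layout and the signatureAlgorithm OID matter to the reader above.
def _der(tag, body):
    assert len(body) < 128               # short-form length is enough for these stand-ins
    return bytes([tag, len(body)]) + body

SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")     # 1.2.840.113549.1.1.5

def constructed_cert(sig_oid_bytes):
    tbs = _der(0x30, _der(0x02, b"\x02"))                       # placeholder tbsCertificate
    alg = _der(0x30, _der(0x06, sig_oid_bytes) + _der(0x05, b""))  # OID + NULL params
    sig = _der(0x03, b"\x00\x00")                               # placeholder BIT STRING
    return _der(0x30, tbs + alg + sig)

if __name__ == "__main__":
    import sys
    version, sig_alg, (ok, problems) = probe(sys.argv[1])
    print(version, sig_alg, "PASS" if ok else "FAIL", *problems, sep="\n")
```

Run it as `python tlscheck.py yoursite.example` (hostname is yours to fill in). A handshake failure before any output means the server would not offer TLS 1.2 at all, which is itself the answer; a PASS only covers the connection and certificate, not the rest of the questionnaire.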

Can I take Phone Orders?

Yes, as long as you have appropriate systems
Taking orders in any other way (over the phone, by fax, at a show, in a store and so on) means you will be expected to have systems to protect, store and destroy the card data you take that way
Each method needs its own controls, and the assessment covers every channel you use: taking payments online does not exempt you from the questions about your other payment methods

Is there an 'easy' way to pass the compliance test?

Yes, if you choose to only use your MemberGate site for card transactions
MemberGate Infinity supports 'Token' payments, so no card details are stored. Ever.
The card details go encrypted over TLS to the Payment Processor, and the site receives only a token
Therefore your site can pass quickly and easily, and your Payment Processor provides all the card data management
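The token approach described in the two sections above only keeps you in the simplest category if card numbers never reach your server, in any field, by any route. The example below is added for this FAQ and is not MemberGate code: it shows a token-only subscription handler that stores the gateway's reference instead of a card, and a guard that refuses any request carrying something that looks like a card number (13 to 19 digits passing the Luhn check), so a PAN pasted into the wrong field cannot end up in your database or logs. The field names, the `tok_...` token format and the `gateway_charge` callable are assumptions made for the example.

```python
import re

# Runs of 13-19 digits, optionally separated by spaces or dashes, not adjoining other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum used by all major card brands; weeds out order numbers and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return the Luhn-valid card-number-like sequences found in text, digits only."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found

class CardDataRejected(Exception):
    """Raised when a request contains a card number; the value itself is never echoed."""

def handle_subscription(form, gateway_charge):
    """Token-only checkout.

    The browser sent the card details straight to the gateway and received a token;
    this server charges via that token and stores only the gateway's reference.
    `form` is a dict of submitted fields; `gateway_charge(token)` is a placeholder for
    the gateway client call and returns the gateway's charge/subscription reference.
    """
    for field, value in form.items():
        if find_pans(str(value)):
            # Report the field name only: logging the value would put a PAN in your logs
            # and drag the logging system into PCI scope.
            raise CardDataRejected(f"field {field!r} contains a card number; send the gateway token instead")
    token = form.get("payment_token")
    if not token:
        raise ValueError("payment_token missing")
    return {"member": form["email"], "payment_ref": gateway_charge(token)}

# Constructed sample requests (not real data); 4242 4242 4242 4242 is a well-known test number.
GOOD_REQUEST = {"email": "member@example.com", "payment_token": "tok_visa_example"}
BAD_REQUEST = {"email": "member@example.com", "notes": "please charge 4242 4242 4242 4242"}

def demo_gateway_charge(token):
    """Stand-in for the gateway client: returns a reference, never touches a card number."""
    return "ch_" + token

if __name__ == "__main__":
    print(handle_subscription(GOOD_REQUEST, demo_gateway_charge))
    try:
        handle_subscription(BAD_REQUEST, demo_gateway_charge)
    except CardDataRejected as e:
        print("rejected:", e)
```

The guard is deliberately placed at the entry point rather than at the database write, because free-text fields (support forms, order notes) are the usual way card numbers leak into systems that were meant to be out of scope.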

Which Payment Processors Does MemberGate Support?

Stripe
SagePay
Authorize.Net
PayflowPro
Further information: download the PCI guidance report (PDF guide)