What is PCIDSS?
PCIDSS stands for Payment Card Industry Data Security Standard
It is the security scheme introduced by the credit card issuers - Amex, Visa, MasterCard etc etc
The scheme was created to rebuild the trust between purchasers, card brands and vendors
The scheme will ensure all merchants protect the data they are given during and after a transaction
The scheme is aligned with other consumer data protections and ensures credit card information is secured
What is the "Annual Compliance Scan"?
The scan is an annual check of vendors to make sure they are complying with card data standards.
Typically a senior executive must answer a series of questions covering online and offline management of cardholder data. You must pass this assessment to be able to take card payments.
Who does it affect?
Anyone who takes a credit card payment.
All traders who take credit card payments are affected.
There are different expectations and requirements for vendors covering every transaction type including shops, stores, cafes, restaurants, gas stations, exhibitors, trade shows, telephone orders, online carts etc etc.
From the smallest one-person business to the largest global multi-nationals.
Every trader, dealer, merchant, retailer, wholesaler, manufacturer and business that takes card payment must secure and protect the data they receive to process a credit card transaction
Will it affect my MemberGate site?
Yes, if you already have or intend to have paying subscribers. All web-sites taking card payment must comply with PCIDSS - including membership and subscription sites
Why should I care?
You could be put out of business.
There are a series of penalties for not paying due care and attention to the collection, storage and security of the data used in a credit card transaction.
Fines and penalties can be applied for each instance of failure
Credit card facilities can be placed on hold or even removed
I've just got my annual PCIDSS Check-up. What do I have to do?
Your merchant provider or payment gateway will expect you to pass an annual PCIDSS check.
Depending on who they have licensed to run these checks the questions may be different - but the objective is the same.
You will be expected to know how you capture, process, store and destroy the data you acquire for every card transaction.
The more ways you take payment, the more systems you must have in place to manage and protect the data.
How are MemberGate helping? What are tokens?
We have already rolled out a major update to ensure MemberGate Infinity meets the current standard.
MemberGate Infinity does not store the card details but uses a 'Token' provided by the Payment Gateway.
The Payment Gateways must provide the highest level of data security, any sites using their Token Systems, are covered by the Payment Gateway.
This means MemberGate sites can pass the PCIDSS checks at the simplest level as no card data is stored on the MemberGate site or server.
Why can't the MemberGate team complete my form?
We can't complete the forms on your behalf.
Most of the questions are about the different ways you take card payment and how you handle the data you collect.
Only you can answer these questions about your business practices and systems.
We can tell you that using the Token System you do not hold any card info, only your payment gateway does.
What are SHA-2 and What is TLS 1.2? Does MemberGate Support Them?
These are the upcoming minimum security standards being adopted by all Internet Service Providers.
SHA-2 comes into force on Jan 1st 2017.
TLS is a newer and more advanced secure protocol and replaces SSL, increasing secure communications and protecting client data when processing transactionsv
TLS standards must be adopted by June 30th 2018.
MemberGate is already set to work with these protocols.
Can I take Phone Orders?
Yes, as long as you have appropriate systems.
By taking orders in any other way - over the phone, fax, at a show, in a store etc etc - you will be expected to have systems to protect, store and destroy the data.
Each different method will require a different system and to be able to take payments online you must also pass the tests for other payment methods.
Is there an 'easy' way to pass the compliance test?
Yes, if you choose to only use your MemberGate site for card transactions.
MemberGate Infinity support 'Token' payments - so no card details are stored. Ever.
They are encrypted and sent to the Payment Processor.
Therefore, your site can pass quickly and easily and you Payment Processor provides all the data management resources.
Which Payment Processors Do MemberGate Support?
- Stripe
- Authorize.Net
- Braintree
Further Information Here: Download this PCI Guidance Report
