
Security & PCI

CISP compliance (Credit Card Scheme Compliance) is required of all service providers that store, process, or transmit cardholder data. The program applies to all payment channels, including retail (brick-and-mortar), mail/telephone order, and e-commerce. Compliance with CISP means compliance with the PCI Data Security Standard with the required program validation. The Payment Card Industry (PCI) Data Security Standard offers a single approach to safeguarding sensitive data for all card brands. Other card companies operating in the U.S. have also endorsed the PCI Data Security Standard within their respective programs.

Using the PCI Data Security Standard as its framework, CISP provides the tools and measurements needed to protect against cardholder data exposure and compromise. The PCI Data Security Standard consists of twelve basic requirements and corresponding sub-requirements, but these can be summarised as follows:

  • Building and maintaining secure networks;
  • Protecting sensitive data;
  • Maintaining a vulnerability management program by developing and maintaining secure systems and applications;
  • Implementing and managing strong access controls;
  • Regularly monitoring and testing networks; and
  • Maintaining information security policies.

Perpetual Payments (via Voice Commerce Group) is PCI Level 1 certified, and its payment services are available globally in multiple currencies to support multiple payment types. Businesses are normally enabled to start accepting payments from their customers via Perpetual Payments on the day they apply. Because of the way our system works, Merchants are saved the time and effort of complying with PCI in their own right, without breaching Visa and MasterCard's mandatory enforcement of the Payment Card Industry Data Security Standard. For completeness, however, we have outlined the full requirements below:

Why must businesses meet the PCI standards?

PCI Standards must be met by all businesses that take credit/debit or paycards from the top four major card industry providers: American Express, Discover, MasterCard and Visa. PCI Compliance Standards are not laws; they are contractual obligations with the credit card companies. Credit card companies may enforce the terms of their contracts by imposing Card Scheme Fee Assessments and/or sanctions against companies who do not comply with the standards of each credit card company.

What happens if my business does not become PCI compliant?

PCI Compliance is a requirement of your contract with the credit card companies. If you do not make your business PCI compliant, you are in violation of your contract. The credit card companies can take the following actions if your business does not abide by the security standards:

  • Visa may charge your business up to $500,000 per incident if your network and the information of consumers is compromised.
  • You may be banned from allowing your customers to use credit cards issued by the company that finds your business non-compliant.
  • If you do not notify the companies of probable or actual violations or thefts of your customers' information, you will also be assessed a Card Scheme Fee Assessment. Again, Visa can charge you as much as $100,000 per incident.
  • Other Card Scheme Fee Assessments may be charged if the credit card company feels that your company's violations pose a risk to the credit card company and/or its members.

Why is PCI compliance important to businesses?

The PCI Compliance regulations were created to protect businesses and individuals. All parties benefit from abiding by the regulations, and companies not complying will face stiff penalties, which will include Card Scheme Fee Assessments and loss of business.

Businesses accepting credit or debit cards, or issuing payroll cards to employees, owe it to themselves and their customers to protect the sensitive data contained in credit/debit card and payroll data.

PCI Compliance is important to businesses issuing paycards because a business' employees are the lifeblood of every organization. If employees' paycards are not protected through PCI Compliance standards, the employees stand to lose the money they have earned. If this happens, the business opens itself up to lawsuits from disgruntled employees.

PCI Compliance is critical for businesses because companies need to protect their bank accounts, the most liquid assets in any organization. Building and maintaining a safe and secure network provides protection against identity theft, one of the fastest growing crimes. These measures protect a company's most valuable resource, its employees.

Here are some other reasons why PCI compliance is important for businesses:

  • Consumers have increased confidence in the paycard industry.
  • Abiding by the regulations minimizes risk and maximizes protection.
  • Merchants' reputations are protected.
  • Businesses gain a competitive edge.
  • Companies enjoy increased revenue and improved bottom lines.
  • Organizations maintain a positive image.
  • Customers are protected.
  • Information is shielded from intrusions by unwanted hackers and other industry thieves.

Merchant PCI Levels

Merchant Level*  Description

Level 1
  • Any Merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year.
  • Any Merchant that has suffered a hack or an attack that resulted in an account data compromise.
  • Any Merchant that Visa, at its sole discretion, determines should meet the Level 1 Merchant requirements to minimize risk to the Visa system.
  • Any Merchant identified by any other payment card brand as Level 1.

Level 2
  • Any Merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year.

Level 3
  • Any Merchant processing 20,000 to 1,000,000 Visa internet or mail-order transactions per year.

Level 4*
  • Any Merchant processing fewer than 20,000 Visa internet or mail-order transactions per year, and all other Merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year.

* New Merchant level definitions effective July 18, 2006.

Compliance validation basics

In addition to adhering to the PCI Data Security Standard, compliance validation is required for Level 1, Level 2, and Level 3 Merchants, and may be required for Level 4 Merchants.

Level  Validation Action (validated by)

Level 1
  • Annual on-site PCI data security assessment (validated by a Qualified Security Assessor, or by internal audit if signed by an Officer of the company)
  • Quarterly network scan (validated by an Approved Scanning Vendor)

Level 2
  • Annual PCI Self-Assessment Questionnaire (validated by the Merchant)
  • Quarterly network scan (validated by an Approved Scanning Vendor)

Level 3
  • Annual PCI Self-Assessment Questionnaire (validated by the Merchant)
  • Quarterly network scan (validated by an Approved Scanning Vendor)

Level 4*
  • Annual PCI Self-Assessment Questionnaire (validated by the Merchant)
  • Quarterly network scan (validated by an Approved Scanning Vendor)

* The PCI DSS requires that all Merchants perform external network scanning to achieve compliance. Acquirers may require submission of scan reports and/or questionnaires by Level 4 Merchants. Validation requirements and dates are determined by the Merchant's Acquirer.

The PCI Self-Assessment Questionnaire is available for download on the Visa CISP website or the MasterCard SDP website. If a Merchant chooses to enrol with one of the association-approved security assessors to perform the system perimeter scan, they may complete the approved assessor's Compliance Questionnaire in lieu of the version posted on Visa's CISP website.