Improving Payment Card Security and PCI DSS Compliance

Introduction

PCI, the Payment Card Industry (a forum including American Express, JCB, MasterCard and Visa), sets very high standards for data security for anyone handling details of customers' credit and debit cards, through its Data Security Standard (DSS).

The security requirements laid out within PCI DSS only get more stringent with each new release of the standard. Fines and penalties for non-compliance are punitive, quite apart from the reputational damage resulting from a data loss. Fines for a data breach usually run into tens of thousands of pounds. If you are suspected of having had a data breach (by being identified as a "Common Point of Purchase", or CPP), you will be required to engage a PCI Forensic Investigator, and the cost of this investigation may also run into thousands of pounds.

Common misconceptions regarding PCI DSS

"PCI DSS only applies to my computer system"

No, PCI DSS is not just about your IT infrastructure. It covers your entire business process, right down to recommendations and stipulations on the background security checks that you are expected to carry out when employing staff who will come into contact with payment cards.

"PCI DSS doesn't apply if I don't store card details"

No, PCI DSS refers throughout to transmitting card data as well as storing it. This means if you only type a customer's card details into software, even just a web browser, then that computer, the entire network it is attached to, and the member of staff doing it, all fall within the scope of PCI DSS.

"I subscribe to quarterly Penetration Testing so I'm PCI Compliant"

No. Penetration Testing (whereby software attempts to 'hack' into your systems via the Internet) may check that your network and servers are secure from outside attack. There are many other requirements that are not tested by external Penetration Tests, such as ensuring that your WiFi is secure, that all software, including anti-virus software, is correctly configured and updated, and that you maintain full access logs.

"There is no alternative to expensive and onerous PCI Compliance"

Fortunately, for most small and medium-sized businesses, there is!

The alternative is to take your systems "out of scope". If you, your staff and your IT infrastructure never come into contact with card details at all, then PCI DSS may not apply to those systems.

Taking Systems Out of Scope

Websites

Traditionally, this has always been the easiest aspect of your business to take out of scope. Every axis vMerchant website built by axisfirst, for example, will use hosted payment pages provided by your Payment Service Provider (PSP), usually SagePay or Pay360. Your customer enters their card details into a form that is actually running on the PSP's server, not yours, so the card details never pass through your web server. The PSP then provides a unique transaction reference that allows you to take payment without ever knowing the card details.
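The following is an added illustration of the hosted-payment-page flow just described; it is not code from axisfirst, SagePay or Pay360. It shows a merchant back end that records only the PSP's transaction reference (and, optionally, a PSP token for repeat payments) against a sales order, and a guard that detects card numbers (PANs) arriving in a callback or appearing in the merchant's own logs, which is the kind of accidental "transmitting" that pulls a system back into scope. The callback field names, the shared secret and the HMAC signature scheme are assumptions for this example; a real PSP documents its own.

```python
"""Hosted-payment-page flow on the merchant side, plus a PAN-detection guard.

Added example: the PSP callback fields, secret and signature scheme are
assumed for illustration and do not describe any real PSP's API.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed shared secret agreed with the PSP (constructed example value).
PSP_SHARED_SECRET = b"example-shared-secret"

# Candidate PANs: 13 to 19 digits, possibly separated by spaces or dashes.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _digits_if_pan(match_text: str) -> Optional[str]:
    digits = re.sub(r"[ -]", "", match_text)
    return digits if 13 <= len(digits) <= 19 and luhn_valid(digits) else None


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid card-number-like sequences found in text."""
    return [d for d in (_digits_if_pan(m.group(0)) for m in _PAN_CANDIDATE.finditer(text)) if d]


def mask_pans(text: str) -> str:
    """Replace each detected PAN with its first six and last four digits only."""
    def _mask(m: re.Match) -> str:
        d = _digits_if_pan(m.group(0))
        return d[:6] + "*" * (len(d) - 10) + d[-4:] if d else m.group(0)
    return _PAN_CANDIDATE.sub(_mask, text)


@dataclass
class SalesOrder:
    order_id: str
    amount_pence: int
    psp_transaction_ref: Optional[str] = None   # the only payment identifier kept
    card_token: Optional[str] = None            # PSP token for repeat payments, never a PAN


def _callback_message(params: Dict[str, str]) -> bytes:
    # Assumed scheme: HMAC-SHA256 over the pipe-joined core fields.
    keys = ("order_id", "amount_pence", "transaction_ref", "status")
    return "|".join(params.get(k, "") for k in keys).encode()


def sign_callback(params: Dict[str, str], secret: bytes) -> str:
    """Simulates the PSP's side: the signature the merchant will later verify."""
    return hmac.new(secret, _callback_message(params), hashlib.sha256).hexdigest()


def verify_psp_callback(params: Dict[str, str], secret: bytes) -> bool:
    """Constant-time check of the PSP signature on an incoming callback."""
    expected = sign_callback(params, secret)
    return hmac.compare_digest(expected, params.get("signature", ""))


def apply_psp_callback(order: SalesOrder, params: Dict[str, str], secret: bytes) -> SalesOrder:
    """Record the PSP transaction reference on the order.

    Rejects callbacks that fail verification, report a failed payment, disagree
    on the amount, or (the scope guard) unexpectedly carry a card number.
    """
    if not verify_psp_callback(params, secret):
        raise ValueError("callback signature invalid")
    if params.get("status") != "OK":
        raise ValueError("payment not successful: %s" % params.get("status"))
    if params.get("amount_pence") != str(order.amount_pence):
        raise ValueError("amount mismatch")
    if find_pans(" ".join(params.values())):
        raise ValueError("card number present in callback: scope breach, do not store")
    order.psp_transaction_ref = params["transaction_ref"]
    order.card_token = params.get("token")      # absent unless a token service is used
    return order


if __name__ == "__main__":
    # Constructed sample log line: the kind of thing that must never be written.
    log_line = "2018-05-01 10:02 order 1001 card 4111 1111 1111 1111 exp 12/20"
    print(find_pans(log_line), mask_pans(log_line))
```

Run the guard (find_pans or mask_pans) over anything the merchant's own systems persist, such as web-server logs, support tickets and e-mail archives, since a single PAN stored there is enough to bring the storing system into scope; the masked form (first six and last four digits) is what PCI DSS permits to be displayed.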

Telephone Payments

Until now, taking card payments from customers on the phone has inevitably meant that large parts of your business fall within the scope of PCI DSS. A number of new modules available for axis diplomat 2018 now make it possible to take card payments without coming into contact with the card details themselves.

The axis diplomat 2018 Aeriandi / SagePay Interface uses a third party solution that captures card details from the phone call whilst masking them from your staff. These details are then passed to SagePay and a unique transaction ID is then imported into axis diplomat in the same way as for a website transaction. This is the recommended solution for those with VoIP or call recording phone systems.

The axis diplomat 2018 SagePay Tokens module uses an optional bolt-on service from SagePay to allow customers to store their card details via your website for future use. The card details are stored by SagePay, so they do not affect your PCI compliance. Those tokens are available when customers make subsequent purchases on your website, but are also available to telesales staff to take payment within axis diplomat, either for an order or for payments on account.

The axis diplomat 2018 Online Payments module allows you to send an email when filing a sales order, with a link to an online payment form and a Pro Forma Invoice attached. If the customer pays this way once then, when used in conjunction with the SagePay Tokens module described above, subsequent orders can be paid using the stored card.

For situations where you still need to take card details over the phone, you can use the axis diplomat 2018 SagePay Terminal Payments module to enter card details into SagePay's online website portal ("MySagePay"). In order to keep your network out of scope, one suggestion is to do this via an iPad or similar tablet running over the 3G/4G mobile network rather than using your company WiFi. Those payment details are then imported automatically into axis diplomat and matched to the appropriate sales order.

Further Information

For more information on these modules, please visit:
https://www.axisfirst.co.uk/software/axisdiplomat/modules/Payment-Card-Security/16717

For further information on Aeriandi's solution, please visit:
https://www.aeriandi.com/services/pci-phone-payments/


To find out more about card payment options for axis diplomat 2018 please call us or use this contact form:


DISCLAIMER axisfirst is not a Qualified Security Assessor (QSA) and the information provided above is purely based on our interpretation of the PCI DSS stipulations. If you are in any doubt, we strongly recommend that you consult with a QSA. A number of QSAs can be found via the Internet or your bank may be able to help you further.
