Improving Payment Card Security and PCI DSS Compliance
PCI, the Payment Card Industry (a forum including American Express, JCB, MasterCard and Visa), sets very high data security standards, through its Data Security Standard (DSS), for anyone handling customers' credit and debit card details.
The security requirements laid out within PCI DSS only get more stringent with each new release of PCI DSS. Fines and penalties for non-compliance are punitive, quite aside from the reputational damage resulting from a data loss. Fines for a data breach usually run into tens of thousands of pounds. If you are suspected of having a data breach (by being identified as a "Common Point of Purchase", or CPP) you will be required to engage a PCI Forensic Investigator, and the cost of this investigation may also run into thousands of pounds.
"PCI DSS only applies to my computer system"
No, PCI DSS is not just about your IT infrastructure. It covers your entire business process, right down to laying down recommendations and stipulations on the background security checks that you are expected to carry out when employing staff who will come into contact with payment cards.
"PCI DSS doesn't apply if I don't store card details"
No, PCI DSS refers throughout to transmitting card data as well as storing it. This means if you only type a customer's card details into software, even just a web browser, then that computer, the entire network it is attached to, and the member of staff doing it, all fall within the scope of PCI DSS.
"I subscribe to quarterly Penetration Testing so I'm PCI Compliant"
No, Penetration Testing (whereby software attempts to 'hack' into your systems via the Internet) may check that your network and servers are secure from outside attack. There are many other requirements that are not tested by external Penetration Tests, such as ensuring that your WiFi is secure, that all software, including anti-virus software, is correctly configured and updated, and that you maintain full access logs.
"There is no alternative to expensive and onerous PCI Compliance"
Fortunately, for most small and medium-sized businesses, there is!
The alternative is to take your systems "out of scope". If you, your staff and your IT infrastructure never come into contact with card details at all, then PCI DSS may not apply to those systems.
Traditionally, your website has always been the easiest aspect of your business to take out of scope. Every axis vMerchant website built by axisfirst, for example, will use hosted payment pages provided by your Payment Service Provider (PSP), usually SagePay or Pay360. Your customer enters their card details into a form that is actually running on the PSP's server, not yours, so the card details never pass through your web server. The PSP then provides a unique transaction reference to allow you to take payment without knowing the card details.
Until now, taking card payments from customers on the 'phone has inevitably meant that large parts of your business fall within the scope of PCI DSS. A number of new modules available for axis diplomat 2016 now make it possible to take card payments without coming into contact with the card details themselves.
The axis diplomat 2016 Aeriandi / SagePay Interface uses a third party solution that captures card details from the phone call whilst masking them from your staff. These details are passed to SagePay, and a unique transaction ID is then imported into axis diplomat in the same way as for a website transaction. This is the recommended solution for those with VoIP or call recording phone systems.
axis diplomat 2016 SagePay Tokens uses an optional bolt-on service from SagePay to allow customers to store their card details via your website for future use. The card details are stored by SagePay, so they do not affect your PCI compliance. Those tokens are available when the customer makes subsequent purchases on your website, but are also available to telesales staff to take payment within axis diplomat - either for an order or for payments on account.
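To make the scope boundary in the hosted-page and token flows above concrete, here is an added example (not axisfirst's, SagePay's or Pay360's code) of a merchant web tier that never accepts card data and stores only the PSP's references; the PSP URL, callback fields and token format are assumptions. It also adds a Luhn-based guard that refuses any form field carrying a card number, a check the text above does not describe but which helps catch card data leaking into systems meant to stay out of scope.

```python
import re
PSP_HOSTED_PAGE = "https://psp.example/hosted-page"  # hypothetical PSP URL, not a real endpoint
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn check, used only to recognise PAN-like values so they can be refused."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def contains_pan(value: str) -> bool:
    """True if the field holds something that looks like a card number (simple heuristic)."""
    for m in PAN_RE.finditer(value):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            return True
    return False

class Merchant:
    """Merchant-side state: only the PSP's opaque references are ever stored."""
    def __init__(self):
        self.orders = {}   # order_ref -> {"amount": pence, "tx": PSP transaction id or None}
        self.tokens = {}   # customer_id -> PSP card token (stands in for the stored card)

    def begin_checkout(self, order_ref, amount_pence, form):
        # Refuse any submission carrying a PAN: the card form must live on the PSP, not here.
        for field, value in form.items():
            if contains_pan(str(value)):
                raise ValueError(f"card data in field {field!r}; keep this system out of scope")
        self.orders[order_ref] = {"amount": amount_pence, "tx": None}
        return f"{PSP_HOSTED_PAGE}?order={order_ref}&amount={amount_pence}"

    def psp_callback(self, order_ref, transaction_id, token=None, customer_id=None):
        # The PSP posts back a transaction reference (and optionally a reusable token).
        self.orders[order_ref]["tx"] = transaction_id
        if token and customer_id:
            self.tokens[customer_id] = token
        return self.orders[order_ref]

    def charge_stored_card(self, customer_id, order_ref, amount_pence):
        # Repeat or telesales payment: the request to the PSP carries the token, never a PAN.
        token = self.tokens[customer_id]   # KeyError if no stored card for this customer
        self.orders[order_ref] = {"amount": amount_pence, "tx": None}
        return {"token": token, "order": order_ref, "amount": amount_pence}
```

The card number in the test is a constructed Luhn-valid sample; the guard is a heuristic and does not replace a proper scope assessment.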
The axis diplomat 2016 Online Payments module allows you to send an email when filing a sales order, containing a link to an online payment form and with a Pro Forma Invoice attached. If the customer uses this mechanism once then, when used in conjunction with the SagePay Tokens module described above, subsequent orders can be paid using the stored card.
For situations where you still need to take card details over the phone, you can use the axis diplomat 2016 SagePay Terminal Payments module to enter card details into SagePay's online website portal ("MySagePay"). In order to keep your network out of scope, one suggestion is to do this via an iPad or similar tablet running over the 3G/4G mobile network rather than using your company WiFi. Those payment details are then imported automatically into axis diplomat and matched to the appropriate sales order.
For more information on these modules, please visit:
For further information on Aeriandi's solution, please visit:
To find out more about card payment options for axis diplomat 2016 please call us or use this contact form:
DISCLAIMER axisfirst is not a Qualified Security Assessor (QSA) and the information provided above is purely based on our interpretation of the PCI DSS stipulations. If you are in any doubt, we strongly recommend that you consult with a QSA. A number of QSAs can be found via the Internet or your bank may be able to help you further.