
Trustwave



About PCI DSS


What is the Payment Card Industry Data Security Standard (PCI DSS)?


PCI DSS was developed by Visa and MasterCard in response to credit card fraud and identity theft, to standardise the security controls surrounding card payments. The aim of the standard is to improve consumer confidence and to ensure that every merchant who processes credit card transactions meets a common, required level of security. The standard is also endorsed by Discover Network, American Express and JCB.


PCI DSS groups its requirements under six control objectives:


  • To build and maintain a secure network
  • To protect cardholder data
  • To maintain a vulnerability management programme
  • To implement strong access control measures
  • To regularly monitor and test networks
  • To maintain an Information Security Policy


How does PCI DSS affect Protx merchants?


All companies that accept card data must ensure that they are PCI DSS compliant.


If you use the Protx payment pages to process your transactions (through our VSP Form, VSP Server or VSP Terminal solutions), we handle the entire card-capture and transaction process for you. This greatly reduces the scope of your PCI DSS compliance validation, because cardholder data is entered on pages hosted by Protx and is not processed, transmitted or stored by your own website. Compliance is still required, but the validation effort is much smaller.


If you use your own payment pages and collect credit card details on your website before passing them across to Protx (through our VSP Direct solution), you will need to make sure that your own systems are PCI DSS compliant. This is because card details are entered on, and transmitted from, your own site rather than on the Protx payment pages, so you must ensure that site is secure. This may mean that you need to make an investment in your infrastructure.


What do I need to do?


You can either find your own Visa approved assessor, or you can work with our preferred data security partner, Trustwave. We are working with Trustwave to make it easier and more cost effective to achieve compliance.


VSP Direct merchants may need to invest in their infrastructure to make sure that their systems are secure and meet PCI DSS requirements. If you are concerned about the cost of compliance, you can greatly reduce the scope of your validation by using VSP Form, VSP Server or VSP Terminal to process your payments. With these solutions the card information is entered on payment pages hosted by Protx, so your own systems never handle it.


Your merchant level, which determines how you must validate compliance, depends on the volume of transactions you process (see the table below):



Different Levels of PCI

Level 1: Any merchant, regardless of acceptance channel, that:

  • Processes over 6 million Visa or MasterCard transactions per year
  • Has suffered a hack or an attack that resulted in an account data compromise
  • Visa or MasterCard determines should meet the Level 1 merchant requirements
  • Has been identified by any other payment card brand as Level 1

Level 2: Any merchant that processes 1 million to 6 million Visa or MasterCard transactions per year, regardless of acceptance channel

Level 3: Any merchant that processes 20,000 to 1 million Visa or MasterCard e-commerce transactions per year

Level 4: Any merchant that processes fewer than 20,000 Visa or MasterCard e-commerce transactions per year, or fewer than 1 million Visa or MasterCard transactions per year regardless of acceptance channel



What happens if I do not comply?


It is now more important than ever that you establish and maintain tight security around your operations and around the processing, storing and transmitting of credit card data, in order to prevent:


  • Fraud Losses
  • Harm to your business
  • Card Re-issuance Costs (Costs passed to the merchant)
  • Cardholder Inconvenience
  • Loss of Consumer Confidence
  • Adverse Publicity – Brand & Reputation Damage
  • Legislative Interest – Threat of Governmental Regulation

The card schemes created PCI DSS for the sole purpose of preventing payment card compromises. A payment card compromise can devastate a merchant, their customers and the card schemes themselves. The card schemes have set penalties for non-compliance to make clear that the cost of a payment card breach far outweighs the cost of compliance.


If cardholder data is compromised from your systems and you are unable to demonstrate compliance with PCI DSS, you may be held liable for the losses that arise. This could mean a substantial fine imposed by the card schemes, or a ban on accepting cards altogether.




