PCI DSS 3.0 Changes
It's happening: on January 1st the new PCI DSS regulations take effect. If you store, process or transmit credit card data in your shop, you are obliged under the card brands' (Visa, MasterCard etc.) rules to comply with the new standard.
What is PCI-DSS?
PCI DSS is short for Payment Card Industry Data Security Standard. The standard was first introduced in December 2004. Its goal is to protect cardholder data by defining a minimum security baseline for everyone who stores, processes or transmits it.
Compliance with PCI DSS is not demanded by the PCI Security Standards Council itself; it follows from the rules of the payment schemes. Hence the regulations of each card brand you accept in your shop have to be kept in mind. The regulations for MasterCard, for example, can be found here: http://www.mastercard.com/us/company/en/whatwedo/determine_merchant.html. Your acquiring bank is responsible for enforcing and supervising your compliance with these rules. If you do not know who your acquiring bank is, your Payment Service Provider will be able to tell you.
Put briefly: contrary to a widely held myth, PCI DSS is not only relevant for large-scale merchants. As soon as your activities include processing, storing or transmitting credit card data, PCI DSS applies to you. However, most merchants only transmit data. For these cases the PCI regulations provide a simplified procedure, the so-called Self-Assessment Questionnaire (SAQ). In the old standard it consisted of 12 questions and applied if you transmitted but did not store credit card data. In these cases the Payment Service Provider handled processing and storage of the data, so you benefited from the Payment Service Provider's own validation.
As a merchant, you should take PCI DSS seriously. Not being compliant does not only mean risking damage to your reputation in the event of card data theft, but also fines ranging from 5'000 up to 50'000 CHF. In addition, you can lose the right to accept credit cards altogether.
If you already accept credit card payments, you have probably completed this questionnaire, and your compliance remains valid until your current Level 4 (SAQ) attestation expires.
What changes with version 3.0?
The introduction of PCI DSS 3.0 in January brings numerous changes to the way you are allowed to process credit cards. The system described above does not change fundamentally, but there is one important adjustment to the Self-Assessment Questionnaire.
In addition to SAQ A for merchants who fully outsource the handling of credit card data, a new questionnaire, SAQ A-EP, is introduced. SAQ A-EP applies whenever you meet the following criteria:
"SAQ A-EP has been developed to address requirements applicable to e-commerce merchants with a website(s) that does not itself receive cardholder data but which does affect the security of the payment transaction and/or the integrity of the page that accepts the consumer's cardholder data.
SAQ A-EP merchants are e-commerce merchants who partially outsource their e-commerce payment channel to PCI DSS validated third parties and do not electronically store, process, or transmit any cardholder data on their systems or premises." (page iii, Self-Assessment Questionnaire A-EP and Attestation of Compliance, available at: https://www.pcisecuritystandards.org/merchants/index.php)
Hence the new, extended Self-Assessment applies to you if credit card data currently passes through your own site (via Alias Gateway or Hidden Mode) or if an entry form for credit card data is integrated into your shop pages. The deciding question is whether your web server delivers any part of the form or script that handles the card data: if it does, the integrity of your page directly affects the security of the payment, which is exactly what the quoted criteria describe. The SAQ A-EP questionnaire consists of far more than 12 questions and addresses security requirements (for the web server, its hosting environment and the software running on it) which cannot be met through standard shared hosting. As a consequence, options such as Hidden Mode are subject to strict rules and can no longer be used by merchants as easily. Under the new regulations a merchant can only remain an SAQ A merchant if the card data is entered on a page served entirely by the Payment Service Provider, i.e. through an iFrame or by redirection to the Payment Service Provider's payment page.
What do you have to do?
The regulations explained above are immediately relevant to you only if you register as a new merchant for credit card processing after the 1st of January. In that case the PCI DSS 3.0 requirements are binding from the start. If you already process credit cards, you have time until your current Level 4 attestation (i.e. your completed SAQ-A questionnaire) expires.
If you are using a sellXed module you are fully prepared for the change. We have equipped our modules according to the new standard, so they include iFrame authorisation and payment page redirection. All you need to do is change the authorisation mode in your module: with one click you can switch from Hidden Authorisation to Payment Page or iFrame.
If you have any further questions our support team will be glad to answer them. You can contact us here: www.sellxed.com/support