

If you have an Internet shop and accept one or more credit cards, then there is a good chance that you have been informed by the transaction processing party (acquirer) about the obligations regarding the so-called Payment Card Industry Data Security Standard (PCI/DSS). 

Their communication provides more information about the how and why of PCI/DSS. It is clear in any case that you are obliged to comply with PCI/DSS. Maybe you still have questions about this letter or the actions you should take with regard to PCI/DSS. We will try to assist you with the information given here.

In the following Questions & Answers, reference is often made to the acquirer (the transaction processing party, usually a bank). The acquirer is the party that ensures that the transactions made by you are processed (inter)nationally (the Cardholder is charged and you, as the accepting party, are paid, possibly via an intermediate party). Most Internet shops work by way of a Payment Service Provider (PSP). These PSPs must also meet the requirements of PCI/DSS.

In principle, if you are having your transactions fully settled through a PSP, it will be sufficient for you to fill out an annual Self-Assessment Questionnaire (SAQ). If you process credit card numbers on your web server (whether or not you save them), then you are required to complete the extended PCI questionnaire.

Who is your point of contact?

The international credit card organisations (Visa, MasterCard, American Express) impose the PCI Data Security Standard on the acquirers. The acquirers are responsible for its implementation. They are also the ones who determine, in applicable cases, what rules apply and how these are to be applied. In case of questions, it would therefore be best for you to contact them.

Questions & Answers

1. How can I check what “type” of merchant we are for PCI?
 Is the domain name of your company or Internet shop mentioned in the URL bar of the page on which the credit card details are requested during the payment transaction? In that case, you will need to supply the information requested in Question 3.

2. What do I have to do if I have the entire transaction processed via a PSP?
In that case, it will be sufficient to complete the annual Self-Assessment Questionnaire TYPE A. Most acquirers have this document available via an online application, but you can also download it here:, choose AOC SAQ A

3. What do I have to do if I process the transactions through our own website?
(1) You must first complete the Self-Assessment Questionnaire. Some acquirers are using separate Internet applications for this, but you can also download this form here:, choose AOC SAQ D - Merchants
(2) You also have to complete and submit the Attestation of Compliance Form. Note: (1) and (2) are almost always provided in a single document!
(3) In addition, each quarter, but on the first occasion accompanied by the two aforementioned documents, you are also required to submit the report of a network security scan.

A number of certified suppliers (Approved Scanning Vendors) are designated for the implementation of these scans. Trust Guard is one of the world’s ASVs (Approved Scanning Vendors). From €167,= per annum they provide the tools for PCI scans. In Europe, this service is provided by Business to You BV.

4. Why are we required to fill in the questionnaire?
Because there is liability in the event of failure to correctly answer the questions. Your PSP or acquirer cannot and will not accept this responsibility. In addition, it is also not known what infrastructure you are using (web applications, hosting, etc.).

5. What if I need help in completing the answers on the SAQ form?
Obviously, Business to You can be your first port of call for support. However, it is always the acquirer who imposes the PCI certification upon you and we cannot always speak on behalf of the acquirer. For more detailed questions, we must therefore refer you to your acquirer. The acquirer is the party that ultimately processes your transactions.

Examples of acquirers are PaySquare and EMS. For PaySquare, phone: 030 283 73 33, then choose option 3. For EMS, phone: 020 6600 595 (eCommerce Helpdesk).

6. What if I have questions about (some) terms used in the SAQ form?
In the following document, most of the terms are explained (in English):

7. Which IP addresses need to be scanned?
The IP addresses that must be included in the scan: all “Internet-facing” (also called “Public facing” or “External facing”) IP addresses and/or domain names. It may be that companies have additional IP addresses through which no credit card details are sent. If this applies to you, then you can take this matter up with your acquirer. They will then help you determine which IP addresses and domain names must be included in the scan.

The basic rule: if in doubt, you should contact your acquirer (the party that processes the transactions, e.g. PaySquare, EMS, ATOS Worldline or B+S). Important: as a merchant, you are responsible and liable for resulting damages if an IP address and/or domain name is not included in the scan. If in doubt, contact your acquirer.