What is PCI Compliance? How do I get PCI Compliant?
What is PCI Compliance?

Security of personal data is a growing concern, with press coverage increasing on the subject.

Criminals constantly look for ways to obtain this kind of information from different sources, and one vulnerable point of compromise that fraudsters have identified is cardholder data collected when cards are accepted for payment.

The Payment Card Industry Data Security Standard (PCI DSS) is a global standard mandated by Visa, MasterCard, Amex, JCB, Diners Club and Discover (hereinafter referred to as the "card schemes") to bring a greater level of security to this type of data. PCI DSS covers areas such as:
  • Security management
  • Security policies
  • Procedures
  • System network architecture
  • Software design
This comprehensive standard is intended to help organisations proactively protect customer account data.

PCI DSS is not completely new. It is based on existing 'International Organisation for Standardisation (ISO)' standards and industry best practices, and is a common sense approach to security. It should not be viewed purely as a card requirement but as a general way of doing business. A good maxim to follow is 'treat card data as you would cash', this includes:
  • store card data securely
  • limit access (from both internal and external sources) to the data
  • update and maintain any security you may have in place on a regular basis
  • have a policy which you can share with your employees on the security process in place
PCI DSS has been adopted by all the major card schemes as the industry standard.

However, the individual card schemes have their own programmes entitled:
  • MasterCard - Site Data Protection (SDP)
  • Visa - Account Information Security (AIS)
CommerceXchange is fully PCI DSS compliant. Our PCI DSS compliance certificate can be found at the link below:
https://secure.clic2pay.com/



How do I get PCI Compliant?

There are two scenarios that can apply:
  1. I am using a webstore but I don't use a 3rd party online transaction processor for credit card transactions; I download the orders and manually transact them using a PDQ machine in my office
  2. I am using a webstore and a 3rd party online transaction processor (SagePay, Realex)

  1. Manual transaction

    In this case there are two stages to PCI compliance, because the credit card details are handled in two places:
    1. On the CommerceXchange webstore system;
    2. On your premises, by your staff, to manually transact the order.

    Stage 1 - The CommerceXchange system is verified as PCI compliant, and a copy of our compliance certificate can be downloaded at https://secure.clic2pay.com/ and forwarded to whoever is conducting your compliance audit (your bank or their 3rd party agents).

    Stage 2 - In most cases whoever is conducting your compliance audit will send you a questionnaire (the PCI Self-Assessment Questionnaire, SAQ) to complete about the way you and your staff handle, store and dispose of the credit card details once they are in your possession.
  2. Automated transaction

    Both CommerceXchange and its online transaction partners are PCI compliant.

    A copy of our compliance certificate can be downloaded at https://secure.clic2pay.com/ and forwarded to whoever is conducting your compliance audit (your bank or their 3rd party agents).

    Copies of our online transaction partners' compliance certificates can be found on the relevant partner's website.