What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security controls that merchants, payment service providers and acquiring banks (collectively known as “entities”) need to follow. It was created in 2004 by MasterCard, VISA, American Express, Discover and JCB to simplify security accreditation.
What is a merchant?
A retail merchant, or retailer, sells commodities to consumers (including businesses). A Merchant is a retail merchant. In this environment, all Merchants are considered merchants and need to comply with PCI DSS.
What are the other entities concerned with PCI DSS within the Accor Environment?
Acquiring banks: These are the banks that handle credit card transactions on behalf of merchants.
What is the relationship between PCI DSS entities: merchants, payment service providers and acquiring banks?
A merchant (Hotel) takes payments from customers by accepting credit card payments. Payments are processed using a payment service provider, who then passes the payment data on to the acquiring bank for authorization and settlement.
Why do I need to comply with PCI DSS?
PCI DSS applies to all entities who process, store or transmit cardholder data. As such, all Merchants fall into the merchant category and need to comply.
What level merchant am I?
There are different merchant levels, labelled Level 1, Level 2, Level 3 and Level 4. Merchant levels are determined by the way payment is taken (e.g. using a Point of Sale Device to take the payment or using a terminal at the Merchant) and by the volume of transactions processed every year.
What do I need to do to become compliant?
You must be able to validate compliance with all controls of PCI DSS. You are required to submit a duly completed SAQ to your acquiring bank.
How do I report my compliance and to whom?
Compliance validation is reported by submitting a duly completed SAQ to the Merchant’s acquiring bank. The compliance portal allows all Merchants to produce the report, which they must then submit to their acquiring bank.
What happens if I am not compliant?
Card brands such as MasterCard, VISA, American Express, Discover and JCB may decide not to accept payment from your organization. Your acquiring bank may decide that they no longer wish to accept processing payments from you. Fines may be levied by the acquiring bank and/or brands. If you are not compliant and are a victim of a breach such as a data compromise at your Merchant (where it can be proven that credit card holder data which should have been protected following the controls of PCI DSS has leaked out or been compromised), lawsuits and class actions may be started against your organization.
How long does compliance validation take?
This varies with each of the elements of the portal.
a) Typically it takes less than 40 minutes per staff member to complete the eLearning Course.
b) It should take less than 2 hours to download template policies and procedures.
c) Scheduling a scan is done within minutes; however, the scan itself may take several hours to complete. Results are available on the portal once the scan is performed. Please note that if the scan fails you will need to allow time to take corrective action.
d) Self-Assessment Questionnaire (SAQ): there are four types of SAQs which vary in length, and therefore completion time will vary. If your Merchant is in a position to answer “Yes” to all questions, then 15 minutes should suffice. If you can’t answer yes to all questions you may need to allocate time to take corrective action internally and/or may need to mail info@vigitrust.com.
Compliance is a continuous process, and validation of compliance with PCI DSS for Merchants must be done on an annual basis. Merchants should allocate appropriate time to complete it.
How does the HCP help me to be compliant?
The HCP simplifies and centralizes the compliance process for you. Using the HCP you get access to four key features required to validate compliance:
eLearning: Educate all in-scope staff as to what PCI DSS is and how to protect cardholder data and confidential information;
Policies and Procedures: The HCP enables Merchants to download and assign a status to security policies (i.e. in place/not in place). All documents follow the same template and are already branded. There may be customization work required for non-standard set-ups;
IP Scanning: This module allows Merchants to perform the required annual external scans of their payment environment. It also allows Merchants to perform on-demand scans at their discretion;
SAQ functionality: The HCP has in-built versions of all SAQs and guides Merchants to the SAQ they need to complete by asking them key questions about how they take credit card payments. Franchisees can complete the SAQs online and print out and/or mail the completed documents.
How long is compliance valid for?
Once validated by the acquiring bank, compliance is valid for 12 months.