The Payment Card Industry (PCI) Data Security Standard (PCI DSS) is a complex set of rules and requirements that applies to every person, business or organisation that handles credit card data. This includes any person, business or organisation that receives, stores, processes or transmits credit card details.
The PCI DSS is a product of the Payment Card Industry Security Standards Council, an organisation founded by the participating payment brands Visa International, MasterCard, American Express, Diners Club and JCB.
The purpose of the Payment Card Industry Security Standards Council is to establish a uniform worldwide standard that aggressively addresses the vulnerabilities and risks associated with the handling of credit card data across all industries.
The official definition of who and what is now required to be PCI DSS compliant is:
“PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply.” (From www.pcisecuritystandards.org)
Therefore, if your website touches the PAN (Primary Account Number), which is usually the 16-digit credit card number itself, in any way, even if it is only to transmit it directly to a ‘real time’ payment gateway, or perhaps to store it in some way, then your online business (website) must be certified PCI DSS compliant in its own right.
PCI compliance is not a request or a suggestion; it is now a requirement and is enforceable.
Any person, business or organisation that processes credit card information but is found not to be compliant with PCI DSS risks not being allowed to handle cardholder data, as well as possible heavy fines and penalties, which could be levied on a monthly basis.
Thinking of accepting credit cards online?
If you have a website that is, or is about to, ask for credit card details to be entered into it for processing by a ‘real time’ payment gateway, or if you are planning to capture or store credit card data online in some way yourself, then please visit PCI Security Standards Council – Supporting documentation to learn what you will need to do to become PCI DSS compliant.
Your website is (or will be) processing, transmitting or storing credit card data. Therefore, even if you only do, say, a few transactions per month, you are in the Level 4 classification (see above), and your website will be required to have its own PCI DSS compliance to avoid exposure to the possibility of penalties, which can be severe. Please feel free to have this confirmed directly by Visa Asia Pacific and/or MasterCard; they both have main offices in Sydney.
Why JBEHosting.net is an excellent solution
When you use JBEHosting as your payment gateway provider, your website will not be touching credit card data or have anything to do with receiving or transmitting credit card data in any way. Your secure, PCI DSS compliant e-Path gateway is the system handling your customers and their credit card data.
Therefore, your own website does not fall under any of the above classification levels. This means you do not have to go to the expense of hiring a professional service to conduct regular vulnerability scans of your website, its dedicated IP, the server it is hosted on and the network the server is connected to.
PCI Self-Assessment Questionnaire (SAQ)
However, your business will still be accepting card-not-present credit card payments, and these payments are being processed by the merchant account/interface facility of your bank. Therefore, those facilities your bank is providing you MUST be PCI compliant, and you need to be handling card data in accordance with the PCI rules as they apply to your specific circumstances, which you declare by completing a PCI Self-Assessment Questionnaire, commonly known simply as the ‘SAQ’.
There are five different levels of SAQs. Which particular SAQ applies to your organisation is something your bank (your merchant account provider) may advise you on.
Contact JBE Hosting for more information using the contact form