PCI DSS compliance: are you paying more than you need to?
What is PCI DSS compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a global standard, maintained by the PCI Security Standards Council and mandated by the card brands through acquirer contracts, that was introduced to protect cardholder data during card payment processing and to reduce card fraud.
The standard sets out 12 data security requirements that a business must meet in order to be considered PCI DSS compliant. As numbered in PCI DSS v3.2.1 (the version current when this was written), they are:
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel
Do I need to comply with the PCI DSS?
Any organisation that processes, stores, transmits or accepts cardholder data needs to comply with the PCI DSS. Outsourcing card handling to a third party does not transfer the obligation: you remain responsible for ensuring that every party handling your cardholder data is compliant with the standard.
What are the penalties for not being compliant with the PCI DSS?
Ensuring that you are PCI DSS compliant is essential if you want to avoid the monthly non-compliance fee. If you are failing to meet the standard, you have most likely been paying at least £50 per month (£600 per year). From July 2019 the minimum charge rises to £75 per month (£900 per year), and it may be higher still, depending on factors such as the number of transactions you process in that month. On top of the monthly fee there is an extra penalty of 15p for every transaction taken during a non-compliant period. Some businesses have been non-compliant for five years or more, so the total can be an extremely detrimental amount.
Check your statement
According to the records provided to us by Global Payments, there are over 200 Bira members that, as of 17th June 2019, are not PCI DSS compliant. Some of our members may be unaware of this. To find out if you are being charged, check your statement for the details below.
If your Global Payments statement shows a charge of £50 or more against charge number 6320 (NON PCI GF), you are currently non-compliant. Note that £50 is the present minimum charge for non-compliance and, as stated above, this will increase to £75 after July 2019.
The PCI Security Standards Council has also compiled a list of ‘Quick Steps to Security’. These are practical tips that will help you to become PCI DSS compliant. See Maintaining Payment Security to find out more.
When should I complete the PCI DSS forms?
In order to be PCI compliant, there are certain forms that need to be completed. It is required that any organisation involved in the processing of card data completes the following:
- An annual SAQ (self-assessment questionnaire). You can find out more about the self-assessment questionnaire here. The questionnaire comprises a series of yes or no questions that correspond with the PCI DSS requirements, together with an ‘Attestation of Compliance’: a signed declaration that you are eligible to self-assess, that you have completed the questionnaire, and of your resulting compliance status.
- A network scan by an ASV (Approved Scanning Vendor) every quarter. Global Payments applies this to organisations that process between 20,000 and 1 million online transactions annually; note that whether a scan is required also depends on which SAQ applies to you, since the SAQs that cover internet-facing systems (such as A-EP, B-IP, C and D) include quarterly external scans. You can find out more about ASVs or find an approved ASV here.
Global Payments PCI compliance service – Security Metrics
Some of you may know that Global Payments recently sent out a letter to Bira members outlining PCI compliance. If you received this letter, Global Payments has identified you as not compliant with the standard. They are committed to getting all Bira members compliant and will be calling members via a company called ‘Security Metrics’. If you are called by Security Metrics, it is not a scam: they are assisting Global Payments with ‘Global Fortress’, which is the Global Payments PCI compliance solution. If you want to verify a call before giving any details, hang up and ring Global Payments directly on the number below. The fee for Global Fortress is between £3.50 and £7.50 per month, depending on throughput.
For more information about how Global Payments can help your business, and to see our negotiated rates for members, call 0345 702 3344 or click the button below.
Card processing with Global Payments
Lines are open from 9am to 6pm, Monday to Friday, except public holidays, calls may be recorded.
Global Payments is a trading name of GPUK LLP. GPUK LLP is authorised by the Financial Conduct Authority under the Payment Services Regulations 2017 (504290) for the provision of payment services and under the Consumer Credit Act (714439) for the undertaking of terminal rental agreements.
GPUK LLP is a limited liability partnership registered in England number OC337146. Registered Office: 51 De Montfort Street, Leicester, LE1 7BB. The members are Global Payments U.K. Limited and Global Payments U.K. 2 Limited. Service of any documents relating to the business will be effective if served at the Registered Office.