Are you PCI-DSS Compliant?
27th August 2013
Today we had an interesting discussion with a potential new client who operates their own eCommerce platform. Given that our remit as consultants means we discuss more than just design and functionality, we asked them about their processes – from stocking supplies to taking payments.
Given how devices such as iZettle, Square and WorldPay Zinc have become so popular by making face-to-face card transactions so much easier, we were quite surprised when the company declared they were fully compliant without really understanding what compliance involves. For those of you who aren’t aware, let us explain.
Plug in payments
Imagine you are a taxi driver, and having dropped someone off at Manchester Airport you ask for the £12.50 fare. Your passenger realises they don’t have enough cash on them, so you whip out your iZettle. Plugging it into your iPhone or Android device, you key in the amount due, ask for the customer’s mobile number and hand the device to them. The passenger approves an ‘authorisation text’, confirms the amount requested by signing on the iPad, and gets a receipt sent to their email address.
It works the same way with retail stores, market stalls and anyone else who wants to take card payments on the go.
The iZettle misunderstanding
Although a purely online retailer, this company had mistaken simplicity for compliance. The owner wanted an option whereby customers could phone him up and pay – perhaps because the website was down, or simply because they preferred shopping that way. So he would take their card details over the phone and process the transaction himself.
And that’s where compliance kicks in.
iZettle state on their OWN security page that “iZettle is approved by EMV (Europay, MasterCard and Visa) and adhere to the requirements of the global ‘Payment Card Industry Data Security Standard’ (PCI DSS) for handling card data.”
This means that because iZettle captures the card details directly onto their own server, they are approved for processing and storing those details. However, where this client would be taking the same card details himself and potentially storing them, so that those details could be reused or stolen, he too would have to be PCI-DSS compliant.
As an eCommerce business using SecPay and PayPal for online transactions, the risk and responsibility are borne by those two payment gateways, because it is their servers that capture the actual details (the website redirects to a customised page owned and hosted by those organisations). He never sees the full card details of online transactions, so he is automatically exempt.
How to become PCI-DSS compliant
Anyone who is storing card details (name, address, card numbers and dates) is legally required to use that data only for the purpose for which it was given (i.e. a transaction of the expected amount), to store it securely, and to define who has access to it and under what circumstances it will be disposed of.
These processes and named responsibilities need to be written up, signed and made available for review by any organisation or customer. The UK Card Association and the global PCI DSS Security Standards Council publish some great guides for small and larger businesses.