
What Flavour PCI is Your UK Retail Business?

This article will help you decide where your UK retail business stands with regard to PCI DSS compliance.

It should be read in conjunction with these PCI Security Standards Council publications:

  1. Pciss_10_common_myths (PCI SSC, "Ten Common Myths of PCI DSS")
  2. Instructions_guidelines_v1-1 (PCI SSC, "PCI DSS Self-Assessment Questionnaire - Instructions and Guidelines", version 1.1)

In summary, and with reference to the documents above, the rules for identifying which compliance validation level and which Self-Assessment Questionnaire apply to a retailer are as follows:

  1. PCI DSS compliance is required of every business that accepts payment cards, even if it processes only a single transaction (see Myth 7).
  2. Depending on the scale of a merchant's business and the configuration of its card acceptance systems, there are different ways to test and validate compliance with PCI DSS.
  3. The scale of the merchant's business is addressed by the Visa compliance validation levels (see "A Guide for Merchants", Section 7):
    1. Large merchants (Level 1), processing more than 6m transactions per year, are required to complete an annual on-site audit and quarterly vulnerability scans.
    2. Merchants processing between 1m and 6m transactions per year (Level 2), and e-commerce merchants processing between 20,000 and 1m transactions per year (Level 3), are expected to complete an annual Self-Assessment Questionnaire (SAQ) and quarterly vulnerability scans.
    3. All other (smaller) merchants (Level 4) are recommended to complete an annual Self-Assessment Questionnaire and quarterly vulnerability scans.
  4. Where a merchant other than a large merchant is expected or recommended to complete an annual Self-Assessment Questionnaire, the version of the SAQ (A to D) to be completed is determined by the configuration of its card acceptance system. A merchant may complete the entire self-assessment process internally or may work with a Qualified Security Assessor (QSA).
  5. The SAQ (A to D) that applies to a merchant is determined from the SAQ validation types (1 to 5), which describe the different configurations of card acceptance system (see "PCI DSS Self-Assessment Questionnaire - Instructions and Guidelines", "Selecting the SAQ and Attestation that best apply to your organisation", page 8). Validation type 1 is the simplest configuration; validation type 5 is the catch-all for all merchants not covered by SAQs A to C, and it maps to SAQ D.

The purpose of the Visa compliance validation levels (1 to 4) is to define whether an annual on-site audit and quarterly vulnerability scans are required (Level 1), or whether completion of an annual Self-Assessment Questionnaire and quarterly vulnerability scans is expected (Levels 2 and 3) or recommended (Level 4). Note the distinction between required, expected and recommended.

If a merchant qualifying for compliance validation level 4 chooses not to complete an annual SAQ or quarterly vulnerability scans, it remains responsible for satisfying the requirements of the PCI DSS and, in turn, remains liable for any loss of cardholder data.

In terms of SAQ validation types, Vodat International offers a service that allows a retailer to satisfy the criteria for SAQ validation type 4 and therefore to use SAQ C to test and validate compliance with PCI DSS. SAQ C is attractive because it does not require the retailer to carry out penetration testing, which is a requirement under SAQ D and can cost several thousand pounds per year. Note that the quarterly vulnerability scans associated with the merchant's validation level still apply under SAQ C.

For more information about Vodat's PCI DSS compliant solutions for UK retailers, please visit PCI DSS Consultants or call Vodat International on 0161 406 1820 or contact us by e-mail.

Added: 23/10/2008 11:41:29
