The Payment Card Industry Data Security Standard (PCI-DSS) aims to enhance security for consumers by setting guidelines for any company that accepts, stores, processes, or transmits credit card information regardless of the number of transactions or the size of those transactions.

If a Paladin client uses WorldPay as their credit card processor, they will have to complete an annual PCI-DSS Compliance questionnaire from SaferPayments. If they do not complete the questionnaire or fail it, then they will be charged a $20 monthly fee until they are compliant.

Important: SaferPayments does make outbound calls to contact stores but will NEVER ask for an MID. If asked for an MID, consider it phishing and report the issue to SaferPayments.

The following sections provide information to help clients successfully pass the SaferPayments questionnaire:

Complete Business Profile

The client will receive an email from SaferPayments instructing them to complete the questionnaire. This email will also provide the credentials needed to log in to saferpayments.yoursecurejourney.com.

  1. Sign in to SaferPayments with the credentials sent.
  2. Under Your business profile, click Manage.

Figure 1: SaferPayments/Your business profile/Manage

  1. In the Before You Begin screen, enable Select this option if it is your first time…

Figure 2: Before You Begin screen

  1. Click Next.
  2. In the How Do You Accept Payment Cards? window, depending on how the client accepts payment cards, they should check either Face to face, Mail or telephone order, or both.

Note: DO NOT select e-Commerce store. This only applies if the client has their own website where they collect card payments.

Figure 3: How Do You Accept Payment Cards? window

  1. Click Next.
  2. In the How Do You Accept Your Mail and Telephone Order Customer Card Payments window, the client should check whichever box(es) apply to them. Most likely, the client will enable the Phone option only.

Figure 4: How Do You Accept Your Mail and Telephone Order Customer Card Payments window

  1. Click Next.
  2. In the How Do You Accept Card Payments Via Mail and Telephone Order window, enable No.

Figure 5: How Do You Accept Card Payments Via Mail and Telephone Order window

  1. Click Next.
  2. In the Transactions Over the Telephone window, enable My customers give their payment card number over the phone to a person in my organization or call centre.

Figure 6: Transactions Over the Telephone window

  1. Click Next.
  2. In the Your Telephone System Call Handling window, enable No.

Figure 7: Your Telephone System Call Handling window

  1. Click Next.
  2. In the Storage of Electronic Cardholder Data window, enable No.

Figure 8: Storage of Electronic Cardholder Data window

  1. Click Next.
  2. In the Your Employees Access to Data window, enable No.

Figure 9: Your Employees Access to Data window

  1. Click Next.
  2. In the How You Accept Card Payments window, check I use an integrated Point of Sale (POS) system that includes a connected hardware terminal; payment data is routed through the POS to the processor.

Figure 10: How You Accept Card Payments window

  1. Click Next.
  2. In the Use of Point to Point Encryption Solution window, enable Yes.

Figure 11: Use of Point to Point Encryption Solution window

  1. Click Next.
  2. In the Your Point-to-Point Encryption Solution window, enable Yes.

Figure 12: Your Point-to-Point Encryption Solution window

  1. Click Next.
  2. In the Payment Methods Using Point to Point Encryption window, check Integrated point of sale (POS) system. 

Figure 13: Payment Methods Using Point to Point Encryption window

  1. Click Next.
  2. In the Your Point-to-Point Encryption System window, for Ingenico ISC credit card devices, type “worldpay” in the search field, then check WorldPay NA P2PE (Combining WP Direct, WP Express & WP B2B).


Figure 14: WorldPay NA P2PE (Combining WP Direct, WP Express & WP B2B)

  1. Click Next.
  2. In the Your Point-to-Point Encryption System window, for Ingenico Lane credit card devices, type “bluefin” in the search field, then check Bluefin Payment Systems – Bluefin P2PE.

Figure 15: Your Point-to-Point Encryption System window

  1. Click Next.
  2. In the Your Worldpay Total P2PE window, choose the appropriate answer. The client might have to look at the model number on the credit card device.

Figure 16 shows Ingenico – IWL250 as an example.

Figure 16: Ingenico – IWL250 example

  1. Click Next.
  2. In the Notice window, click OK.

Figure 17: Notice window

  1. In the Your Customer’s Payment Card Authentication Data window, enable Yes, No, Yes.

Figure 18: Your Customer’s Payment Card Authentication Data window

  1. Click Next.
  2. In the Printed Paper Receipts and Reports window, enable No.

Figure 19: Printed Paper Receipts and Reports window

  1. Click Next.
  2. In the Other Uses of Card Numbers window, enable No, No.

Figure 20: Other Uses of Card Numbers window

  1. Click Next.
  2. In the Your Company Policy for Information Security window, enable I do not have an Information Security Policy in place at the moment, I will implement a security policy using the template provided.
  3. Click the Download link and save the Security Policy template to the client’s desktop.

Figure 21: Your Company Policy for Information Security window

  1. Click Next.
  2. In the A Summary of How and Where You Handle Card Payments window, use the answers provided in the following image.

Figure 22: A Summary of How and Where You Handle Card Payments window

The Business Profile is complete.

Complete Security Assessment

There are 5 questions to answer in the five Are Data-Retention and Disposal Policies, Procedures, and Processes Implemented as Follows windows. These questions are:

3.1(a): Is data storage amount and retention time limited to that required for legal, regulatory, and/or business requirements?
3.1(b): Are there defined processes in place for securely deleting cardholder data when no longer needed for legal, regulatory, and/or business reasons?
3.1(c): Are there specific retention requirements for cardholder data? For example, cardholder data needs to be held for X period for Y business reasons.
3.1(d): Is there a quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements?
3.1(e): Does all stored cardholder data meet the requirements defined in the data-retention policy?

The client should answer Yes to all 5 questions.

  1. In the Merchant Executive Officer window, enter the Title and Name of the client’s organization/store executive officer.

Figure 23: Merchant Executive Officer window

  1. In the Attestation window, click Confirm your Attestation.

Figure 24: Attestation window

The Security Assessment is complete, and the client is now PCI compliant. 

  1. Click Download AOC and save the completed questionnaire to the client’s desktop (AOC stands for Attestation of Compliance).

Figure 25: Download AOC

If you have questions or suggestions about this information, contact support@paladinpos.com.

*Content is subject to change. For the most recent version, visit the Help Portal.
Printed on: 4/23/24