The Payment Card Industry Data Security Standard (PCI-DSS) aims to enhance security for consumers by setting guidelines for any company that accepts, stores, processes, or transmits credit card information — regardless of the number of transactions or the size of those transactions.
If a Paladin client uses WorldPay as their credit card processor, they must complete an annual PCI-DSS compliance questionnaire from SaferPayments. If they do not complete the questionnaire, or fail it, they are charged a $20 monthly fee until they are compliant.
Complete Business Profile
The client will receive an email from SaferPayments instructing them to complete the questionnaire. This email will also provide the credentials needed to log in to saferpayments.yoursecurejourney.com.
1. Sign in to SaferPayments with the credentials sent.
2. Under Your business profile, click Manage.
3. In the Before You Begin screen, enable Select this option if it is your first time…
4. Click Next.
5. In the How Do You Accept Payment Cards? window, check Face to face, Mail or telephone order, or both, depending on how the client accepts payment cards.
Note: DO NOT select e-Commerce store. That option applies only if the client has their own website on which they collect payment cards.
6. Click Next.
7. In the How Do You Accept Your Mail and Telephone Order Customer Card Payments window, check whichever box(es) apply to the client. Most clients will enable the Phone option only.
8. Click Next.
9. In the How Do You Accept Card Payments Via Mail and Telephone Order window, enable No.
10. Click Next.
11. In the Transactions Over the Telephone window, enable My customers give their payment card number over the phone to a person in my organization or call centre.
12. Click Next.
13. In the Your Telephone System Call Handling window, enable No.
14. Click Next.
15. In the Storage of Electronic Cardholder Data window, enable No.
16. Click Next.
17. In the Your Employees Access to Data window, enable No.
18. Click Next.
19. In the How Do You Accept Card Payments window, check I use an integrated Point of Sale (POS) system that includes a connected hardware terminal; payment data is routed through the POS to the processor.
20. Click Next.
21. In the Use of Point to Point Encryption Solution window, enable Yes.
22. Click Next.
23. In the Your Point-to-Point Encryption Solution window, enable Yes.
24. Click Next.
25. In the Payment Methods Using Point to Point Encryption window, check Integrated point of sale (POS) system.
26. Click Next.
27. In the Your Point-to-Point Encryption System window, for Ingenico ISC credit card devices, type "worldpay" in the search field, then check Worldpay, Inc – Integrated POS (Worldpay Total) P2PE.
28. Click Next.
29. In the Your Point-to-Point Encryption System window, for Ingenico Lane credit card devices, type “bluefin” in the search field, then check Bluefin Payment Systems – Bluefin P2PE.
30. Click Next.
31. In the Your Worldpay Total P2PE window, choose the answer that matches the client's terminal. The client might have to read the model number printed on the credit card device.
The original page shows Ingenico – IWL250 as an example.
32. Click Next.
33. In the Notice window, click OK.
34. In the Your Customer's Payment Card Authentication Data window, answer the three questions, in order, Yes, No, Yes.
35. Click Next.
36. In the Printed Paper Receipts and Reports window, enable No.
37. Click Next.
38. In the Other Uses of Card Numbers window, answer both questions No.
39. Click Next.
40. In the Your Company Policy for Information Security window, select I do not have an Information Security Policy in place at the moment, I will implement a security policy using the template provided.
41. Click the Download link and save the Security Policy template to the client's desktop. The client is committing to put this policy in place, so they should keep and follow it, not only download it.
42. Click Next.
43. In the A Summary of How and Where You Handle Card Payments window, confirm that the summary matches the answers given in the steps above (the original page shows the expected answers in an image).
The Business Profile is complete.
Complete Security Assessment
The five Are Data-Retention and Disposal Policies, Procedures, and Processes Implemented as Follows windows each ask one question:
3.1(a): Is data storage amount and retention time limited to that required for legal, regulatory, and/or business requirements?
3.1(b): Are there defined processes in place for securely deleting cardholder data when no longer needed for legal, regulatory, and/or business reasons?
3.1(c): Are there specific retention requirements for cardholder data? For example, cardholder data needs to be held for X period for Y business reasons.
3.1(d): Is there a quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements?
3.1(e): Does all stored cardholder data meet the requirements defined in the data-retention policy?
The client should answer Yes to all five questions. These answers form part of the attestation the client signs at the end, so they must reflect the client's actual practice.
In the Merchant Executive Officer window, enter the title and name of the executive officer of the client's organization/store.
In the Attestation window, click Confirm your Attestation.
The Security Assessment is complete, and the client has attested to PCI-DSS compliance for the year.
Click Download AOC and save the completed Attestation of Compliance (AOC) to the client's desktop.
If you have questions or suggestions about this information, contact firstname.lastname@example.org.