Payment Card Industry Data Security Standards (PCI DSS)

The latest Payment Card Industry Data Security Standard (PCI DSS) is a complex set of rules and requirements that, from October 1, 2007, applies to every person, business or organisation that processes credit card information. This includes any person, business or organisation that receives, stores, processes or transmits credit card data.

The PCI DSS is a product of the Payment Card Industry Security Standards Council, an organisation founded by the participating payment brands Visa International, MasterCard, American Express, Diners Club and JCB. The purpose of the Payment Card Industry Security Standards Council is to establish a uniform worldwide standard that aggressively addresses the vulnerability and risk associated with the handling of credit card data across all industries.

The PCI DSS ushers in a new, more secure era that will ultimately have a tangible impact on reducing credit card fraud the world over.

PCI DSS in 'Plain English'

The official definition of who and what is now required to have PCI DSS compliance is:

"PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply." (From the PCI DSS)

So, if your website touches the PAN (Primary Account Number), which is usually the 16-digit credit card number itself, in any way, even if it is only to transmit it directly to a 'real time' payment gateway, or to store it in some way, then your online business (website) must be certified PCI DSS compliant in its own right. The applicable PCI DSS criteria are as follows:

*The vast majority of businesses and organisations operating e-commerce websites on the internet today fall into the Level 4 classification. It is most likely that your online business would do so as well.

PCI compliance is not a request or a suggestion; it is now a requirement and is enforceable.

Any person, business or organisation that falls into any of the above compliance levels but is found not to be compliant with PCI DSS risks not being allowed to handle cardholder data, and possible fines of between $10,000 and $500,000.

Thinking of Accepting Credit Cards Online?

If you have a website that asks, or is about to ask, for credit card details to be entered into it for processing by a 'real time' payment gateway, or if you are planning to capture and store credit card data online in some way yourself, then please download the latest PCI DSS (PDF) documentation to learn what you will need to do to become PCI DSS compliant.

Your website is (or will be) transmitting or storing credit card data; therefore, even if you only do, say, a few transactions per month, you are in the Level 4 classification (see above) and your website will be required to have its own PCI DSS compliance to avoid exposure to penalties, which can be severe. Please feel free to have this confirmed directly by Visa Asia Pacific and/or MasterCard; both have main offices in Sydney.

Why e-Path is an Excellent Solution

When you use e-Path as your payment gateway, your website will not touch credit card data or have anything to do with receiving or transmitting credit card data in any way. Your customer is redirected to your secure e-Path gateway, where they enter their credit card details within our own highly secure PCI DSS compliant environment. Therefore, your own website does not fall under any of the above classification levels and will not require PCI DSS compliance.

e-Path, PCI DSS and McAfee™

e-Path utilises the Payment Card Industry Data Security Council approved and compliant McAfee™ PCI DSS (Payment Card Industry Data Security Standards) program. McAfee™ is a PCI Approved Scanning Vendor (ASV).

McAfee™ is best known for its HACKER SAFE trustmark and is a world-leading provider of web server security services, including card-vendor PCI (Payment Card Industry) compliance services.

The McAfee™ PCI Compliance program meets the requirements of Visa's CISP and AIS, MasterCard's SDP, American Express' DSS, DiscoverCard and JCB.

McAfee™ performs complex security and vulnerability scanning on an almost continual basis and provides e-Path with concise information on the continued security and PCI DSS compliance status of our secure server.

The 'device' is the secure server used exclusively to perform the e-Path secure credit card payment gateway service on the internet.

It is physically located in a secure datacentre that operates to a no-access-to-server-infrastructure standard.

HackerSafe & PCI Compliance Scan Results for e-Path

Above: an actual screen capture of part of a McAfee™ report on the security status of the secure e-Path gateway server (device).

While the physical security of our secure server is critical, it is how securely the server communicates and operates the gateway functions on the internet that is one of the main contributing factors in determining compliance with the PCI DSS. In this regard, as in all other areas, e-Path does not compromise.

Please see e-Path Security for information on how the mechanics of e-Path's manual payment gateway afford protection for merchants and cardholders that extends beyond that of the PCI DSS.

For further information on PCI DSS and other associated security standards:

PCI Security Standards Council - Supporting documentation
Visa International
MasterCard
American Express
Discover Card Network

This website makes no determination as to the suitability of the e-Path service for your particular personal or business needs.
e-Path is an Australian based global provider of the e-Path Internet Credit Card Payment Gateway Service.
All Rights Reserved - Copyright 2005, 2006, 2007, 2008 E-PATH PTY LTD
ACN:124032917 | ABN:70124032917