Payment and Information Security

How to ensure sensitive cardholder information remains safe whenever a transaction is processed.

Merchant Operating Instructions: Payment and Information Security

The card schemes have set out information security requirements to make sure that sensitive cardholder information remains safe whenever a transaction is processed. As an acquirer, we must make sure our merchants comply with these requirements, which are regulated by the PCI Security Standards Council (PCI SSC), formed by Visa, MasterCard, American Express, JCB and Discover.

The PCI SSC has published a set of 12 requirements called the Payment Card Industry Data Security Standard (PCI DSS). To find out more, visit our dedicated PCI website.



Who needs to be PCI DSS compliant?

    Any business that stores, processes or transmits card data must comply with PCI DSS – and that includes all merchants who accept cards and any agent they may use.

    PCI DSS is a mandatory programme, so any merchant who doesn’t comply runs the risk of fines, as with any other breach of card scheme rules. As a card acquirer, Streamline has a responsibility to report our merchants’ PCI DSS status to the card schemes (Visa and MasterCard). This is confirmed in our standard terms and conditions.

    If your business has not begun to work towards PCI compliance, you could be fined by the card schemes. There are also fines for storing Sensitive Authentication Data (SAD) post-authorisation. In extreme cases, non-compliant businesses are subject to an Account Data Compromise (ADC) for which there are fines, plus the potential loss of business and reputation.



How to keep your customers’ card data secure

    To make sure your customers’ card data is secure, you need to comply with all the PCI DSS requirements that apply to your business. The steps you need to take to comply will depend on the size of your business and the type of card acceptance system you have.

    The card schemes have divided businesses into four PCI levels depending on the volume and type of transactions processed. See our Step-by-step guide to find out which level your business is, and what you need to do to comply. The four levels are also set out on our PCI website.



If you don’t store any card data

    Even if you do not store any cardholder account data in your own systems, you will still need to verify the PCI DSS status of any third parties who act on your behalf to store, process or transmit your customers' cardholder data. Third-party service providers may include:

    • Resellers
    • Software application providers
    • Acquirers
    • Payment service providers (PSPs)
    • Card processing bureaux
    • Data storage entities
    • Web hosting providers
    • Shopping cart providers
    • Miscellaneous third-party agents
    • Software vendors



A step-by-step guide

    To implement PCI DSS you will need to:

    • Find out more about the way your business works
    • Determine whether it handles cardholder account data securely
    • Put a remediation plan in place to address any associated data security risks
     
    This step-by-step guide will help you to do this in a way that is manageable for your business.
     
    Step 1: Get to know PCI DSS
    Your first step should be to read and understand the full details of the Payment Card Industry Data Security Standard (PCI DSS) and its 12 requirements. To see the full and latest version, visit our PCI website.

    Step 2: Map all data flows in your business
    Once you are familiar with PCI DSS, your next step is to put a project team in place within your business. This team’s immediate priority should be to analyse the way that card payments are processed in your business and to map out all the related data flows.
     
    This analysis must:
    • Identify any systems which store cardholder account data
    • Reveal which of these systems are under your direct control
     
    Depending on the size and type of your business, at least some of these systems may be under the control of a third-party service provider or vendor – such as a till vendor, a POS vendor, an integrated solution provider, an Internet Payment Service Provider, a payment gateway provider or a web hosting company. Under your agreement with your acquiring bank, it is likely that your business will be responsible for the activity of these third-party providers.
     
    Once you have completed Step 2, you should be in a position to:
    • Ensure all your service providers comply with PCI DSS
      • To find out more, go to Step 3.
      • If you do not work with any service providers, go straight to Step 4.
    • Implement PCI DSS compliance within your own business
      • To find out more, go to Step 4.

    Step 3: Check and monitor the status of your service providers 
    Under the terms of your agreement with your acquirer, your business is likely to be responsible for the data security activities of any payment service providers (PSPs) who work on your behalf. It is your responsibility to make sure that all these service providers comply with PCI DSS.  
     
    Because cardholder data security is so important for the payment card industry, it is likely that all your service providers will know about PCI DSS. Many providers are already compliant; others have a formal programme in place to become compliant. Service providers (merchant agents or Common Points of Service (CPS)) should register with www.cpsregistration.org to complete their PCI DSS compliance.
     
    We recommend that you regularly track your service providers’ progress towards compliance. If data becomes compromised by a third party you work with, you may be held responsible for any associated costs.
     
    For a current list of service providers that are compliant or working towards compliance, see ‘Procedures and Guidelines’ on the Visa AIS website.
     
    If your service providers are not on this list, you need to ensure that they take action toward becoming compliant. Visa recommends making PCI DSS compliance a contractual requirement for all your service providers.
     
    Your acquirer may seek your support and intervention during Step 3. For example, it may ask you to put additional pressure on a particular service provider – possibly by seeking assurances from them that they will become compliant within a reasonable timeframe.
     
    Step 4: Conduct a gap analysis and scope the project 
    Having mapped out the data flows in your business, you should have identified any of your systems that store cardholder account data. With these systems as your primary focus, you should:

    • Assess how much remediation work may be required to comply with PCI DSS
    • Assess what resources are needed, and how long this work is likely to take
    • Put a project team in place and discuss respective roles and responsibilities – including communicating with your acquirer and service providers, specifying technical changes, establishing training needs, etc.
     
    At this stage you should consider whether to engage the services of a Qualified Security Assessor (QSA) – a specialist auditor, certified by Visa and/or MasterCard to help you achieve PCI DSS compliance. Some merchants appoint a QSA from the outset. Others prefer to carry out the initial scoping work internally and bring in a QSA later for a more thorough review.
     
    For a current list of QSAs, visit the PCI SSC website.
     
    Step 5: Select your validation option
    Depending on the size of your business and how your card acceptance systems are set up, there are different ways in which to test and validate your compliance with PCI DSS.
     
    Level 1 – Merchants processing more than 6 million Visa or MasterCard transactions a year
     
    Level 2 – Merchants processing between 1 and 6 million MasterCard transactions a year
     
    From 30 June 2012, all Level 1 and 2 merchants must appoint a PCI SSC-certified Qualified Security Assessor (QSA) to complete an annual on-site assessment. This is a key change to the existing requirement for Level 2 merchants. MasterCard strongly encourages all merchants who are affected to appoint a QSA as soon as possible.
     
    Level 4 – Merchants processing fewer than 1 million Visa or MasterCard transactions a year
    Streamline has partnered with Trustwave, a Qualified Security Assessor (QSA), to help with the rollout of the Streamline PCI Compliance Management Programme to all Level 4 merchants. To find out more, visit www.streamline.com/pciportal.

    About the annual on-site audit 
    The annual on-site audit is an independent risk assessment, usually carried out by a Qualified Security Assessor (QSA), who will follow a standard testing procedure, built around the 12 PCI DSS requirements.
     
    If you currently use a security consultant to do on-site reviews for you, they may be able to carry out the PCI DSS on-site audit. It may also be possible for the audit to be carried out by your own staff.
     
    To find out more, visit our PCI website.
     
    About the quarterly vulnerability scan  
    A vulnerability scan ensures that your IT systems are protected from external threats, such as hacking or malicious viruses. The scanning tools test all your network equipment, hosts, and applications for known vulnerabilities. Scans are intended to be non-intrusive, and are conducted by an authorised network security scanning vendor.
     
    Regular quarterly scans are necessary to ensure that your systems and applications continue to provide adequate levels of protection. If the scans identify any vulnerabilities, you will need to address these and carry out a follow-up scan to ensure that the remediation was successful.
     
    For a current list of providers, go to the PCI Security Standards Council website.
     
    About the annual Self Assessment Questionnaire  
    The Self Assessment Questionnaire (SAQ) is a confidential online tool that can gauge your level of compliance with PCI DSS. By answering ‘yes’ or ‘no’ to a series of questions, you will be able to make a good assessment of your risk level. If the result shows that remediation work is needed, you must then carry out this work before you can comply with PCI DSS.
     
    Most businesses prefer to download a printable version of the SAQ before submitting their answers online. This allows you to obtain accurate answers from the appropriate people in your business. Download the SAQ from our PCI website.
     
    To validate your compliance with PCI DSS, you will need to pass the online SAQ by making sure your business is in a position to answer ‘yes’ to all questions, or indicate – when permitted – that they do not apply to you. You will also need to incorporate the questionnaire into your normal business routines, and ensure it is repeated yearly.
     
    You may wish to complete the entire audit or SAQ process internally, or you could work with a Qualified Security Assessor (QSA) to manage it on your behalf, or advise on aspects of it.

    You will need to validate your PCI compliance through the Streamline PCI Compliance Management Programme by either completing the SAQ online via the TrustKeeper portal or by uploading your Compliance certification documents from a QSA onto the site. This will enable Streamline to report your compliance to the Card Schemes. Please visit www.streamline.com/pciportal.

    Step 6: Plan and implement remediation
    Once you have decided on your validation option, you will probably need to carry out a more thorough gap analysis and develop a full remediation plan to become PCI DSS compliant.
     
    This can be done by your own team, or you could appoint a Qualified Security Assessor (QSA) to provide an independent perspective on your remediation plan.
     
    At this stage, you should give the individual members of your project team specific remediation activities and agree acceptable timelines. Some activities may depend on a third party or vendor becoming compliant, whilst others can be undertaken internally. From a project management perspective, it may seem better to wait until any service providers become compliant, but it’s important to remember that the underlying aim of PCI DSS is the security of your business and of customers’ data, not the compliance process.
     
    Because of this, we recommend that you begin any remediation work on your own systems as quickly as possible. By doing whatever you can as soon as you can, you will be taking a vital step forward in protecting your business and customers against the risk of data compromise.

    Step 7: Certification
    In order to go through the final certification stage, your business will need to:

    • Complete the remediation of all systems under your control
    • Confirm that all your service providers are fully compliant – and that their compliant products and services have been implemented within your own card acceptance systems
     
    When this is done, it will be time for your business – either independently or with a Qualified Security Assessor (QSA) – to carry out the on-site audit, or complete the Self Assessment Questionnaire (SAQ), depending on your business' PCI level. The QSA will discuss the outcome of the audit or SAQ with your organisation, and certify your achievement of compliance if the audit has been successful.
     
    You should then confirm to your acquirer that you have achieved compliance. Your acquirer will, in turn, report your status to Visa and any other payment card systems.
     
    As well as being adequately protected against all associated business risks, you will be able to confirm your compliance in your own messaging and marketing collaterals.

    Staying compliant
    PCI DSS is intended to protect your business and customers against real data security risks – it is not a box-ticking exercise. By achieving compliance you can be sure that you are providing an acceptable level of protection, but it is equally important to ensure that this degree of protection is maintained long-term.
     
    To remain compliant, you will need to complete an on-site audit every year, and a Vulnerability Scan every quarter.
     
    We also recommend that you put business processes in place to maintain compliance, including:

    • Reviewing your access control policy regularly
    • Integrating Vulnerability Scans into your regular business routine
    • Ensuring that any new systems or applications are fully compliant
    • Creating procedures to make sure your anti-virus systems are regularly updated
     
    You should also ensure that your service providers continue to be PCI DSS compliant. One way to do this is to incorporate relevant clauses into your contracts with them. It is advisable to make it business policy to avoid dealing with service providers or business partners that are not working towards compliance, or are unwilling to comply with PCI DSS.



General security information

    • You must not store Sensitive Authentication Data (SAD) after authorisation even if it is encrypted.  This includes full magnetic stripe data, three- or four-digit security codes and PIN/PIN block information. If you do not need the data, do not store it.
    • You must not use card and verification details for any purpose other than completing the card transaction.
    • You must not pass this information to anyone else, except for the purpose of helping you to complete the card transaction.
    • You are only allowed to keep a separate record of the card number and expiry date, if both these conditions apply:
      • You have the specific agreement of the cardholder, and
      • You are only going to use this information to help with future transactions, such as recurring payments, or new orders where you believe further orders are likely.
    • You must give Streamline current progress updates about your own PCI compliance when asked, so we can update Visa and MasterCard. Failure to supply this information could lead to receiving card scheme-imposed fines for non-compliance.
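As an added illustration of the first rule above (this is not part of Streamline's instructions), the following Python script scans a constructed sample of post-authorisation transaction records for the SAD elements the page names: full magnetic stripe (Track 1 and Track 2) data, card security codes and PIN blocks. The record layout and field names are assumed; a PAN with expiry date alone is reported as clean, since the page permits keeping it under the conditions stated.

```python
import re

# Constructed sample of a merchant's post-authorisation transaction store
# (not real data; the PANs are well-known test numbers). One record per line.
SAMPLE_RECORDS = [
    "txn=1001 pan=4111111111111111 exp=1226 auth=OK",  # PAN + expiry only: not SAD
    "txn=1002 track2=4111111111111111=12261011234567890 auth=OK",  # Track 2: SAD
    "txn=1003 pan=5555555555554444 cvv2=123 auth=OK",  # security code: SAD
    "txn=1004 pan=4111111111111111 pinblock=0123ABCD89EF4567 auth=OK",  # PIN block: SAD
    "txn=1005 track1=%B5555555555554444^DOE/JOHN^12261011234567890? auth=OK",  # Track 1: SAD
]

# Track 2 as read from the stripe: PAN, '=' separator, YYMM expiry, service code, discretionary data.
TRACK2_RE = re.compile(r"\b(\d{13,19})=\d{7}\d*\b")
# Track 1 format B: %B, PAN, ^NAME^, YYMM expiry.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}")
# Card security codes and PIN blocks stored as labelled fields (field names are assumed).
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|cav2)\s*=\s*\d{3,4}\b", re.I)
PIN_RE = re.compile(r"\b(?:pin|pin_?block)\s*=\s*[0-9a-f]{16}\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn check; drops numbers that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sad(record: str) -> list[str]:
    """Return the kinds of Sensitive Authentication Data present in one record."""
    found = []
    if any(luhn_ok(m.group(1)) for m in TRACK2_RE.finditer(record)):
        found.append("track2")
    if any(luhn_ok(m.group(1)) for m in TRACK1_RE.finditer(record)):
        found.append("track1")
    if CVV_RE.search(record):
        found.append("security_code")
    if PIN_RE.search(record):
        found.append("pin_block")
    return found


def scan(records: list[str]) -> dict[str, list[str]]:
    """Map each record id (its first field) to the SAD it stores; clean records are omitted."""
    return {rec.split()[0]: find_sad(rec) for rec in records if find_sad(rec)}
```

Any record the scan reports is one that must be purged and whose source (till software, gateway integration, log configuration) should be corrected so the data is never written after authorisation.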
