How to Take On-Site Payments and be PCI DSS Compliant
Video
Commusoft integrates seamlessly into SumUp, the leading online payment solution.
SumUp is poised to become the first ever global card acceptance brand and is currently available in 15 markets. The company has also developed a full suite of SDKs and APIs for third parties to integrate card payments into their mobile apps, as is exemplified by our partnership with Commusoft.
What is PCI DSS compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for companies that use credit cards from major card schemes including Visa, MasterCard, American Express, Discover, and JCB. The PCI DSS is managed by the card brands and administered by the Payment Card Industry Security Standards Council. The standard was created to increase cardholder data control and to reduce fraud, and your acquirer requests compliance. The standard is composed of a set of detailed requirements that you should fulfil. It consists of six main areas, which are:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Monitor and test networks
- Maintain an information security policy
The standard is quite broad considering all the available ways of managing payments. Therefore, select requirements may not apply in certain cases. Or else, they are taken over by the third parties, like SumUp.
You can prove the compliance with the standard by annual self-assessments or on-site audits depending on the merchant level. More on this later.
How does it affect you?
Jason:
I’ve spoken to many clients in the last year or so who all take credit cards to secure bookings. The big problem is that they do it improperly. Writing it down on paper, storing it in the ‘notes’ field or scribbling it on the top of a job sheet are all ways of getting your business in serious trouble.
PCI DSS compliance is something all businesses need to go through if they intend to accept credit cards. So many businesses ‘tick the boxes’ as PCI DSS compliant but don’t follow the guidelines, and you could be at serious risk of being fined and having your merchant facilities revoked.
Now that we now that we’re all concerned, could you both tell us how you get compliant?
Christine:
First, you have to know which level you are, as defined by each credit card brand. Your level depends on the number of transactions made with the card type. Each level has its compliance validation requirements, and they are articulated on the card scheme’s website.
You can check out Visa’s PCI compliance statement here.
Therefore, SumUp is within level 1 for Visa and goes through annual on-site assessments conducted by approved auditors.
It’s also useful to contact your acquirer bank and inquire with them directly. Depending on your level, you’ll have a specific self-assessment questionnaire (SAQ) to submit for your company, which is a survey asking if you fulfilled all the relevant requirements. There are five kinds of SAQs: A through D. Your SAQ will depend on several factors, like whether you store cardholder information, accepts cards in-person or online, whether you use your payment system or a third parties’, etc.
You may also have to pass a vulnerability scan by a PCI SSC Approved Scanning Vendor (ASV)
You may also have to pass a vulnerability scan by a PCI SSC Approved Scanning Vendor (ASV), depending on your SAQ. ASVs are organisations that validate adherence to certain DSS requirements by performing vulnerability scans (to check for cross-site scripting, SQL injection, and remote file inclusion, for example) of Internet-facing environments of merchants and service providers. Finally, complete the corresponding Attestation of compliance, and submit everything together: the SAQ, evidence of passing the ASV scan (if applicable), the Attestation of compliance, and any additional documentation your acquirer may request.
Again, using a verified third party payment processor, like SumUp, eliminates this workload as it covers the vast majority of its merchants for PCI DSS compliance (except under rare circumstances where a trader is processing colossal volumes). The merchant must in turn respect the payment provider’s terms and conditions.
Learn more about PCI DSS compliance here.
Jason:
You can now store a card against a customer, ready to charge the client at a later date. Commusoft stores the card details securely in line with PCI DSS compliance. Commusoft app connects via Bluetooth with the SumUp card payment terminal. It’s simple to use and will take payment in seconds! All services SumUp and Commusoft provide are compliant and assessed.
How does PCI DSS compliance benefit your business?
Christine:
There are many advantages to being PCI DSS compliant:
- Peace of mind: you can rest easy knowing you’ve done everything possible to protect your customer’s payment information.
- Establish a reputation as trustworthy: you can advertise that you comply with the highest industry security standards, passing the peace above of mine onto your customers. Of course, this helps grow your customer base – and profits.
- Avoid penalties: the card brands may fine an acquiring bank $5,000 to $100,000 per month for PCI DSS compliance violations. The banks will most likely pass the fine along to the merchant and may terminate your account as a result.
How do Commusoft and SumUp integration push bigger businesses to allow payment on-site from engineers’ mobiles?
Jason:
Firstly, if you’re struggling to keep track of payments, then taking a payment from the site should help you reduce your debtors days and improve cash flow.
Commusoft has made storing cards simple. When your engineers complete the job on their Android phone, they can now take payment straight away using SumUp on their Commusoft app. That will allow you to receive payments for invoices upon completion, on-site!