Credit Card Terminals

February 14th, 2014

Credit Card Terminals – Watch Out For And Eliminate Unnecessary Additional Cost

Retailers must ensure that the terminals that accept and process credit and debit card payments are PCI (Payment Card Industry) compliant. For the vast majority of CSNA members, this compliance is relatively easy to obtain. We are aware that some other providers (AIB Merchant Services, Elavon, Streamline) impose financial penalties for non-compliance.

To help you avoid these charges (there is already a charge for compliance), we are providing a Q&A from Streamline. If you are not a Streamline customer, there are similar actions that you can take to avoid these additional charges, and we suggest you contact your existing supplier for further details.

PCI FREQUENTLY ASKED QUESTIONS

Why are we being asked to validate PCI DSS compliance?

PCI DSS compliance is a mandatory requirement of the Card Schemes and forms part of your Terms & Conditions. It is the merchant’s responsibility to protect themselves and their customers against those who try and obtain cardholder data for fraudulent or criminal purposes.

These requirements state that all businesses that store, process or transmit payment cardholder data need to achieve PCI DSS compliance – even if payments are outsourced. You have 60 days to certify compliance with this programme from the date stated on your letter. Streamline will also impose a monthly non-compliance fee on merchants who are unable to certify compliance through the Streamline Compliance Management Programme.

Who mandates PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of comprehensive requirements for enhancing payment account data security. The founding members of the PCI Security Standards Council (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa International) developed the standard to help facilitate the broad adoption of consistent data security measures on a global basis.

What are the risks should PCI DSS compliance not be validated?

PCI DSS is a mandatory requirement that merchants must adhere to. Your card Acquirer Streamline can be fined by the Card Schemes for its merchants’ non-compliance and will look to pass these fines on as part of merchants’ Terms & Conditions. Failure to comply with PCI DSS may also leave your business more vulnerable to the possibility of a data compromise – a breach of sensitive data. You have 60 days to certify compliance with this programme from the date stated on your letter. Streamline will also impose a monthly non-compliance fee on merchants who are unable to certify compliance through the Streamline Compliance Management Programme.

What is the Streamline PCI DSS Compliance Management Programme?

It’s a programme introduced by Streamline to ensure that all merchants validate compliance with the Payment Card Industry Data Security Standard (PCI DSS). Streamline has developed the Streamline PCI DSS Compliance Management Programme in association with its security partner Trustwave, a leading provider of on-demand and subscription-based information security. As a Streamline customer you will have access to a straightforward online programme that will help you take the steps required for self-assessment against this data security standard.

What do we need to do?

You are required to demonstrate your compliance with PCI DSS. This process is called “certification” (or “validation”) for PCI DSS. While the certification process can be complicated, Trustwave provides an efficient set of tools as part of the TrustKeeper portal to help guide you through the process:

  1. Follow the steps at streamline.com/pcidss and be guided to Trustwave’s TrustKeeper portal. Once there simply click the “Get Started” button to begin the registration process.
  2. Once registered, TrustKeeper’s step-by-step PCI Wizard will walk you through a self-assessment interview. This will ask you about how your business handles and protects your customers’ credit card information.
  3. TrustKeeper will use the information you provide to fill out the PCI certification form (also called the PCI Self-Assessment Questionnaire or SAQ), which you will then have the opportunity to review and submit.
  4. Merchants who trade on-line may also be required to complete a “network vulnerability scan” (IP scan) to help ensure your store or website is safe from internet hackers. If this applies to you, TrustKeeper will also guide you through this process. The TrustKeeper scan will be carried out monthly on up to 10 IP addresses and a further 12 ad-hoc scans are available as and when required.
  5. Take any actions that may be required in order to achieve compliance.

What are the charges?

PCI Annual Management Fee

€36.99 per company. All merchants will be charged this fee regardless of whether they register as compliant or not. This fee reflects the management of their compliance, along with initial and on-going costs of implementing the programme and ensuring that the merchant has a mechanism to validate their compliance. Merchants can avoid this charge if they upload their compliance certification from another QSA in the given timeframes.

Additional charges (not applicable to all merchants)

  • IP scan fee (if required) – €42.99 per year per company. This reflects the charge which is passed on to us by Trustwave for each IP scan.
  • Additional outlet fee (Multiple outlets only) – €17.99 per outlet (Capped at 10 outlets). This charge is applied at outlet level to any merchant which has multiple outlets under a company. This charge reflects the additional administration charges associated with boarding each merchant ID.
  • Non-compliance fee – €11.99 per month at company level (only relevant for merchants who do not register as being compliant via the portal). This fee reflects (1) the additional cost and effort involved in us getting the merchant compliant; (2) the exposure to our business of processing payments for a merchant/business that is not certified as compliant; and (3) the increased possibility of the occurrence of a data compromise.
  • Verbal Assessment charge – €24.99 per company. Merchants who do not have internet access can contact Trustwave who will talk them through a version of the SAQ. This charge reflects the administration charge incurred as a result of this.

How can Streamline justify these charges?

The fees reflect the initial and on-going costs of managing your compliance to enable you to achieve the security standards required by the PCI Security Standards Council. We have worked with Trustwave to ensure that we have a programme that doesn’t expose you to high costs as seen from other Acquirers.

For a small annual fee, you will receive access to:

  • The PCI Wizard, a smart, dynamic tool to help guide your unique business through the entire PCI certification process, filling out the PCI certification form (the Self-Assessment Questionnaire or SAQ) on your behalf
  • TrustKeeper’s Security Policy Advisor for assistance with PCI DSS policy requirements and to support development of your own unique internal best practices
  • A vulnerability scanning engine that tests for more than 5,000 vulnerabilities, helping to ensure that data at your store or web site is safe from Internet hackers
  • Online support resources and a 24 hour free phone multi-lingual customer support desk 00800 4000 5200
  • The TrustKeeper Agent – an easy download that helps simplify your scanning requirements (if necessary) and provides on-going compliance monitoring for the system it is installed upon
  • Security Awareness Education (SAE) training module.
  • Certificate of compliance downloadable from TrustKeeper and a compliance banner that can be displayed on your website to show all visitors that you have achieved PCI DSS compliance. Documentation of your PCI DSS certification, and automatic reporting to your Acquirer or processor.
  • If you complete the questionnaire satisfactorily and undertake the actions required to make your business compliant through our Streamline PCI Portal, we will waive our right to pass on up to €43,000 of any subsequent fines and charges levied by the Card Schemes if your business suffers a single data breach. The waiver will be subject to certain conditions which will be available on the Streamline PCI Portal.

How do I stop receiving a non-compliance fee?

Merchants are required to undertake either of the following:

  • Upload their certificate of compliance from their chosen QSA to streamline.com/pcidss or
  • If they don’t have a QSA certification, log onto streamline.com/pcidss and use TrustKeeper to certify their compliance

Merchants must register and certify compliance at streamline.com/pcidss. They do this by visiting this website, registering and completing an assessment questionnaire.

Merchants must validate compliance by the 15th of the month in order not to receive a non-compliance charge for the month prior. (Charges are based from the middle of the month to the middle of the month, i.e. 15th Jan – 15th Feb.)

Who are Trustwave?

Streamline have chosen to partner with Trustwave, a leading provider of on-demand data security and payment card industry compliance management solutions to businesses and organisations throughout the world. Trustwave has helped thousands of organisations to manage compliance and secure their network infrastructure, data communications and critical information assets.

If we require help during the process who can we call or email?

Trustwave will be able to help you work through the compliance process should you get stuck. Please call the team on the internationally free number 00800 4000 5200 or email at worldpay@trustwave.com.
