Any contact centre or merchant that takes payments by debit or credit card must comply with the Payment Card Industry Data Security Standard (PCI DSS), either directly or by using a compliant hosting provider that ensures PCI compliance on its behalf.
To be compliant, contact centres and other merchants must meet the 12 requirements of PCI DSS, a set of detailed security controls that protect payment card data. PCI DSS also requires all merchants and service providers to fully document the relevant processes and procedures they put in place.
What Documentation is Required?
Documentation is an integral part of the PCI DSS compliance programme. It must provide practical operational guidelines for anyone working with payment card data and support all applicable PCI requirements. This is the documentation you must put in place:
- Report on Compliance (ROC) – This form has to be completed by all Level 1 merchants that are undergoing a PCI DSS audit. A Level 1 merchant is one that processes over 6 million transactions per year. The ROC must be used to verify that the merchant being audited is compliant with PCI DSS standards.
- Self-Assessment Questionnaire (SAQ) – The PCI DSS self-assessment questionnaire (SAQ) is a validation tool intended to assist merchants and service providers that are permitted to self-evaluate their compliance. Merchants must complete the questionnaire every year and submit it to their acquiring bank.
- The 12 PCI DSS requirements – The PCI DSS requirements merchants must meet range from installing and maintaining a firewall and protecting stored cardholder data, to developing and maintaining secure systems and restricting access to cardholder data. Every one of the 12 requirements calls for documented evidence showing how it has been met.
- An Audit Trail – Merchants should document as much as they can about their processes and procedures, their network, their configuration and their approach, so as to create and maintain an audit trail they can refer to should a data breach take place.
- Incident Response Plan – It is advisable that all merchants put an incident response plan in place to document the processes that will be implemented if a breach takes place.
How Can PCI Pal Help?
PCI Pal is strictly audited and authorised by the major card schemes that comprise the PCI SSC, which means we’re fully approved to handle cardholder data for any size of business. The result is that all your PCI DSS compliance obligations are taken care of, leaving you to concentrate on growing your business. To discuss your specific requirements, please call our expert consultants or email [email protected] today.