Latest News
Storage of Data and Use of Agents Statement Insert May 09
• What is the Payment Card Industry Data Security Standard (PCI DSS)?
A- The PCI Data Security Standard is an alignment of Visa’s Account Information Security (AIS) and MasterCard’s Site Data Protection programmes. It is a global standard for cardholder account data protection across all parties in the card payment chain, which includes acquirers, third party processors and merchants.
• Why has this standard been introduced?
A- The card payment industry is concerned about the increasing number of incidents involving stolen cardholder account data. These thefts have resulted in merchants and financial institutions suffering fraud losses and unanticipated operational expenses, and in significant inconvenience to cardholders.
• How does PCI DSS apply to me?
A- PCI DSS applies to all entities that store, process or transmit cardholder data. The standard applies to manual processing and storage of cardholder data as well as to electronic methods of storage.
PCI DSS compliance applies to a merchant’s overall environment (including any third parties used by the merchant that would store, process or transmit cardholder data). These third parties may include the following:
- Till and EPOS vendors
- Software Application Providers
- Payment Service Providers
- Data Storage Providers
- Web Hosting Providers
- Shopping Cart Providers
- Software Vendors
• What do I have to do to become compliant?
A- According to your merchant level you will either have to complete an annual Self Assessment Questionnaire (SAQ) or an annual on-site security audit. The SAQ is primarily aimed at small to medium businesses as a way to demonstrate compliance; you may want to engage the help of a Qualified Security Assessor (QSA), but this is not mandatory. On-site security audits have to be validated by a QSA.
In addition, if you have an e-commerce presence, you may have to complete quarterly network scans, which have to be validated by an Approved Scanning Vendor (ASV).
• Where can I find more information about this standard and about Qualified Security Assessors / Approved Scanning Vendors, and where can I get the Self Assessment Questionnaires from?
A- Through the dedicated PCI Security Standards Council website (PCI Security Standards).
• How do I know which Self Assessment Questionnaire (SAQ) applies to me?
A- The type of questionnaire you will need to complete depends on how you take payments: whether your business uses the hosted payment page provided by your third party payment service provider (PSP) to accept card payments, or whether you store cardholder data on your own systems. To find out more about which SAQ applies to your business and to download the SAQ documentation, please see the PCI DSS Self Assessment Questionnaires.
• This is the first time I have heard about this; how does this affect me?
A- LTSB Cardnet has previously communicated with all its merchants via statement messages and inserts over the last few years, and high-level detail is in our Operating Manual. Merchants within the Card Scheme-defined Levels 1 & 2 (merchants doing in excess of 1 million Visa or MasterCard transactions annually) and Level 3 (more than 20,000 Visa or MasterCard e-commerce transactions annually) have already been contacted, and we are liaising with these merchants individually.
For merchants operating in an e-commerce environment where cardholder information is retained, we would recommend working toward this standard to protect your business and your customers.
• What risk is my business exposed to by not complying with PCI DSS?
A- By implementing and maintaining compliance with these requirements, you will be taking an important step towards protecting your customers’ information from potential hacking and fraud.
• What should I do if I suspect compromise of cardholder information?
A- In the event that card transaction data is accessed or retrieved by any unauthorised entity, please notify us immediately by calling the Cardnet Helpline on 01268 567100. This will not only minimise risk to the payment system but, more importantly, protect your customers. Systems and procedures are in place to immediately stop the unauthorised use of compromised data, but they are effective only when you do your part by promptly reporting a security incident.