How to Take On-Site Payments and be PCI DSS Compliant
PCI compliance? Learn what it means and how to become PCI compliant with SumUp.
SumUp is a card acceptance company currently available in 15 markets. They have created a unique device that allows small merchants to accept card payments anywhere: all a merchant needs to start is a smartphone and a tiny SumUp card reader. The company has also developed a full suite of SDKs and APIs for third parties to integrate card payments into their mobile apps, as exemplified by their partnership with Commusoft. Commusoft integrates seamlessly with SumUp, the leading online payment solution, on both Android and iOS.
What is PCI compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for companies that use credit cards from major card schemes including Visa, MasterCard, American Express, Discover and JCB. The PCI DSS is managed by the card brands and administered by the Payment Card Industry Security Standards Council. They created the standard in order to increase cardholder data control and to reduce fraud. As a result, you should fulfil a set of detailed requirements if you want to gain PCI compliance. There are six conditions:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Monitor and test networks
- Maintain an information security policy
The standard is quite broad, since it must cover all the available ways of managing payments, so some requirements may not apply in your particular case. Others can be handled on your behalf by a third party such as SumUp.
You can prove your PCI compliance through annual self-assessments or on-site audits, depending on your merchant level.
How does it affect you?
“I’ve spoken to many clients in the last year or so who all take credit cards to secure bookings. The big problem is that they do it improperly. Writing it down on paper, storing it in the ‘notes’ field or scribbling it on the top of a job sheet are all ways of getting your business in serious trouble. PCI compliance is something all businesses need to go through if they intend to accept credit cards. So many businesses ‘tick the box’ as PCI DSS compliant but don’t follow the guidelines. This means they could be at serious risk of being fined and having their merchant facilities revoked.”
Jason Morjaria, Commusoft founder
Now that we’re all concerned, could you tell us how to gain PCI compliance?
“First, you have to know which level you are as defined by each credit card brand. Your level depends on the number of transactions made with each card type. Every level has its compliance validation requirements and they are articulated on the card scheme’s website. Let’s take a look at Visa’s. As a result, SumUp is within level 1 for Visa and goes through annual on-site assessments conducted by approved auditors.”
“It’s also useful to contact your acquirer bank and inquire with them directly. Depending on your level, you’ll have a specific self-assessment questionnaire (SAQ) to submit for your company, which is a survey asking whether you fulfilled all the relevant requirements. There are five kinds of SAQs: A through D. Your SAQ will depend on several factors, like whether you store cardholder information, accept cards in person or online, or whether you use your own payment system or a third party’s, etc.”
Christine Lariviere, Products & Services, SumUp
You may also have to pass a vulnerability scan by a PCI SSC Approved Scanning Vendor (ASV)
To gain PCI compliance, you may also have to pass a vulnerability scan by an Approved Scanning Vendor (ASV), depending on your SAQ. ASVs are organisations that validate adherence to certain DSS requirements by performing vulnerability scans: they check the Internet-facing environments of merchants and service providers for weaknesses such as cross-site scripting, SQL injection and remote file inclusion, to name a few. Finally, you complete the corresponding Attestation of Compliance and submit everything together: the SAQ, evidence of passing the ASV scan (if applicable), the Attestation of Compliance and any additional documentation your acquirer may request.
Using a verified third party payment processor, like SumUp, eliminates this workload as it covers the vast majority of its merchants for PCI DSS compliance (except under rare circumstances where a trader is processing colossal volumes). The merchant must in turn respect the payment provider’s terms and conditions.
Christine Lariviere, Products & Services, SumUp
With Commusoft’s SumUp integration, you can store a card against a customer, ready to charge the client at a later date. Commusoft stores the card details securely in line with PCI compliance rules. The Commusoft app connects via Bluetooth to the SumUp card payment terminal, so it’s simple to use and will take payment in seconds! All services that SumUp and Commusoft provide are compliant and assessed.
How does PCI DSS compliance benefit your business?
According to Christine Lariviere, there are many advantages to being PCI DSS compliant:
- Peace of mind: you can rest easy knowing you’ve done everything possible to protect your customer’s payment information.
- Establish a reputation as trustworthy: you can advertise that you comply with the highest industry security standards, passing the peace of mind above on to your customers. Of course, this helps grow your customer base – and profits.
- Avoid penalties: the card brands may fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass the fine along to the merchant and may terminate your account as a result.
How does the Commusoft and SumUp integration push bigger businesses to allow payment on-site from engineers’ mobiles?
Jason Morjaria let us in on this small secret. Firstly, if you’re struggling to keep track of payments, then taking a payment right on site should help you reduce your debtor days and improve cash flow. Commusoft has made storing cards simple. When your engineers complete a job on their Android phone, they can now take payment straight away using SumUp in their Commusoft app. That allows you to receive payment for invoices immediately upon completion, on site!
Found this webinar useful? In addition to videos, we also have other resources available to you for free! Besides eBooks and checklists, guides and whitepapers, Commusoft publishes a weekly blog too. Here you can find top tips on how to improve your field service business, advice from experts and secret strategies that will put you ahead of the competition.