PCI/DSS Compliance for Actinic

Notice

A number of our clients have requested information regarding PCI DSS compliance. The following details and explanation are taken from the Actinic website, with amendments relevant to CBN's clients. Please note that different banks have taken differing 'interpretations' of the standards. The cynical amongst us may interpret that as being where they wish to favour their own products to the exclusion of others. Actinic uses CreditCall, one of the largest Payment Service Providers (PSPs) in the world.
PCI DSS Compliance

The responsibility for PCI DSS compliance rests with individual merchants and lies between them and their card acquirer. Actinic recommends that merchants use the PCI DSS Level 1 certified Actinic Payments PSP service, or another compliant PSP service, to capture and process credit card details.

In respect of CBN's hosting provided by Service Centre, and of all Actinic Catalog, Business and Enterprise web stores, whether hosted with Actinic or a third party web host, we can confirm that:

Many Payment Service Providers integrated with Actinic are accredited with PCI DSS. Merchants should discuss this with any service provider that they are contemplating using to ensure full compliance. Merchant web sites hosted on either Actinic or CBN servers are fully PCI DSS compliant provided that they use a Payment Service Provider that is itself fully PCI DSS compliant and the card details are captured at the payment provider's servers.
What is PCI DSS?

Security of payment card data is crucial in the online world. The standard to protect card data is the Payment Card Industry Data Security Standard (PCI DSS). This is a joint venture between Visa and Mastercard, supported by all banks. Compliance with this standard is compulsory for all merchants who accept payment cards. You must be PCI DSS compliant if you handle, process or store payment card details, either on computer or on paper. There are severe penalties if card information is compromised as a result of non-conformance with PCI DSS. As part of your agreement with your acquirer, you agree to these penalties.

You can become PCI DSS compliant in one of two ways. Firstly, you can become compliant yourself. In practice, this is rather complicated, difficult and expensive. Requirements include physically restricting access to cardholder data; using security measures that are not Windows-standard; and defining, implementing and monitoring security procedures that meet specific required standards. For the majority of small businesses, achieving compliance will probably not be practical or cost-effective.

Alternatively, you can have your customers and staff enter card details only into sites and systems supplied by a third party who are themselves PCI DSS compliant. Even if your buyer enters their payment details into a page at your web site and passes them to a PCI DSS compliant PSP, your web site must still be fully PCI DSS compliant, as you are collecting the card details and passing them on. This is because any compromise of your web site would lead to a rogue third party being able to acquire the card details.

The Creditcall infrastructure (which powers Actinic Payments) has been accredited by qualified security assessors to the highest possible standard available under the PCI DSS scheme. Therefore, using Actinic Payments ensures that all servers where you or your customers key in payment card details are PCI DSS compliant.
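The scoping point above (card details keyed in on the PSP's servers, versus collected on, or passed through, the merchant's own site) can be checked mechanically from the checkout page's HTML. The script below is an added example and is not Actinic's or CBN's code; the sample checkout pages, the host names shop.example and psp.example, and the list of field-name hints are constructed assumptions. It classifies a page by where its card-data fields are sent, and goes slightly beyond the text by also separating the direct-post case (card fields on the merchant's page posting straight to the PSP), which the text still treats as in scope because the merchant's page is collecting the details.

```python
"""Classify a merchant checkout page by where cardholder data is entered and sent.

Added example, not Actinic's or CBN's code. The sample pages, host names and
field-name heuristics are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Heuristic markers for cardholder-data inputs (an assumption for this example,
# not an exhaustive list): substrings of the input's name, or the HTML
# autocomplete tokens browsers use for payment cards.
CARD_NAME_HINTS = ("cardnumber", "card_number", "ccnumber", "cvv", "cvc",
                   "expiry", "exp_month", "exp_year")
CARD_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year"}


class _FormScanner(HTMLParser):
    """Record each <form>'s action and the card-data inputs it contains."""

    def __init__(self):
        super().__init__()
        self.forms = []      # [{"action": str, "card_fields": [str, ...]}, ...]
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "card_fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select") and self._current is not None:
            name = a.get("name", "").lower()
            auto = a.get("autocomplete", "").lower()
            if (auto in CARD_AUTOCOMPLETE or name == "pan"
                    or any(h in name for h in CARD_NAME_HINTS)):
                self._current["card_fields"].append(a.get("name") or auto)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify_checkout(page_url, html):
    """Return one of three labels for the merchant page at page_url:

    "psp_hosted"   - no card fields on the merchant page; the customer keys the
                     card in on the PSP's own servers (the arrangement the text
                     calls compliant when the PSP itself is PCI DSS compliant);
    "direct_post"  - the merchant page carries card fields whose form posts to a
                     different host (the PSP); the merchant is collecting the
                     details and remains in scope even though its server never
                     receives them;
    "pass_through" - card fields post to the merchant's own host, which then
                     forwards them; a compromise of that server exposes the
                     card details, so the merchant is fully in scope.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    merchant_host = urlsplit(page_url).hostname
    destinations = set()
    for form in scanner.forms:
        if not form["card_fields"]:
            continue
        # An empty or relative action resolves against the page URL, i.e. back
        # to the merchant's own server.
        destinations.add(urlsplit(urljoin(page_url, form["action"])).hostname)
    if not destinations:
        return "psp_hosted"
    if merchant_host in destinations:
        return "pass_through"
    return "direct_post"


# Constructed sample pages (not taken from any real store).
PASS_THROUGH_PAGE = """<form method="post" action="/checkout/pay">
  <input name="cardNumber" autocomplete="cc-number">
  <input name="expiry" autocomplete="cc-exp">
  <input name="cvv" autocomplete="cc-csc">
</form>"""

DIRECT_POST_PAGE = """<form method="post" action="https://psp.example/direct">
  <input name="pan">
  <input name="cvc">
  <input type="hidden" name="order_ref" value="ORDER-1234">
</form>"""

PSP_HOSTED_PAGE = """<form method="post" action="https://psp.example/hosted-page">
  <input type="hidden" name="order_ref" value="ORDER-1234">
  <input type="hidden" name="amount" value="19.99">
</form>"""

if __name__ == "__main__":
    for label, page in [("pass-through", PASS_THROUGH_PAGE),
                        ("direct post", DIRECT_POST_PAGE),
                        ("PSP hosted", PSP_HOSTED_PAGE)]:
        verdict = classify_checkout("https://shop.example/checkout", page)
        print(f"{label:12s} -> {verdict}")
```

Only the "psp_hosted" result matches the arrangement the text describes as letting the merchant rely on the PSP's compliance; the other two results mean the merchant's own site is collecting card details and the full standard applies to it. The field-name matching is a heuristic and will miss fields with unusual names, so treat a "psp_hosted" result as a prompt to confirm by inspection rather than as proof.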
Please contact Actinic's sales team if you wish to see a copy of Creditcall's PCI certificate.

Please note that there is some disagreement between the banks and security companies as to whether a company is compliant if they use a compliant payment service provider (PSP) such as Actinic Payments powered by Creditcall. Royal Bank of Scotland/Natwest/Streamline and HBOS have made clear statements that a merchant can depend on the compliance of their PSP. We are in the process of trying to obtain similar statements from other banks. If you are concerned, contact Actinic and we should be able to arrange for you to move to one of the banks with a straightforward and pragmatic policy in this area, and in some cases you will receive reduced rates at the same time.

For more information on PCI-DSS: