Sage 200 - PCI DSS compliance for Sage 200

NOTE: This document has been produced as a general guide. You should seek specialist advice from your bank or payment card supplier to ensure that your business is compliant with the current regulations.

What is the PCI SSC?

The Payment Card Industry Security Standard Council (PCI SSC) is a group who manage the security standards and requirements for the use of payment cards and the data stored on them. At present, the council consists of the five major payment brands: Visa, MasterCard, American Express, Discover and JCB.

What is the PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is the security standard for companies that handle cardholder credit card and debit card information. Set by the PCI SSC, it ensures that companies who access and use cardholder data have adequate security to reduce the chance of payment card fraud.

PCI SSC only specifies the required standard of security. The individual payment card brands, such as MasterCard and Visa specify the thresholds of transactions that require either an external assessment or a Self-Assessment Questionnaire (SAQ).

Checking that the standards are followed is carried out annually by an external Qualified Security Assessor (QSA) for companies that handle a large volume of transactions. Companies that handle small volumes of transactions can validate their security via an SAQ.

So what does that mean for my business?

You may be asked by the bank that you use to handle your card payments to prove that you are compliant with the PCI DSS.

What you have to do to prove compliance depends on the volume of transactions that you handle and the software that you use to process card details. It may also depend on the requirements of the bank that you use to handle your online card payments.

More information about tools needed to validate compliance can be found on the PCI DSS website: https://www.pcisecuritystandards.org/security_standards/.

Self-Assessment Questionnaires (SAQs)

One of the tools needed to validate compliance is the SAQ form. SAQs are used by companies to self-assess their compliance to the PCI DSS. The PCI DSS 'SAQ Instructions and guidelines' document should be used to identify which SAQ applies to a particular environment.

Payment applications such as Sage Pay are only a small part of a company’s self-assessment. The SAQ covers other areas such as the company’s network, firewalls and password policy. The following information may be useful to Sage 200 customers when selecting and completing their Self-Assessment Questionnaire.

• Sage 200 does not store cardholder data.
• Sage 200 handles cardholder data but does not facilitate authorisation or settlement. The Sage 200 application is not eligible for validation under PA-DSS, according to the PCI security standards checklist ‘Applications Eligible for PA-DSS validation’.
• Sage Pay is a PCI DSS Level 1 payment service provider. The PCI DSS website lists all certified payment applications: https://www.pcisecuritystandards.org/security_standards/vpa/vpa_approval_list.html.
• If you use Sage 200 with integrated card payments, then your payment application (Sage Pay) is connected to another system in your environment.