PCI DSS compliance and our Takeaway Ordering Websites

If you have taken one of our takeaway ordering websites, a payment gateway from Worldpay, a PDQ terminal or an internet connected EPOS to take card payments in your shop you will have received or will receive an invoice from Worldpay for £29.99 plus VAT (£35.99 in total). This invoice will be for PCI DSS services.

We also receive these invoices for our Worldpay gateways for CheapTakeawayWebsites.com and CheapTakeawayMenus.com. Due to increased standards in security, particularly when it comes to personal and financial information, mandatory compliance with data security requirements has become all the more important and necessary.

We were keen to find out more about what this payment is for so we carried out some detailed research and confirmed our findings with our contacts at Worldpay. We have collated the information and you will find it presented below. It’s worth noting that these regulations may change at any time so it is important to keep yourself informed.

So what is PCI DSS?

PCI DSS stands for “Payment Card Industry Data Security Standards” and is controlled by the PCI SSC which stands for “Payment Card Industry Security Standards Council”. You can find more information about them and what they do here.

PCI DSS is the set of rules implemented by the PCI SSC which govern the payment card industry worldwide. PCI DSS is a set of consistent data security measures around the world which is used to reduce credit and debit card fraud. It is for the benefit of all merchants (i.e. takeaway owners), the card suppliers (the bank that supplies the debit card or the institution that supplies the credit card) and the end user of the cards to protect everyone from their fraudulent use.

It is used to protect the card information (card number, card owners name, card owners address and the three digit CVV security code on the back of the card) while the information is being collected, stored by any merchant and transferred for authorization with the financial institute.

Who are the PCI SSC?

This is the body that controls the PCI DSS and was set up on 15th December 2004 by the five major card suppliers (Visa, MasterCard, American Express, Discover and JCB) who combined their individual policies to form the first standardized set of policies version 1.0 of the PCI DSS.

Why do we need PCI DSS?

Simply… to protect your business from credit and debit card fraud.

Why do we have to pay for PCI DSS?

PCI DSS Version 3.0 came into effect on 1st January 2015. In the old version 2.0 the type of gateway (redirect gateway) we used on our sister site CheapTakeawayMenus.com and our takeaway ordering websites did not require any PCI DSS compliance from merchants; everything relating to PCI DSS was taken care of on the merchants’ behalf by the gateway provider Worldpay. In the new version of PCI DSS, version 3.0, ALL merchants on all types of gateways including “redirect gateways” must but be part of the PCI DSS process.

Why aren’t PayPal charging us for PCI DSS?

PayPal’s gateway is also a “redirect gateway” but PayPal handle all the PCI compliance and our website does not require compliance with PCI DSS. This is because PayPal already have the customer’s payment info stored in their system so when someone uses the PayPal gateway they sign into the PayPal gateway for PayPal to access their account details with the stored payment methods. So there is absolutely no collecting, storing or transferring of any card information.

In short PayPal take full responsibility for PCI compliance. As the Worldpay redirect gateway takes the payment data every time a transaction is processed merchants must be part of the PCI compliance process.

Can we use one of the other types of gateways?

At present no you cannot. The other types of gateways will require a higher level of security on the takeaway websites, the hosting where the websites are stored and a generally more in-depth level of PCI DSS compliance. If companies like Sony, Microsoft and Apple fail to protect their websites from hackers we feel that we are better off not storing any payment on our takeaway websites and for the foreseeable future will keep using a redirect gateway so Worldpay are responsible for the security of the data.

Do the takeaway ordering websites need the security scans and testing like the other gateway types?

No, unlike the other types of gateways available the gateways we use on the takeaway ordering website do not require any security scans or testing. But the PCI DSS compliance forms must be submitted every year as part of the compliance process.

Why does my PDQ Terminal require PCI DSS compliance?

Because you use it to collect and transmit the payment card information to the financial institute for approval your terminal requires PCI DSS compliance. Small merchants are prime targets for data thieves. It’s your job to protect cardholder data at the point-of-sale.

What are the implications of PCI DSS for my business?

Every year you must ensure that your businesses website, PDQ machines and EPOS equipment are PCI Compliant by filling in a self-assessment form, by emailing CheapTakeawayWebsites.com or by telephoning Worldpay to give them the information required for compliance. See below for more information on what to do.

How much does it cost?

Every website, terminal and EPOS will required to be PCI DSS compliant and WorldPay have set their fees at £29.99 + VAT per year per merchant to cover all the gateway connections (SAQ A, B, C and CVT below). This is payable in January every year while you require compliance. This MUST be repeated every year.

All merchant customers are charged this fee regardless of whether they register as compliant or not. This fee reflects the management of their compliance, along with initial and ongoing costs of implementing the programme and ensuring that the customer has a mechanism to validate their compliance.

This will be collected with your regular monthly direct debit payments made to Worldpay. If you have been charged for more than one instance of £29.99 +VAT this is in error, please contact Worldpay to rectify this.

What if we do not become compliant?

If you fail to become compliant within the first three months of your connection of the website or terminals you will be penalised £9.99 +VAT per month per merchant. You are also running the risk of fines and losses due to card fraud being made against your business.

How does your business become compliant?

You can phone Worldpay, fill in the forms yourself and send them to Worldpay or email CheapTakeawayWebsites.com with the info listed below:

• 1 By Phoning Worldpay – You can phone Worldpay on 08458740110 with your merchant id number ready and someone from the compliance team will help you to complete the forms. If you have difficulty please email CheapTakeawayWebsites.com with the info listed below so we can deal with this on your behalf.
• 2 By Emailing CheapTakeawayWebsites.com – Alternatively our customers can email info[at]cheaptakeawaywebsites.com with your full name, business name, business address and your merchant ID number and with your permission we can forward these to the PCI team at Worldpay on your behalf to complete the assessment on your behalf.
• 3 Fill the form yourself – Select the correct form depending on the compliance you require. You can check the type of PCI compliance you require from the below options. Once you have successfully completed your SAQ form you need to submit to the Payment Security Team mailbox at paymentsecurity@worldpay.com

Which Form do you use, or which type of PCI DSS do the websites require?

Our takeaway ordering websites require you to use the SAQ A V3 form:

SAQ A V3
Outsource all Cardholder Data (CHD). Card not present, transactions only – all card processing outsourced & no Card Data ever seen.
• Card not present
• No Card Data on premises – all outsourced
• Third party is PCI DSS compliant – i.e. Worldpay who are PCI compliant
• No Electronic Storage of CHD
• Download SAQ A
Which type of PCI DSS do the PDQ terminals require?
If the terminal uses the telephone line and not the internet use SAQ B V3 form.
SAQ B V3
Imprint or standalone dial-out terminals only.
• Imprint machine or Standalone, dial-out terminal only
• Dial-out terminals not connected to the Internet or any other systems
• Dial-out terminals not connected to the Internet, connected via phone line to your processor or Acquirer
• No CHD over the Internet
• Only paper records retained (e.g. merchant copy of receipt with full Card number)
• No electronic storage of CHD
• Download SAQ B
If the terminal uses the internet and not the telephone line use SAQ C-VT V3 form.
SAQ C-VT V3
Virtual terminals only. Web-based virtual terminals only, no electronic CHD storage.
• Third party hosted virtual terminal only, accessed by an Internet connected web browser
• Merchants computer not connected to any other systems within environment
• Isolated in a single location, not connected to other locations or systems within environment (can be achieved with network segmentation)
• Virtual terminal solution provided and hosted by PCI DSS validated service provider
• No software installed or hardware attached to merchant computer that captures or stores CHD
• Only paper is retained
• No electronic storage of CHD
• Download SAQ C

Which type of PCI DSS do EPOS terminals connected to the internet require?

If you have an EPOS (electronic point of sale equipment) that is connected to the internet to take payments via a terminal use SAQ C V3 form.

SAQ C V3
Internet connected payment application. POS or payment system connected to the Internet, no electronic storage of Card Data.
• POS or payment system and Internet on same device
• POS not connected to any other systems
• Single store location
• Only paper records retained
• No Electronic Storage of Card Data
• POS vendor provides support
• Download SAQ C
Click to get more info on the SAQ forms

Are the fees remaining the same?

Both MasterCard and Visa are about to change the fees for using debit cards from the set transaction fee to a small percentage with a maximum cut off transaction fee of “x”. Unfortunately we or Worldpay do not know what this new fee will be until Visa have finalised it. We will keep you informed when we know more. We understand the new fees will be available soon and we will keep you informed.

Leave a Reply

Your email address will not be published. Required fields are marked *