What PCI DSS means, to you and to us.
What is PCI DSS?
PCI DSS is a set of standards and procedures set up by the major card providers such as Mastercard and Visa,
which must be followed by merchants and all others who transmit, store, process and dispose of credit and debit card data.
PCI DSS stands for Payment Card Industry Data Security Standards, designed to reduce card fraud.
What does PCI DSS mean to you?
It is designed to allow you to use your card with confidence and security, whether online, over the phone, or in a shop.
Merchant compliance should reassure you that your card data will not be stolen, left carelessly lying about,
thrown in the bin without being securely shredded or incinerated, or left on an insecure computer.
What does PCI DSS mean to us?
To achieve compliance, strict procedures must be followed at every stage your card data passes through:
your data must be encrypted at all times, from entry onto online order forms, during transmission over the internet,
and while temporarily stored on any computer.
Access to your data must be restricted to authorised personnel only; it must be stored
securely while needed, and paper copies must then be destroyed by shredding or incineration.
We had to fill in a huge SAQ (Self-Assessment Questionnaire), held on record by our Merchant provider.
We also had to have external automated scans on our outward facing computers (e.g. webserver) which are repeated regularly.
The scan is very thorough, and simulates attempts by a hacker to break into and take control of that computer,
or obtain sensitive information.
What are and were the target dates for PCI DSS compliance by merchants?
The date for PCI DSS compliance was 31st December 2008; we believe we were compliant then.
We have taken cards online since 1998 and had no security compromises.
Our Merchant Services provider (was Bank of Scotland, is now Streamline/Worldpay through FSB)
required us to register PCI DSS compliance by 31st March 2010.
Has Elmbronze Ltd (trading as Totally Herby of Scotland) formally registered PCI DSS compliance?
Yes (Dec 2009). We're pleased our first test scan (a half-hour of continual server bombardment)
showed only 3 low risk failures, two secured by our hidden multi-layer security, the third a theoretical exposure,
with no known incidences worldwide of actual exploits.
We made immediate changes, passing the qualifying scan two hours later.
Our PCI DSS (and Data Protection) controller is a family member,
with 28 years in DP/IT up to year 2000, in banks and financials, and IBM as well as manufacturing.
The questionnaire is more suitable for a multi-national corporation, but your card data needs to be handled
just as securely by a family business as by a large one.
Compliance lasts a year before it has to be renewed,
but can be revoked at any time by the acquiring merchant bank.
We review security constantly.
Please also visit our privacy