Payment Gateways and PCI Compliance

As a merchant who accepts credit card details, your business must be PCI compliant. The scope of this is broad: it covers the security of your on-site credit card machines, whether you take credit card details over the phone, and the online element of your business.

Customers who use traditional payment gateways simply need to note, when filling out their PCI self-assessment questionnaire (or similar), that they do not store, process or transmit any credit card data. There are no further online costs associated with this.

Customers using one of our invisible payment gateways:

* Sagepay Direct (Protx Direct)
* HSBC Invisible
* Velocity Invisible

... should be aware that these methods count as transmitting credit card details (the card details are entered on, and sent from, your own site rather than the gateway's hosted page). As a result you are liable to pay for a quarterly scan from a PCI scanning company such as Security Metrics, Trustwave or similar.

For more information on becoming certified and remaining PCI compliant, you should contact a PCI Qualified Security Assessor (QSA).

Evolve Payment Gateway Integrations:

Evolve supports many payment gateways so that customers can accept credit card details in a fully PCI DSS compliant manner. Using Evolve with any of these payment gateways makes you a level 4 merchant; you may fill in PCI compliance questionnaires, but you are not required to do so.

PCI Standards Site
Link to the FAQ item covering PCI requirements for merchants who do not store, transmit or process any credit card details, e.g. if you use any of the payment gateways listed below.

Sagepay

(formerly Protx; including standard and direct)

Sagepay Security Policy
Certificate of Compliance

RBS Worldpay

Statement of Compliance

Secure trading

Statement of Compliance
Certificate of Compliance

Paypoint

(formerly Secpay)
Statement of Compliance
Certificate of Compliance

Paypal

(including standard and express options)
Statement of Compliance

Netbanx

Statement of Compliance

Velocity

A statement of PCI compliance could not be located.
Website

Barclaycard EPDQ

Statement of Compliance
Certificate of Compliance

Iridium

Website
Iridium are a subsidiary of DataCash:
Statement of Compliance
Certificate of Compliance

HSBC

Website
Statement:
Further to your query regarding HSBC Merchant Services' compliance towards the Payment Card Industry Data Security Standard (PCI DSS), I can confirm the following:

HSBC Merchant Services LLP is responsible for the security of cardholder data that HSBC Merchant Services LLP processes. HSBC Merchant Services is a Card Scheme member and as such, we have no specific mandatory date by which we need to be PCI DSS compliant.

However, as an entity we are already Sarbanes-Oxley compliant and meet various other standards. Compliance is achieved through a combination of:

* Internal audits of our systems against bank standards and procedures, using a specialist HSBC IT audit team.
* IT security reviews and checks of internal systems and networks.
* Use of KPMG (the Bank's internal auditors) to review our IT procedures and processes to ensure mandatory HSBC Merchant Services LLP compliance to the FSA rules and regulations.

There is no requirement to issue a Certificate of Compliance for our card processing facilities to our customers.

Regards

Chris M PRIOR (Mrs)
PCI Compliance Manager | HSBC Merchant Services LLP
51 De Montfort Street, Leicester, Leicestershire, LE1 7BB, United Kingdom

If any of the information on this page is out of date, please Contact Us about it.
