Frequently Asked Questions | AIB Merchant Services

What is data security/cyber security?

Data security is a term which refers to the safeguards a business puts in place to prevent its data from being leaked, stolen or deleted. Data is a valuable asset, and losing it or having it fall into the wrong hands can be very damaging to a business.

If you were to lose your customer list to an online hacker, including personally identifiable information such as email addresses and phone numbers, this could be particularly damaging for your business. You are responsible for the security of the data you store and need to act to protect it, particularly if you are storing your customers’ data.

What is a data breach?

A data breach is when a business discovers that data stored on their system has been lost or stolen by criminals. Businesses are often unaware their data has been stolen and are only made aware weeks or months after the event. You are required to alert the authorities if you have suffered a breach and must alert customers if their data has been stolen.

If your business is hacked and customers’ personal details are stolen and used to make fraudulent purchases this will cause you serious problems. It will have very negative consequences for your business, including: imposed fines, bad publicity, loss of customer trust and in turn loss of sales.

What is an information security policy?

An information security policy is a policy document that sets out the rules and regulations within a business for handling sensitive data. A good policy will provide clear and concise guidelines on practices such as data handling and deletion. If you do not have an information security policy, a template is provided as part of your subscription. Speak to our agents for more information.

What is meant by “reputational damage”?

“Reputational damage” refers to the negative impact suffering a data breach can have on a business’ reputation amongst its customers and the wider community.

When considering the consequences of not protecting your data, you need to consider the following:
  • How would your customers react if they were made aware that their data had been lost to criminals?
  • If your device(s) (laptop, mobile etc.) became infected by malware and didn’t work for a few days, how would this affect your ability to do business?
  • If your website was infected with a virus and went down, how would this affect your sales?

What are computer viruses/malware?

Malware and viruses are malicious pieces of computer software that can alter the way in which your computer or smartphone operates, with the intention of disrupting its operation or extracting valuable information.

The effects of viruses vary greatly and depend on the type you have been infected with. Typically, viruses will cause a device to crash or slow down. Other strains will restrict access to or delete your files or lock you out of your system. More advanced forms of malware can extract the information on your system without your knowledge or authority.

Ransomware is a form of malware that locks all the files on the infected system and demands money (a ransom fee) to restore access. You will be unable to access any of your files until you pay the money. This form of infection is increasing in popularity as it provides hackers an easy way to profit from their efforts.

What is a hacker?

“Hacker” is a term used to refer to a criminal who attempts to access systems and networks without the authority of the network owner. Hacking techniques have become very sophisticated in recent times, with many organised groups forming to coordinate their efforts. A hacker will typically attempt to breach a company’s defences, then gain access to and extract its data. They will then sell this data on the dark web for use in fraud, identity theft, unauthorised direct advertising or similar crimes.

How will security scanning help my business?

In order to find security vulnerabilities or holes in your defences you must look for them first – that’s how scanning can help. As part of your subscription, we provide you with the tools needed to conduct a variety of different scans to ensure your devices are secure.

The scans help you to make sure you are going that extra mile in protecting your business and reducing your risk of attack by a hacker.

What is a network?

If you operate computers and equipment, including PCs, servers, firewalls, network devices, wireless access points or POS (Point of Sale) tills on your business premises, this is what is referred to as your network.

To help ensure your data is secure and to maintain compliance with the PCI DSS, you will need to understand how your network is connected and interconnected. Some businesses may need to engage the help of the IT specialist who set up their business network for them.

What is network segmentation?

If your business network is connected to the internet and your payment terminal is on this network, you need to ensure you are taking appropriate security precautions.

To ensure the security of your card payment environment, you will be required to segment the network that your card payment machine or processing software operates on from your day-to-day operations.

You can achieve this by using security software, firewalls and access restrictions. Our team can explain this to you in more detail if you need help, and you may also need to engage the IT specialist who set up your business network for further assistance.

What happens if I don’t maintain my data security?

By neglecting your data security, you are potentially opening your business to an array of threats, many of which can be fatal to a small business. Consequences include:
  • The potential loss of sensitive data such as customer contact information, business-critical information or trade secrets.
  • Potentially business-ending fines for the loss of data.
  • Infection of your devices with malware/ransomware/viruses, often rendering them unusable and causing delays in work delivery or lost functionality.
  • Reputational damage amongst your customers in the event of a data breach.
  • Loss of sales channels such as websites or web applications due to viruses or crashes.
  • Charges for non-compliance with standards such as the PCI DSS.

What is the PCI DSS, and who is it regulated by?

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide mandate from the PCI Security Standards Council (PCI SSC). The council consists of VISA, MasterCard, American Express, Discover and JCB (the five major card schemes worldwide).

PCI DSS was established to help organisations accepting credit and debit card payments to ensure controls are in place to prevent fraud. The PCI DSS standard applies to all organisations accepting, processing and/or storing cardholder information from the card brands.

What exactly is the PCI DSS standard about?

Build and maintain a secure network
  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor supplied defaults for system passwords and other security parameters
Protect cardholder data
  1. Protect stored data (use encryption)
  2. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a vulnerability management program
  1. Use and regularly update anti-virus software
  2. Develop and maintain secure systems and applications
Implement strong access control measures
  1. Restrict access to data by business need-to-know
  2. Assign a unique ID to each person with computer access
  3. Restrict physical access to cardholder data
Regularly monitor and test networks
  1. Track and monitor all access to network resources and cardholder data
  2. Regularly test security systems and processes
Maintain an information security policy
  1. Maintain a policy that addresses information security.

For more information, please refer to the PCI Security Council’s website: www.pcisecuritystandards.org

Compliance is not a one-off exercise. As a business, you are expected to maintain compliance at all times and must validate your compliance every year.

Who needs to be compliant with PCI DSS?

Any organisation, regardless of size or transaction volume, that accepts, stores, processes or transmits payment card data from the card brands.

This includes banks, payment service providers, public sector organisations, retailers, utility providers, and e-commerce, face-to-face and mail or telephone order merchants.

Why is holding cardholder data a problem?

Unless you are adequately protecting your data, you may be in violation of the Payment Card Industry Data Security Standard (PCI DSS).

If your business is hacked and customers’ card details are stolen and used to make fraudulent purchases this will cause you serious problems and will have very negative consequences for your business, including - imposed fines, bad publicity, loss of customer trust and in turn loss of sales.

What do I do if I need cardholder numbers for chargebacks and refunds?

If you need to keep your customers’ cardholder data, you must make sure it is protected in accordance with the PCI Data Storage Do’s and Don’ts.

  • This means that you need to ensure that you securely store and encrypt data on the computers you use in your business.
  • You must not store sensitive authentication data (full track data, card validation code or value, and PIN data); storing it is strictly forbidden by the PCI DSS.

Our scanning tools can assist you in monitoring your policy enforcement. Our team can explain this to you.
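As an added illustration that is not part of the original FAQ and not one of the AIB Merchant Services tools, the following Python script shows the kind of check the two points above call for: it scans stored records for the sensitive authentication data the PCI DSS forbids storing (track data and card validation codes) and for card numbers kept in the clear, and shows how a record you do need to keep for refunds can be reduced to a masked form. The sample records, the field names and the regular expressions are assumptions made for this example; the card numbers are publicly known test numbers, and the Luhn check is a heuristic, so any hit should be confirmed by hand.

```python
import re

# Constructed sample records (assumed log format, not from any real system).
# Lines 0-2 each contain something the PCI DSS says must not be stored;
# line 3 uses a payment token instead of a card number and is clean.
SAMPLE_RECORDS = [
    "2024-05-01 10:02:11 refund ref=R1001 pan=4111111111111111 amount=25.00",
    "2024-05-01 10:05:42 swipe %B5500000000000004^DOE/JANE^2512101?",
    "2024-05-01 10:07:09 cvv2=123 order=ORD-7781",
    "2024-05-01 10:09:30 refund ref=R1002 token=tok_9f8e7d6c amount=12.50",
]

# A candidate PAN is 13-19 consecutive digits not embedded in a longer run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Track 1 (%B<PAN>^<NAME>^... ?) and track 2 (;<PAN>=... ?) magnetic stripe data.
TRACK_RE = re.compile(r"%B\d{13,19}\^[^^?]*\^[^?]*\??|;\d{13,19}=[^?]*\??")
# Card validation code fields, whatever the field is called (assumed names).
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card numbers; filters out most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return every Luhn-valid 13-19 digit run found in the text."""
    return [m.group(1) for m in PAN_RE.finditer(text) if luhn_ok(m.group(1))]


def scan_record(line: str) -> list:
    """Classify what a single stored record contains that should not be there."""
    findings = []
    if TRACK_RE.search(line):
        findings.append("track_data")
    if CVV_RE.search(line):
        findings.append("card_verification_code")
    if find_pans(line):
        findings.append("clear_pan")
    return findings


def scan_records(records: list) -> dict:
    """Map record index -> findings, for records that have any."""
    report = {}
    for i, line in enumerate(records):
        findings = scan_record(line)
        if findings:
            report[i] = findings
    return report


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, which is enough to match a refund."""
    return "*" * (len(pan) - 4) + pan[-4:]


def redact(line: str) -> str:
    """Remove track data and validation codes outright; mask any clear PAN."""
    line = TRACK_RE.sub("[TRACK DATA REMOVED]", line)
    line = CVV_RE.sub("[CVV REMOVED]", line)
    return PAN_RE.sub(
        lambda m: mask_pan(m.group(1)) if luhn_ok(m.group(1)) else m.group(0),
        line,
    )


if __name__ == "__main__":
    for idx, findings in scan_records(SAMPLE_RECORDS).items():
        print(f"record {idx}: {', '.join(findings)}")
        print(f"  redacted: {redact(SAMPLE_RECORDS[idx])}")
```

Run it over an export of the files your till software or website writes (logs, refund spreadsheets, database dumps). Any "track_data" or "card_verification_code" finding means a process is capturing data that must never be kept and needs to be stopped at the source, not just cleaned up; a "clear_pan" finding means the stored copy must be encrypted or, as in the fourth sample record, replaced by a token from your payment provider.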

What are the different PCI levels and how are they decided?

A number of different risk levels have been identified by the card brands which have formed the basis of the various PCI levels.

PCI Level 1 businesses are required to carry out an onsite assessment, submitting a completed and signed Report on Compliance (RoC) to their acquirer. An onsite assessment is carried out by a Qualified Security Assessor (QSA) or a fully certified Internal Security Assessor (ISA).

PCI Level 2, 3 and 4 businesses are required to complete a Self-Assessment Questionnaire (SAQ) and submit this to their acquirer.

At any time, we can change the PCI level of your business to level 1. Normally this would apply if your business has been hacked and subjected to a data breach where customer card data has been stolen.

PCI levels are set out by the card schemes as follows:

Visa
Level 1: Businesses processing more than 6 million VISA transactions annually via all channels, or global merchants identified as Level 1 by any VISA region.
Level 2: Businesses processing between 1 million and 6 million VISA transactions annually via all channels.
Level 3: Businesses processing 20,000 to 1 million VISA e-commerce transactions annually.
Level 4: E-commerce businesses processing fewer than 20,000 VISA e-commerce transactions annually, and non-e-commerce businesses processing up to 1 million VISA transactions annually.

MasterCard
Level 1:
  • Any business that has been attacked or hacked, resulting in card data being stolen
  • Any business with more than 6 million combined MasterCard and Maestro transactions annually
  • Any business meeting VISA’s Level 1 criteria
  • Any business that MasterCard determines should meet the Level 1 requirements to minimise risk to the system
Level 2:
  • Any business with more than 1 million but less than or equal to 6 million total combined MasterCard and Maestro transactions annually
  • Anyone meeting VISA’s Level 2 criteria
Level 3:
  • Any business with more than 20,000 combined MasterCard and Maestro e-commerce transactions annually
  • Any merchant meeting VISA’s Level 3 criteria
Level 4: All other merchants

Why do I need to comply?

If you accept card payments from your customers, you must do so safely in order to protect your customers’ payment card information. The PCI DSS standard was developed by the card brands to ensure that businesses understand what “safely” means and follow guidelines to prevent fraud.

Not being PCI DSS compliant can be likened to getting into a car with no insurance. If you cause an accident, you will be held liable and will have to cover the cost of any damages out of your own pocket. PCI DSS works in a similar way: if you are compliant, it can be likened to having basic third-party cover, so the cost of damages is greatly reduced. If you are not compliant, however, you will be on the hook for the full cost of a data breach where card data has been stolen, which can be devastating for your business.

I did my PCI DSS compliance last year, why do I need to do this again?

You need to validate your compliance annually. Protecting your business is an ongoing challenge, and complying with PCI DSS ensures you are taking steps to protect your business.

The standard is also updated in line with changes in the market, for example the way technology has changed the methods by which debit and credit cards can be accepted. In addition, the standard is updated to ensure that new and emerging security threats are factored in.

Why do I have to do this, isn’t my terminal secure?

Having a PCI validated point-of-sale solution certainly helps your annual PCI DSS assessment, however, it does not guarantee PCI DSS compliance. You have a responsibility to ensure that the relevant policies, procedures and controls are in place (and practiced by you and your staff) to minimise exposure and reduce the likelihood of a data breach. The program will take you through the steps needed to protect your business.

I outsource all my cardholder data functions to a third-party service provider, do I still need to comply with the PCI DSS?

Outsourcing cardholder data functions to a third-party service provider does not exclude a company from PCI compliance. It may reduce the scope of the annual assessment and consequently reduce the time and effort needed to validate compliance. You still need to consider what you and/or your staff do with your customers’ card information. Are you securely destroying receipts? You also need to have a policy in place to ensure that everyone in your business is aware of any possible risk factors.

What happens if I don’t comply with PCI DSS?

Not being compliant with the PCI DSS can leave your business at risk of a breach and of breach-related costs.

Cost implications and penalties

Breach-related costs normally include chargebacks, card scheme fines, card replacement costs, reputational damage, loss of customer confidence, lawsuits and audits. The exact cost depends on the damage caused, specifically the number of cards compromised, so it can add up to a huge cost for any business. Customers will lose trust in your business, and the loss of business caused by damage to your reputation can be difficult to put a figure on.

Formal onsite assessment requiring a QSA

If your business has been subjected to a breach, you will be subject to a forensic investigation, the cost of which your business will be required to cover. As a result, you will likely be required to suspend card payment acceptance during this investigation. Once the problem area has been found, you will be required to secure it.

Following on from this, your business will be flagged as a high-risk business and will require ongoing QSA support until your acquiring organisation is satisfied that you have the correct controls in place to keep your customers’ card data safe and secure.

How do I begin?

Contact your Data Security Plus team via the details below to get started. Our agents will walk you through the whole process.

Will you tell me what I need to do and when?

We will get in touch with you when your PCI DSS validation is due to expire or when actions are due to maintain your data security. Your service ensures you complete your PCI DSS requirements when they are due. We will be in touch with you as and when tasks are due or if certain areas aren’t completed.

You may need to check that our emails aren’t being sent to your junk or spam folder. The best way to ensure that our emails arrive correctly in your inbox is to whitelist our email address. How you do this will depend on your email service provider, whether Outlook, Gmail, Yahoo etc.

You can contact us at any time if you need assistance or have any questions.

How do I find my IP address?

On your call to us, you may be asked to provide your IP address. If your terminal is connected via an internet cable, you will need to identify the public-facing address it uses on the internet.

The easiest way to do this is to unplug the cable from the back of your terminal and plug it into a laptop or computer. Open your preferred browser and go to www.whatismyip.com. This will show you a series of numbers separated by dots; this is the external-facing IP address of your business.