During the pandemic, more and more of us made use of online payments. Because we were in lockdown and couldn’t go out, there were few alternatives. Even if we were a little circumspect about paying online, doing so became a matter of increasing importance to feed our families and go about life normally.
It is comforting to know that, in these unusual times, there is an industry framework that exists to protect you and your data from those who would otherwise abuse it. This is known by the catchy title of PCI DSS (Payment Card Industry Data Security Standard). The standard sets out how processors of card information should handle your purchase, and so minimises the chances of your card data falling into the wrong hands.
As a shopper or cardholder making a purchase, you will see very little evidence of this standard, because almost everything it requires happens inside the processing environment of your chosen online shop or service provider. Broadly, it covers:
Network security – The network that holds your data is both physically secure and not open for anyone on the internet to connect to.
Database security – The database that holds your data is secure and not open to attack.
Premises security – The building that holds the servers, data and people that process your data is secure and has policies to detect intrusion.
Process security – The processes within the business are documented and secure. Your data is handled correctly – it isn’t written down on a post-it note!
Data security – Data in transit is encrypted and cannot be read by anyone who does not have permission or the keys to decrypt it.
Ask for proof of PCI certification – All successful PCI applications are provided with a certificate issued by a Qualified Security Assessor (QSA) that confirms the organisation details and their level of PCI accreditation. Ask to see a copy of the certificate; it can take a lot of time and cost to successfully complete the PCI certification process. Your supplier should be happy to provide their certificate.
How many levels of PCI certification are there? For service providers (the companies that facilitate school payments), there are just two levels of PCI compliance:
Check whose name is on the certificate! For smaller payment providers, a self-certification process is available. Although the company completes its own security questionnaire before it is checked by the QSA, you should always see the name of your chosen payment processor on the PCI certificate. A provider presenting its bank's certificate in place of its own does not demonstrate PCI compliance.
You could argue that there is greater assurance when a third party tests and confirms the organisation's compliance. However, self-certification should simply mean that the volume being processed is below the 300,000 transactions per annum level.
If you have concerns regarding your current provider, please contact the team; we're here to advise and support your school.