What is PCI Compliance?
The Payment Card Industry Security Standards Council (PCI SSC), founded by the major card brands, formulated a set of guidelines to enforce a robust card data security process. Any merchant that stores, processes, or transmits credit or debit card information, or that can affect its security, must adhere to the standards at all times and certify compliance annually. Regardless of your payment processing method, PCI compliance is a requirement for every business that accepts credit and debit cards.
There are three main reasons why merchants should worry about online data security:
To give your customers peace of mind
To improve your trustworthiness and therefore your sales
To protect yourself from liability and damages
How to confirm your PCI compliance in CardPointe / Fiserv
It is rather easy to end up with a PCI status of 'Not compliant'. 'Not compliant' simply means a form wasn't completed somewhere along the line. It is, however, important to take care of the form sooner rather than later, as penalty fees will be incurred, and these fees increase each month the form required to become compliant remains incomplete.
To become PCI Compliant, follow these steps:
Log into your CardPointe account
Click 'My Account' in the navigation bar
Click directly on the 'Non Compliant' status
Once redirected, complete the 17-question form
Note: ACH/BlueChex will always show 'Not Applicable' under the PCI Status column.
How does Hauler Hero facilitate PCI compliance in its development process?
We currently load an iframe payment form from CardPointe (CardConnect). The iframe collects all of the payment details; we store a record of the payment transaction with the related token, but never the payment source details (the cardholder data, i.e. PII).
Developer documentation on the iframe product is linked below and includes PCI DSS 4.x compliance information.
https://developer.fiserv.com/product/CardPointe/docs/?path=/docs/documentation/HostediFrameTokenizer.md&branch=main
We (Hauler Hero) do not handle payment information such as credit card/debit card information or ACH information. CardPointe's (Fiserv) iframe takes the information and returns a payment token, the customer's name and the amount of the transaction.
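As an added illustration (not Hauler Hero's or Fiserv's code) of how the parent page should treat the token the iframe posts back: check the sender's origin, reject messages that report a validation error, and refuse to persist any value that passes a Luhn check, so a raw card number can never be stored in place of a token. The tokenizer origin placeholder, the `message` field carrying the token, and the assumption that CardSecure tokens are built to fail the Luhn check are assumptions to verify against the linked documentation.

```javascript
// Assumption: replace with the real tokenizer origin from the CardPointe docs.
const TOKENIZER_ORIGIN = "https://<your-tokenizer-host>";

// Luhn (mod 10) check. A real PAN passes it; a tokenizer token is assumed not to.
function passesLuhn(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

// Validate one postMessage from the iframe. Returns {token, reason}; token is
// null whenever the message must not be forwarded to the backend.
function extractToken(origin, rawData, expectedOrigin = TOKENIZER_ORIGIN) {
  if (origin !== expectedOrigin) return { token: null, reason: "unexpected origin" };
  let data;
  try {
    data = typeof rawData === "string" ? JSON.parse(rawData) : rawData;
  } catch {
    return { token: null, reason: "malformed message" };
  }
  if (!data || typeof data !== "object") return { token: null, reason: "malformed message" };
  if (data.validationError) return { token: null, reason: data.validationError };
  const token = String(data.message || "");          // assumption: token field name
  if (!/^\d{13,19}$/.test(token)) return { token: null, reason: "token format" };
  if (passesLuhn(token)) return { token: null, reason: "value looks like a raw PAN" };
  return { token, reason: null };
}

// Browser wiring: only the token ever reaches the hidden form field / backend.
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const result = extractToken(event.origin, event.data);
    if (result.token) {
      document.getElementById("mytoken").value = result.token;
    } else {
      console.warn("tokenizer message rejected:", result.reason);
    }
  }, false);
}
```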
Regarding portal fraud prevention:
We recently started applying rate limiting to the payment gateway and customer portal: requests from a single source to our payment gateway/customer portal are limited to 5 requests per 10-second window. We also use Cloudflare's Web Application Firewall (WAF) with a basic rule set, as well as Google Cloud Armor (Google Cloud's web application firewall) on our load balancers behind Cloudflare.
Is storing customer's payment details in Hauler Hero PCI compliant?
To ensure that you are PCI compliant, all credit card and ACH payment details must be stored in the encrypted Payment Details section. Payment details stored in the notes section or any other section of the software are not encrypted and are not considered PCI compliant.
**Please note that no payment details should be stored in any note section of the software, regardless of PCI compliance. Encrypted payment details are the only safe and secure way to store payment information.**