Mid-tier merchants can reduce the scope of PCI-DSS with YESpay - a QSA perspective

Share Article

PCI at a glance: Mid-tier retailers and e-commerce merchants are the classic targets of organised card fraudsters aiming to illicitly use and sell card data, as the size of card data flowing through their store environments is significant. A fresh new security perspective of point-to-point encryption (P2PE) is provided by FortConsult A/S, which significantly reduces the merchant PCI compliancy headache.

To combat fraud, card schemes such as Visa, Discover, American Express, JCB International and MasterCard are forcing tier 1 and certainly tier 2 retail brands to comply and accredit to PCI-DSS, Payment Card Industry Data Security Standard. Merchants now have to protect all their customer cardholder data by using encryption technology during storage and transaction processing. Merchants must also follow network security, access control and other PCI requirements to create a safe retail payments environment.

As PCI-DSS compliance requirements are evolving, it is important to keep up with all of the standards because business security depends on it. So, the Council recommends that professional Qualified Security Assessors (QSAs) be chosen to assist organizations with maintaining these standards and deal with the compliance issues.

YESpay has been proactive and undertaken PCI-DSS Level 1 certifications since 2006 with its QSA, FortConsult A/S. YESpay has already gone an extra mile to achieve PA-DSS certification for its EFT payment client applications installed in the retailer Point Of Sale (POS). Further, the company has chosen Fort Consult, a well-trusted QSA in the European market to constantly keep up with the PCI standards and ensure data security for its retailers. Recently, YESpay interacted with Lars Syberg from FortConsult, Denmark to look a little deeper into the PCI standards and its importance in Point-to-Point Encryption.

Helped further by FortConsult, YESpay is now also focusing on the new PCI recommendations of incorporating Point-to-Point Encryption (P2PE) from the PIN Entry Device (PED) to its payment gateway, thus reducing PCI approval scope for its merchants as card data is no longer present unencrypted in retail stores environments.

YP: How important is Point-to-Point Encryption in terms of data security?
Lars: Point-to-Point Encryption is very important because data security is really hard to maintain for a merchant. It’s more or less impossible to manage where there are large numbers of employees that you cannot have control on. So the only way is to not have too much internal security but just to make sure that the data is not being stolen. Here is where point-to-point encryption plays a significant role. It does not allow the merchant to get access to the card data, which means that even if someone hacks that merchant he will not get access to any card data!

YP: What role does an outsourced payment gateway play in helping merchants mitigate PCI compliance?
Lars: Point-to-point encryption is the latest recommendation by the PCI Council to ensure data security. It offers several benefits to retailers due to which it has become their only choice for the future. With the rising indispensability of P2PE and the hassles of PCI compliance attached with it, the service providers would now have a more important role in the payment business. Until now retailers outsourced payment transactions to the service providers but now they will need to outsource security as well if they want to mitigate PCI.

YP: Why is a QSA important from the point of view of a merchant as well as a payment gateway?
Lars: Payment cards are one of the most haunted faces of the Internet by hackers and hence it is very important to maintain high levels of security leaving no possibility of card data breaches. Where a service provider makes an effort towards keeping the systems secure, a QSA is its tool to ensure and maintain a particular level of security while keeping in accordance with the standards. According to the council, merchants also need to be PCI compliant, which can be a humungous task if their system stores high volumes of card data. This is where merchants would also need a QSA.

YP: What is your role as a QSA in maintaining data security for YESpay? And how has the journey been so far?
Lars: Looking back, it’s been 5 good years of working for YESpay ensuring that their payment solutions are according to the PCI-DSS and PA-DSS standards and the best practices of data security. YESpay was one of the first PSP to be awarded PCI-DSS certification in 2006 in the UK. We have always seen them trying to lead the markets in terms of being compliant whether it was for the PCI-DSS standards or PA-DSS certification of payment applications. The PCI assessment conducted by FortConsult was again successfully concluded in July 2012 with the submission of a compliant ROC and AOC to Visa and MasterCard.

Now FortConsult is also working with YESpay to make sure that we should be following the point-to-point encryption standards. They are one of our first customers to have started working with Point-to-Point Encryption too.

About YESpay International Limited
YESpay International Ltd., a global card payments service company, provides highly secure Internet, EMV Chip & PIN, contactless and gift card payment processing services to independent and multi-chain merchants. Through EMBOSS, the YESpay Managed Payment Service, merchants can quickly accept integrated card payments within EPOS, kiosks, hospitality and e-commerce systems with minimal capital investment and low on-going services costs. EMBOSS is an on-line IP-based payment processing service that has been generically pre-accredited by major Card Acquirers in Europe and North America (including First Data Merchant Service (FDMS), Chase Paymentech, Barclaycard Business, HSBC, HBOS, Lloyds Cardnet, Streamline, Ulster Bank, Elavon, PBS, Amex and Diners). In addition, the YESpay EMBOSS service is fully end-to-end certified to Payment Card Industry Data Security Standards (PCI DSS) Level 1 as mandated by Visa and MasterCard. The YESpay EasyV-Suite of card payment products is innovative and cost-effective for EPOS, Kiosk, Hospitality, Mobile and Internet environments. With the YESpay EMBOSS card payment service, merchants can perform card payments in both card-present and card-not-present environments.

Contact details:
UK Headquarters: Checknet House, 153 East Barnet Road, Barnet, EN4 8QZ, UK | +44 - 203 - 006 – 3790
Canada Office: 116 Spadina Avenue, Suite 201, Toronto, Ontario, M5V 2K6, Canada | 1 855-YES-PAY- 1
PR Contact: Nitasha Jain, Marketing Manager, ext. 402, Nitasha(dot)Jain(at)yes-pay(dot)com marketing(at)yes-pay(dot)com

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Nitasha Jain
YESpay International
+44 (0)871 221 9510 402
Email >
Follow us on
Visit website