PCI Compliance

Billy Fluck

What is PCI?

You can find full and detailed information here, but very generally PCI is a set of rules that any merchant must adhere to if they wish to take or handle credit and debit card details. The rules are meant to help organisations protect themselves from losing card data that could then be used fraudulently.

The number of rules you must adhere to increases in both number and complexity depending on your bank's assessment of the scale and risk profile of your organisation. The more ways you take and store card data, the greater the chance that you can lose it; for example, if you only take card payments through a PDQ machine you are less likely to need complex technology and procedures in place than if you take and store card payments online, in person and over the phone.

The categories of risk are graded from A - D. You will need to check the website or with your bank to find out which category you fall into and to download the relevant questionnaire.

PCI Vs PAD

You may come across two terms when looking through PCI documentation - PCIDSS and PADSS compliance. The difference between these is as follows:

  • PCIDSS: this is the certification which businesses and institutions must complete to show that their organisation as a whole meets the PCIDSS standards.

  • PADSS: this certification is for software that is created by another company and then installed on the venues' systems in order to handle card payments. Organisations must only use PADSS compliant software in order to achieve their own PCI Compliance.

For example:  

  • The YesEFT program that some venues use to run the Chip & PIN pads is a piece of software that is owned by YESPay but installed on your PCs (out of YESPay's control). The software must therefore be PADSS compliant so that you can be sure that the software is not in breach of any PCI regulations.

  • Spektrix, however, is not installed anywhere in your venue. We maintain control of it on our own servers, which you access through a web browser. It is therefore not in scope for PADSS certification. Instead we must certify it as PCIDSS compliant so that you can accurately claim that you only use compliant third parties.

Is my venue compliant?

We aren't able to provide advice on your own PCI status as that covers more than just your use of Spektrix.

PCI covers anything to do with the handling of cardholder data, including the use of PDQ machines (for example in your bar) and internal processes such as staff training and the storage of receipts with card numbers printed on them. You will need to have your own internal policies in place to ensure you are compliant in the way you handle card data.

However, we suggest that using just the Spektrix system is likely to leave you in a position where you need to fill in questionnaire C, which should be relatively straightforward to complete. If your previous system had stored cardholder data, you would have needed to fill in questionnaire D, which is significantly more complex in its requirements.

We recommend talking to your merchant bank to discuss the first steps in becoming compliant.

Is Spektrix PCI Compliant?

Yes, Spektrix is a level 1 PCI Compliant service provider, meaning that we can handle card data securely without having to defer it to a third party. You can find our attestation of compliance here.

The third party providers that Spektrix integrates with are both level 1 service providers - their compliance documentation is as follows.

You can also find our listing on the Visa Merchant List here.

What Details Should I Use for PCI Certification?

Most banks now ask you to complete online self-certification forms. Part of this form asks you about the status of your payment applications. This section shows you which details to use on those parts of the form.

Chip & PIN (SagePay)

  • If given the option, say yes to PADSS Certified

  • Set the Payment Application to Sagepay Chip & Pin / Integral

  • Set Payment Service Provider to SagePay

Chip & PIN (YESPay)

  • If given the option, say yes to PADSS Certified

  • Set the Payment Application to YESPay YesEFT / Emboss

  • Set Payment Service Provider to YESPay

Ecommerce & MOTO (Customer Not Present) Transactions

  • If given the option, say no to PADSS Certified

  • Set the Payment Application to Spektrix

  • Set the Payment Service Provider to SagePay or YESPay (depending on which you are using - your finance department should be able to tell you this if you don't already know)

***

PCI is a complicated area, so if you have any more questions please don't hesitate to get in touch with the Spektrix Support team.
