Reasons to choose PCI Compliance Solutions from Columbus UK
Accredited Level One PCI DSS Certification
Our hosted telephony and card processing platforms have accredited Level One certification for PCI DSS compliance with security at the core of everything we do.
Outstanding PCI Compliance Solutions
We offer a wide range of highly secure, reliable and easy to use solutions which helps organisations across all sectors descope their environment of sensitive data.
A Flexible Approach to Commercials
Low capital investment and affordable monthly licensing. Instant refund and re-processing functionality. No charge for declined or refunded payments.
Exceptional Customer Service & Account Management
We’ll work with you closely to identify the compliance challenges that you need to address and provide comprehensive guidance and recommendations.
Mitigate risk, minimise capital investment and save time and resource with cloud-based PCI Compliance Solutions
Columbus PCI Compliance solutions are designed to help you meet and maintain PCI DSS by descoping your organisation from the requirements of the regulations. All transactions (telephone and online) are handled off site with no sensitive data provided to anyone within your business throughout any part of your payment workflows. Find out more below.
What is PCI DSS
PCI DSS is the worldwide Payment Card Industry Data Security Standard that was set up to help businesses process card payments securely and reduce card fraud. This is achieved through the enforcement of tight controls surrounding the storage, transmission and processing of cardholder data that businesses handle. PCI DSS is intended to protect sensitive cardholder data.The payment standard has 12 high-level requirements which are divided into six categories. This includes:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Why is PCI DSS Compliance Important
Achieving compliance with PCI DSS means that your organisation is doing its utmost to keep valuable information safe and secure and out of reach of individuals and other entities that could use your data for illicit purposes. Whilst reaching and maintaining PCI DSS is critically important for any business that stores, transmits or processes card data, compliance is much easier to achieve for businesses that do not hold data and this significantly reduces the risk of your customers being affected by a data breach. So in essence if you don’t need the data, don’t store it.
If I'm not compliant, what may happen?
If you do store card data and you suffer a data breach (i.e. lose card data) and you are not PCI DSS compliant you may be prevented from accepting payments by card and you could incur card scheme fines for the loss of this data which could be up to £50,000 per infringement. You may also be liable for any fraud losses incurred against lost card data and the operational costs of replacing the accounts. If you are suspected to have suffered a data compromise, you will be required to engage with a PCI Forensic Investigator (PFI) to establish the source of the breach to ensure any compliance gaps are closed. The cost of a forensic investigation can run into thousands of pounds. You will be liable for these costs if evidence of a compromise is established.
Whilst the monetary fines and other costs are considerable, the reputational damage to your business could also be catastrophic as customers may lose confidence in your ability to secure their sensitive personal, business and card data.
What can lead to a data breach?
There are many vulnerabilities that can lead to data breach including:
A computer virus is a program that can replicate itself and spread from one computer to another. The term ‘virus’ is also commonly used to refer to types of malware, often referred to as adware and spyware programs that do not have a reproductive ability. Viruses can increase their chances of spreading to other computers by infecting files on a network file system or a file system that is accessed by another computer.
A computer worm is a self-replicating malware program, which uses a computer network to send copies of itself to other computers and nodes on the network without any user intervention. Unlike a computer virus, it does not need to attach itself to an existing program. Worms almost always cause harm to the network, even if only by consuming processing power or bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.
A Trojan Horse may allow a hacker (also known as a computer criminal), remote access to target a computer system. Once a Trojan has been installed onto a computer system, a hacker may have access to your computer remotely resulting in them being able to perform various operations, but these may be limited by user privileges. Operations that could be performed by a hacker on a computer system include:
- Using the machine as part of a botnet (e.g. to perform automated spamming or to distribute Denial-of-service attacks)
- Data theft (e.g. retrieving passwords or payment card and personal information)
- Installation of software, including third-party malware
- Downloading or uploading of data on the user’s computer
- Modification or deletion of files
- Keystroke logging (where hackers can track and record your keystrokes – anything that you type into your computer)
- Watching the user’s screen
Trojan Horses require interaction with a hacker to fulfil their purpose, though the hacker need not be the individual responsible for distributing the Trojan horse. It is possible for individual hackers to scan computers on a network using a port scanner in the hope of finding one with a malicious Trojan horse installed, which the hacker can then use to control the target computer.
Spyware is a type of malware that can be installed on computers, which collects small pieces of information about users without their knowledge. The presence of spyware is typically hidden from the user and can be difficult to detect.
Key questions you should ask
Here are some key questions you should consider to evaluate your PCI DSS compliance:
- Do your employees ask for card details over the telephone?
- Can you ensure data is not written down or entered into a separate application?
- Can you ensure that photographs or screenshots of transactional data are not taken?
- Are DTMF tones played to employees?
- Are you able to fully maintain the PCI DSS standard and keep card details completely secure?
If you are unable to fulfil any of the above questions then descoping your organisation from the requirements of PCI DSS, whilst benefitting from a fully accredited Level 1 card processing service is essential for your business.
What is PCI Descoping
Descoping provides a way of reducing the number of obligations that are relevant to your business in relation to PCI DSS processes. The simplest means to achieve this is to pass the responsibility to a third party provider. This usually reduces the overheads assigned to PCI DSS compliance related activities whilst also increasing the level of PCI compliance your business can attain for operational purposes (i.e., using a Level One compliant solution provider).
What are the benefits of a Hosted Solution?
Many PCI DSS solutions are premise-based and require investment in additional hardware and software which needs to be maintained. This can often involve hardware add-ons which are connected to your phone system alongside software updates for your phone system and servers, additional cabling, handsets and more besides. Updates or changes to the infrastructure are not straightforward and it is typical that the solution vendor as well as the phone system maintainer will need to be on site to carry out upgrades and changes which can be costly and disruptive.
Significant investment is usually required and there are CAPEX costs to consider as well as OPEX-based maintenance contracts for the PCI solution and on-premise phone system. Moreover the on-premise solution is disadvantaged on the basis that the Service Level Agreement (SLA) is usually inferior to a hosted or cloud-based PCI compliant solution. This is because if there is a hardware failure an engineer will need to visit the site to assess the issue and if the correct spare part is unavailable (a phone system trunk card for example) a subsequent visit will need to be arranged to replace the damaged part. During this timeframe, you will are unlikely to be able to operate very efficiently, if at all. As cloud based solutions are operated in secure, managed data centres they offer much better reliability and superior response and fix times. Depreciation is also a major factor when installing hardware and service replacement / continuity needs be considered as the hardware nears end of life.
On the other hand implementing a hosted solution provides increased flexibility, it’s easier to leverage improvements in technology without the cost of on premise software upgrades, allows you to rollout the service anywhere with very little CAPEX, it does not require hardware and phone system changes on-site and provides very efficient SLAs due to the solution(s) being accessible in a cloud environment at any time.
Solutions designed to descope your business from the requirements of PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) organisation was created by major credit card companies in 2006 to establish processes for card data security and many organisations subsequently invested in expensive, on-premise compliance systems to ensure payment card data was secure and met PCI Compliance obligations. Despite the development of rigorous guidelines to protect sensitive card data, over time, fraud, theft and numerous, notable network breaches at major organisations have demonstrated that weaknesses still exist in some businesses. On-premise compliance systems need to be continuously monitored, maintained and secured otherwise a breach could be very costly.
We believe there is a better way to mitigate risk without the significant capital investment and resources required to meet and maintain the very latest PCI Compliance requirements. Columbus Cloud Compliance solutions achieve this by descoping businesses from the requirements of PCI DSS and keeping sensitive card data completely outside of standard operational workflows. Our cloud first approach to PCI Compliance ensures that no one within an organisation has access to any sensitive card data at any time, whether the solution is telephony or web-based or both.
Columbus PCI Compliance Services
Columbus PCI Agent
Our hosted Level 1 solution allows callers to enter their own card details whilst staying on the call with a live agent. Hassle free and 100% fully Level 1 PCI DSS compliant.
Columbus PCI AUTO IVR
Using our advanced cloud-based platform, our AUTO IVR solution enables you to capture, integrate and process card payment information without the need for an agent.
Columbus PCI Online
Our 3D-Secure technology is designed to reduce the possibility of fraudulent card use by authenticating the cardholder at the actual time of the online transaction.
Columbus PCI Mobile
Rapidly develop apps to assist in the processing of mobile payments, integration with back-end systems, mobilising the workforce and providing real-time information.
Want to find out more about Columbus PCI Compliance Solutions? Get in touch.
Columbus are very flexible in their approach to our demands, keeping control over our business connections, supporting our remote staff & providing us with a value for money service. The friendly efficient staff are always on hand to help when required.Jerry GriffinFacilities Manager, PEI-Genesis UK Ltd
We originally approached Columbus to help us fill the gaps in our inbound solutions portfolio. Due to their fantastic support, customer service and willingness to work closely together, we have worked in partnership for over 10 years. This has resulted in significant advances for our mobile, SIP and Hosted PBX offerings. The key area any business appreciates most is the ease in which it can engage, plan and deliver projects for customers with its partners. With Columbus, we can always provide a great service for our customers… we simply do not get the same level of service from any other company.Christian CoeManaging Director - Telecoms Advisor Ltd
Working with Columbus is easy; they are great partners and the team responds quickly to our requests for input. In fact, they are the most responsive and easy to work with partner we have, even when we have challenges to resolve.Gabrielle AlamManaging Director, Eyes2market UK Ltd
Latest from the Columbus Blog…
Cameron Stevenson at Columbus UK wins QA Scotland Tech Apprentice of the Year 2023
KnowBe4 ranked as the top Security Awareness Training Platform
Apple security flaw – update your Apple devices
KnowBe4 Named a Leader in The Forrester Wave for Security Awareness and Training Solutions
“Make operational life simpler by switching to a single, reliable and trusted solution provider and concentrate on what’s really important to your business.”
What We Deliver…
Outstanding customer service and account management
A single supplier to help you consolidate services and reduce costs
Hassle free switching from your incumbent provider
Excellent network coverage and resilience
Extensive, high quality portfolio of services covering voice, data, mobile and IT
Reduced admin time with a single invoice for all services and a single point of contact
Big savings on multiple service bundles, competitive tariffs and accurate and timely bills
Commercial strength, stability and longevity