What Is Global Fortress?
Global Fortress is designed as a first line of defence to provide you with the resources to help you in your fight against fraudsters. It simplifies the process for you to achieve and maintain Payment Card Industry Data Security Standard (PCI DSS) compliance, by giving you access to the resources you need to protect your customer card data.
The Benefits Of Global Fortress Include:
A one-stop shop of resources to help you achieve PCI DSS compliance.
Access to SecurityMetrics™, our Qualified Security Assessor (QSA) partner for this product, who will support you in taking the necessary steps to achieve PCI DSS compliance. With SecurityMetrics™ and us here to help, you will have the information and support you need to achieve and maintain your PCI DSS compliance.
Access to SecurityMetrics™ PANscan™, a simple-to-use tool that will help ensure you aren't storing customer card data.
You can avoid our non-compliance charge and you will reduce your risk of incurring substantial fines imposed by the Card Schemes.
When you sign up to Global Fortress, the remainder of the current month will be free.
If you achieve and maintain PCI DSS compliance using Global Fortress and pay the fees as they fall due, we may, at our sole and absolute discretion, waive our rights of recovery from you (whether under this agreement or otherwise) following a Data Breach, up to an absolute maximum waiver of £25,000 in any 12 month period. Whether or not we waive our rights will be considered on a case by case basis in respect of each Data Breach.
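As an added illustration of the check that a tool like PANscan™ performs (this is example code written for this page, not PANscan's own code and not part of the original brochure): a small scanner that finds probable stored card numbers in text files. It assumes Visa and MasterCard prefixes and lengths only, uses the Luhn check digit to discard order numbers and phone numbers, and masks each finding to the first six and last four digits so that the report itself does not store card data. The sample data is constructed.

```python
import re
import sys
from pathlib import Path

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test: every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def issuer(digits: str):
    """Brand from the leading digits. Assumed prefixes/lengths for Visa and MasterCard only."""
    if digits[0] == "4" and len(digits) in (13, 16, 19):
        return "Visa"
    if len(digits) == 16:
        two, four = int(digits[:2]), int(digits[:4])
        if 51 <= two <= 55 or 2221 <= four <= 2720:
            return "MasterCard"
    return None


def mask(digits: str) -> str:
    """Keep first six and last four only, so the scan report does not itself store a PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str):
    """Return (brand, masked PAN, line number) for each probable card number in text."""
    findings = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            continue  # order numbers, phone numbers, timestamps
        brand = issuer(digits)
        if brand is None:
            continue
        line_no = text.count("\n", 0, m.start()) + 1
        findings.append((brand, mask(digits), line_no))
    return findings


def scan_file(path: Path):
    """Scan one file; bytes are decoded leniently so logs and dumps are covered too."""
    text = path.read_bytes().decode("utf-8", errors="ignore")
    return [(str(path),) + f for f in scan_text(text)]


# Constructed sample: a 13-digit order number (fails Luhn), a phone number
# (too short), the well-known Visa and MasterCard test numbers, and a typo.
SAMPLE = """\
order_id=1234567890123 phone=0844 800 3638
customer=J Smith card=4111 1111 1111 1111 exp=12/26
refund card=5555555555554444 amount=25.00
typo card=4111111111111112
"""

if __name__ == "__main__":
    roots = [Path(p) for p in sys.argv[1:]]
    if not roots:
        for brand, masked, line_no in scan_text(SAMPLE):
            print("sample:%d %s %s" % (line_no, brand, masked))
    for root in roots:
        for path in (root.rglob("*") if root.is_dir() else [root]):
            if path.is_file():
                for name, brand, masked, line_no in scan_file(path):
                    print("%s:%d %s %s" % (name, line_no, brand, masked))
```

Run it with no arguments to scan the built-in sample, or pass files and directories to walk. It only sees data it can decode as text, so card numbers inside encrypted archives or database files must be exported to a text dump before scanning.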
Sign Up For Global Fortress Today
Call SecurityMetrics™ on 0844 800 3638* or visit www.globalfortress.co.uk.
When signing up please have the following to hand:
Your Merchant ID Number/s
All IP Address/es where card data is stored, processed or transmitted (which can be a website and/or an office PC)
Details of any Payment Service Providers used
Authority to proceed (from the business owner if it's not you)
*Lines are open Monday to Friday, 9am - 5pm. Calls may be monitored and/or recorded. Any recording remains the sole property of SecurityMetrics™.
PCI DSS Compliance is mandated by the Card Schemes including Visa and MasterCard.
Global Fortress is not a guarantee of compliance but will help you on your journey. There may be specific actions you will be required to take in order to implement improved security processes or procedures. We will, of course, be happy to direct you to the appropriate resources who can provide assistance to help you with this.
Non-compliance Is Not Acceptable
Under our Card Processing Agreement, you are required to achieve and maintain PCI DSS compliance. We are now enforcing this requirement. If you don't do this, we will charge you a monthly non-compliance charge to cover the increased risks and costs associated with us supporting your business. We will advise when this applies to you.
Our monthly non-compliance charge will also apply to merchants who choose Global Fortress but fail to achieve compliance. This will be applied in addition to your normal monthly fee for Global Fortress.
So is your customer card data secure? If you are not PCI DSS compliant, it's very unlikely!
The card payment industry has developed a minimum standard that must be adopted by all merchants who store, process or handle customer card data, which helps to reduce these risks to a more acceptable level. This global standard is known as the Payment Card Industry Data Security Standard (PCI DSS). It is supported and enforced by the global Card Schemes, including Visa and MasterCard.
This standard has been enforced for larger merchants and all e-commerce merchants, resulting in a reduction in data breaches. However, criminals have now shifted focus to attack small businesses, especially where the Card is Not Present (CNP) at the time of transaction, i.e. online, mail and telephone order transactions.
This poses a very real risk to your business. If you process fewer than a million Visa and/or MasterCard transactions every year, you are classified by the Card Schemes as a level 3 or level 4 merchant. Global Fortress is the simplest route to PCI DSS compliance with us.
In order for you to become compliant you will need to complete a Self Assessment Questionnaire (SAQ). Depending on your business, you may also be required to have your systems inspected with a quarterly vulnerability scan. SecurityMetrics™ will advise you of the actions you will need to undertake when you sign up to Global Fortress.
The card payment industry is increasingly concerned about the security of customer card data. Essentially, this is the personal, sensitive data stored on or in the card that is key to making a transaction. All too often this is easily accessible once the card has been accepted by a merchant. Fraudsters hack into defenceless systems and steal unprotected data, which they then use fraudulently. The proceeds of these crimes may be used to fund other illegal activities. In the wrong hands, customer card data is more valuable than cash!
The 12 key requirements are:
1. Install and maintain a firewall configuration to protect customer card data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of customer card data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to customer card data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and customer card data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for employees and contractors
With effect from 01 July 2012, Card Scheme rules require that all merchants and service providers using third-party provided ("off-the-shelf") payment application software use software that is Payment Application Data Security Standard (PA-DSS) compliant. Failure to comply will render any PCI DSS compliance invalid and make your annual PCI DSS renewal more complex after this date. Further information on PA-DSS and PCI DSS is available on the official website.
Why Should You Care?
If the customer card data you process isn't held safely and securely, your data could be stolen!
If this were to happen, theft of your customer card data could cost you:
Loss of business
Loss of sales
Adverse reputational issues
Bad publicity
Card Scheme fines, which are at least £10,000 and are potentially unlimited. For example, one of our merchants was fined £100,000 as a result of a data breach
Costs of corrective measures, including forensic investigation costs, which can be tens of thousands of pounds
Significant inconvenience
If you process card transactions, you are responsible for securing your customer card data and you are mandated by the Card Schemes to comply with PCI DSS.
Why SecurityMetrics™?
SecurityMetrics™ is a long-established QSA with significant expertise in achieving PCI DSS compliance and a proven history of customer service excellence. Among other things, SecurityMetrics™ provides:
Expert assistance in determining validation requirements
An easy-to-use online portal for quick and accurate compliance validation
PCI DSS Frequently Asked Questions, videos and tutorials
Technical support to assist with SAQ and scan results
PANscan™
What Happens If I Don't Choose Global Fortress?
You don't have to choose Global Fortress, but you must achieve and maintain PCI DSS compliance. Essentially you have three options:
Option 1: Through An Alternative QSA
There are a number of QSAs who can help you. If you use one of these alternative QSAs, you must inform us and prove you have achieved and are maintaining compliance.
It is our responsibility to verify your compliance status and register you with Visa and/or MasterCard. Therefore please ensure you provide us with a copy of:
Your certificate of compliance (annually) and your scan results (quarterly)
If you utilise a Third Party (other than our Secure ePayments/Global Iris™) and/or a Payment Service Provider (PSP), a copy of their certificate of compliance
You will not be compliant with the PCI DSS requirements until we have received and registered your compliance status with the Card Schemes.
If you prefer to achieve compliance through an alternative QSA, this will incur a monthly administration fee charged by us. This will be in addition to any fees charged to you by your alternative QSA.
Option 2: Self Assessment Questionnaire (SAQ) Only
Dependent on your individual circumstances, you may be able to achieve and maintain compliance by completing the appropriate SAQ annually.
You will have to satisfy yourself that you are compliant, and you should note there are large penalties for breached merchants who claim to be compliant and aren't. If you prefer to achieve compliance through self-completion of an SAQ, this will incur a monthly administration fee charged by us.
Option 3: Fail To Comply - Pay The Monthly Non-compliance Charge And Increase Your Risk Of Unlimited Fines
If you do not comply with PCI DSS, we will apply a monthly non-compliance charge. We will advise when this applies to you.
Not being compliant is worse than having to pay our non-compliance charge: it means you are at a higher risk of being breached. In cases of persistent failure to comply with the PCI DSS, we may have to resort to cancelling your card processing facility.
Please send copies of your completed documentation to us at:
PCI DSS Compliance Programme
HSBC Merchant Services LLP
51 De Montfort Street
LEICESTER LE1 7BB
Terms And Conditions
Please read the enclosed Terms and Conditions regarding Global Fortress and make sure you understand these before you sign up.
When you sign up for Global Fortress you will incur a monthly fee, invoiced in arrears. The current fees and charges are detailed in the literature enclosed in this brochure cover.
HSBC Merchant Services LLP
51 De Montfort Street
Leicester
LE1 7BB
Tel 0845 702 3344
Textphone 0845 602 4818
www.globalpaymentsinc.com/UK
HSBC Merchant Services LLP is authorised by the Financial Services Authority under the Payment Services Regulations 2009 (504290) for the provision of payment services.
HSBC Merchant Services LLP is a limited liability partnership registered in England number OC337146. Registered Office: 51 De Montfort Street, Leicester, LE1 7BB. The members are Global Payments U.K. Limited and Global Payments U.K. 2 Limited. Service of any documents relating to the business will be effective if served at the Registered Office.