Totally Herby

PCI DSS compliance


What PCI DSS means, to you and to us.

What is PCI DSS?
PCI DSS is a set of standards and procedures set up by the major card providers such as Mastercard and Visa, which must be followed by merchants and all others who transmit, store, process and dispose of credit and debit card data. PCI DSS stands for Payment Card Industry Data Security Standards, designed to reduce card fraud.

What does PCI DSS mean to you?
It is designed to allow you to use your card with confidence and security, whether online, over the phone, or in a shop. Merchant compliance should reassure you that your card data will not be stolen, left carelessly lying about, thrown in the bin without being shredded securely or incinerated, or left on an insecure computer.

What does PCI DSS mean to us?
To achieve compliance we follow very secure procedures at all stages with your card data; it must be encrypted at all times, whether on entry into online order forms, during transmission over the internet, or if temporarily stored on any computer. Access to your data is restricted to authorised personnel only; it must be stored securely while needed, then paper copies are destroyed by shredding or incineration when no longer needed. We are required to store your details and merchant receipt (no CSC) for at least 18 months in case of chargeback. Our terminal uses AVS (Automated Verification Service) to check your security code (CSC) and address details. We never take payment without a valid CSC, and only ignore an address warning if we have checked otherwise. Your security code (CVV / CSC) is obliterated as soon as your card is debited.

What are and were the target dates for PCI DSS compliance by merchants?
The date for PCI DSS compliance was 31st December 2008; we believe we were compliant then. We have taken cards online since 1998 and had no security compromises. Our Merchant Services provider (was Bank of Scotland, is now Streamline/Worldpay through FSB) required us to register PCI DSS compliance by 31st March 2010.

Has Elmbronze Ltd (trading as Totally Herby of Scotland) formally registered PCI DSS compliance?
Yes, first in Dec 2009. Our PCI DSS (and Data Protection) controller is a family member, with 28 years in DP/IT up to year 2000, in banks and financials, and IBM as well as manufacturing. Your card data needs to be just as securely handled by a family business as by a large one. Compliance lasts a year before it has to be renewed, but can be revoked at any time by the acquiring merchant bank. We review security constantly.

Please note that we do NOT debit your card online, only manually from our secure office PDQ telephone terminal.

Please also visit our privacy page.

© Copyright 2001-2024  Elmbronze Ltd  Scotland