PCI compliance (UK) if you're not accepting cards on your site

What’s the current situation in the UK with regards to banks and making their customers take PCI compliance questionnaires and scans.

A while ago I had a client whose bank made him do both a questionnaire and a scan. The scan was done as though they were accepting cards on their site but it was just Sage Pay Form. It’s reared its ugly head again, different bank and scanner this time but the client is panicking as they’ve failed a scan. I’ve looked at it and looks like they’ve assumed, again, that they are taking cards on their site.

Am I right in saying a bank can make them do a self-assessment questionnaire but a scan is pointless if you aren’t accepting or storing card information? They aren’t storing anything sensitive, i.e. no card info.

This used to be the case, does it still ring true? Am I also right in saying someone needs to be PCI compliant if they have a card machine in their office/shop but this has nothing to do with the website and is between the client and their bank? that is, PCI compliance is not just about websites.

There is different levels of PCI compliance, have you checked what level they are checked against?

If they accept credit card payments on their website, and the customer enter it on their website, and then they in the background forward the information to their merchant, they need to be PCI compliant on level 4.

If they just use payment button similar to Paypal, and send the customer over to the merchants site to pay, they do not normally need to be PCI compliant (unless of course the merchant require it to offer them an account).

Since you mention they filled out a PCI compliance questionnaire and had a scan made, it sounds like level 4 (at higher levels, there is more into these checks).

It is quite common that these scans fails due to how servers are patched for security vulnerabilities, as the server might still report an older version number even if it use the latest updates. We have to send over documentation for some of our clients several times a year due to this.

The recommended approach is just to look at which of the scans failed, to get the reason, and then talk with the hosting company (or the company managing the servers). Then if it is a false positive as I mentioned above, they will provide a update log, that then should be sent over to the PCI scanner company.

Thanks for the detailed reply.

This is the one. My point is the companies that do the scans seem to automatically assume you are taking cards.

Thanks though, you confirmed what I was thinking.

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.