Page 1 of 1

FAQ 411: Do I need to be PCI compliant to use Worldpay?

PostPosted: July 8th, 2013, 2:09 pm
by Support
We've teamed up with Worldpay to allow you to process credit/debit card payments direct from ClinicOffice. Please see here for more information :-
http://www.pioneersoftware.co.uk/co-worldpay

However, one question that we're often asked is...

Do I need be "PCI Compliant"?

If you ONLY use the "virtual terminal" in ClinicOffice to process payments and you do NOT have a physical card machine, our recommendation would be to complete a PCI Compliance "SELF ASSESSMENT QUESTIONNAIRE" (known as a SAQ) and ensure that you comply with it.

Please note that this COSTS NOTHING and you don't even have to send the form off to anyone, however if you were ever accused of card theft or of processing unauthorised transactions, then being able to demonstrate that you had complied with PCI guidelines would be very valuable.

Here is a link to the Self-Assessment Questionnaire's on the PCI Security Standards Council website :-
https://www.pcisecuritystandards.org/pc ... assessment

With regard to completing a PCI Compliance Self Assessment Questionnaire, here are the key points :-

    - Card data is not stored or processed by ClinicOffice
    - Card data is stored securely and processed securely by Worldpay
    - Worldpay are Level 1 PCI Compliant (this is the highest possible level of PCI compliance)
    - ClinicOffice uses a Worldpay MAIL ORDER/TELEPHONE ORDER" (MOTO) gateway, which means all transactions are considered to be "CUSTOMER NOT PRESENT"... even if the customer is physically there and hands over their card to you (yes, this does sound completely counter-intuitive!)

Q. Which Self Assessment Questionnaire (SAQ) do I need to complete?

Confusing isn't it? There is an "Instructions and Guidelines Document" which (allegedly) clears things up and helps you decide :-
https://www.pcisecuritystandards.org/do ... s-v3_2.pdf

Given the facts (listed in the above section) about how ClinicOffice operates with a Worldpay MOTO account, Worldpay advised us that SAQ A would be appropriate for ClinicOffice customers using the "virtual terminal".


Q. What if I DO want to have a physical card machine?

Firstly, please note that it’s not possible for an external piece of software like ClinicOffice to integrate with a physical card machine. This means that payments processed through the card machine will NOT show up in ClinicOffice - which kind of defeats the purpose!

Also, if you do have a physical machine, then PCI Compliance requirements get turned up a notch. It would be best to speak to your card machine provider to ask them what they would recommend. Also, it would probably be a good idea to enrol in a "PCI Compliance Support Programme" to ensure that you can attest to ongoing compliance. Worldpay offer such a programme called SaferPayments :-
http://www.worldpay.com/uk/sme/saferpayments


We hope this information has been helpful. For further information, please see the Official PCI Security Standards Council website :-
https://www.pcisecuritystandards.org

*** DISCLAIMER ***
The above information is offered for guidance only and is based on the information we ourselves have been given from Worldpay. PCI DSS compliance is (in our opinion) absurdly complex and prone to regular changes and updates. Ultimately it's your responsibility to determine (a) whether PCI DSS compliance applies to your company (b) if so, to what level and (c) to make sure you comply.