eMerchant Solution Payment Processing

Payment Card Industry (PCI) Data Security Standard (DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. PCI DSS requirements are set forth and managed by the PCI Security Standards Council, an independent body created by the major payment card brands (Visa, MasterCard, American Express, Discover, and JCB). The PCI DSS requirements are available at: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml.

Do you need to be PCI compliant?

PCI applies to ALL organizations (merchants, service providers, and payment gateways) that accept, transmit, or store any cardholder data, regardless of size or number of transactions processed. Depending on the number of transactions processed annually and how the transactions are accepted, a merchant may be required to commit to greater levels of compliance assessment and scrutiny.

Example: Under the Visa Cardholder Information Security Program, merchants processing, storing, or transmitting under 20,000 Visa e-commerce transactions annually are recommended to complete an annual Self-Assessment Questionnaire (SAQ) and perform quarterly network scans. Merchants who process over 20,000 to 1 million Visa e-commerce transactions annually are required to complete an annual SAQ, perform quarterly network scans, and complete an Attestation of Compliance form, which is submitted to their acquirers.

How can using TotalTransact make you PCI compliant?

TotalTransact™ is a suite of payment acceptance and initiation services tailored for merchants and businesses that accept eCheck, Card, and/or Remote Deposit Capture (RDC). TotalTransact is composed of three products: eCheck, Card, and RDC. TotalTransact Card provides merchants with the ability to accept and process credit and debit card payments where the card information is mailed in, given over the telephone, obtained face-to-face, or received from the Internet. Card-present and card-not-present transactions are both supported.

Applications that integrate with TotalTransact Card can initiate both one-time payments and set up recurring card payments. Applications can also obtain reporting information concerning the status of a payment or payments.

TotalTransact™ is PCI compliant. By using TotalTransact or integrating with it, the merchant can take advantage of TotalTransact to be PCI compliant. The following table shows how the merchant can integrate with TotalTransact and how each integration option enables the merchant to be compliant with PCI DSS.

NOTE: Merchants who handle mailed-in, face-to-face, or telephone-based card payments must not store the cardholder data. If the merchant does store the cardholder data outside the TotalTransact system, the merchant will be required to assess its compliance obligations under the PCI Data Security Standard. This applies particularly to merchants that use HTTPS POST, Virtual Terminal and Web Services.

| Integration Option | Description | Process Compliance | Storage Compliance | Transmittal Compliance |
|---|---|---|---|---|
| Online Payment Page | Accept payments online by redirecting the payer to the TotalTransact online payment page. | Cardholder data is processed by TotalTransact. Once payment has been processed, the customer is redirected back to the merchant’s website. | Cardholder data is never stored on the merchant’s website. TotalTransact maintains the payer’s payment information. | All cardholder data is collected and handled between payer and TotalTransact. |
| Virtual Terminal | Process card present face-to-face or card not present mailed-in and telephone payments through a TotalTransact web application. | Cardholder data is processed by TotalTransact systems. | Cardholder data should not be stored at the merchant’s location. TotalTransact maintains the payer’s payment information. | All cardholder data is collected and handled between payer and TotalTransact. |
| HTTPS POST | Process payments by having the payer directly send the payment information to TotalTransact via HTTPS POST. | Cardholder data is processed by TotalTransact. Once payment has been processed, the customer is redirected back to the merchant’s website. | Cardholder data should not be stored at the merchant’s location. TotalTransact maintains the payer’s payment information. | All cardholder data is collected and handled between payer and TotalTransact. |
| Web Services | Process payments by having the payer directly send the payment information to TotalTransact via Web Services. | Cardholder data is processed by TotalTransact. Once payment has been processed, the customer is redirected back to the merchant’s website. | Cardholder data should not be stored at the merchant’s location. TotalTransact maintains the payer’s payment information. | All cardholder data is collected and handled between payer and TotalTransact. |
| User Interface (UI) Reports | Access Web reports that summarize the payments processed via TotalTransact. | Elided cardholder data is provided to the merchant with a merchant-provided reference number to link the payment to the merchant’s A/R system. | The merchant may obtain the payment information with the elided cardholder data. TotalTransact stores and maintains the cardholder information for subsequent use. | No cardholder data is provided to the merchant. |
| Batch Reports | Receive batch reports that summarize payments processed via TotalTransact for updating | Elided cardholder data is provided to the merchant with a merchant-provided reference number to link the payment to the merchant’s A/R system. | The merchant may obtain the payment information with the elided cardholder data. TotalTransact stores and maintains the cardholder information for subsequent use. | No cardholder data is provided to the merchant. |