Best practices for PCI DSS compliance

Maintaining compliance with PCI DSS 4.0 rules can seem daunting at first. In this article, we will detail some of the most relevant changes introduced by the new framework and share best practices to make this as easy as possible for you.

Disclaimer

This document should be used only for guidance purposes, and should not be taken as definitive advice. We invite you to consult a PCI DSS Qualified Security Assessor (QSA) for clarification.

Online payments

As a general recommendation, you can maintain PCI compliance by:

  • Using one of Mollie's recommended payment integrations to securely transmit payment information directly to Mollie.
  • Ensuring your payment pages are served over HTTPS, so that payment data is protected in transit by Transport Layer Security (TLS).

There are multiple other requirements that are part of the PCI DSS framework.

Please note that Mollie can’t give you definitive advice on your own PCI compliance, as we do not have all the details about your setup. There is no one-size-fits-all PCI compliance advice: if you store or process card data yourself, additional PCI requirements may apply to you. Depending on your integration and setup, you are responsible for complying with the applicable PCI DSS requirements.

Offline payments

Mollie's customers who use POS devices also have some responsibilities in ensuring the security of their systems and protecting both the terminal hardware and the sensitive data processed through them.

Accept and Install Software Updates Pushed to the Terminals

Mollie expects Merchants to accept software updates and vulnerability patches when they are pushed to the terminals, and not to unnecessarily postpone these updates.

Network Security

You should ensure that your network infrastructure is secured with firewalls and intrusion detection systems (if applicable). Additionally, you are responsible for securing your integration systems with Mollie to protect them from tampering.

Physical Security Measures

You should implement physical security measures to protect POS devices from theft, tampering, or unauthorised access. This may include installing security cameras, using lockable storage, and restricting access to areas where POS devices are located.

Employee Training

You should provide regular security training to your employees who handle and use POS devices. Training should cover topics such as phishing, skimming, and substitution awareness, as outlined in the guidelines linked below.

Verify the Identity of Third-Party Persons or Remote Connection Requests

Before granting access to modify or troubleshoot your devices, you must first verify the identity of any third-party persons (claiming to be repair or maintenance personnel) who either show up in person at your place of business or attempt to remotely connect with you or your terminal online.

Maintain an Up-to-Date List of Devices

When you receive your POS device from Mollie, check your merchant dashboard or invoice to validate that you have received the correct device before using it. You can keep track of your devices in your own inventory, such as a spreadsheet, or use Mollie’s merchant dashboard.

Periodic Device Inspection

As required by PCI DSS, you should periodically inspect your POS devices to ensure they are safeguarded against tampering and unauthorised substitution.
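The two points above, keeping an up-to-date device list and inspecting devices periodically, only pay off when the inspection results are actually reconciled against the list. The following Python script is an added example, not Mollie's code and not part of this article: it compares a simple inventory (as you might keep in a spreadsheet, recorded from your dashboard or invoice) with a log of periodic inspections and flags serial numbers that are not on the list (possible substitution), devices found at an unexpected location, broken tamper seals, devices never inspected, and inspections older than an assumed policy interval. All serial numbers, locations, dates and the 90-day interval are constructed assumptions; set the interval to whatever your own documented inspection policy requires.

```python
"""Added example (not Mollie's code): reconcile a POS terminal inventory against
periodic inspection records. All device identifiers, locations and dates are
constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Device:
    serial: str        # serial number as recorded from the dashboard or invoice
    model: str
    location: str


@dataclass(frozen=True)
class Inspection:
    serial: str        # serial number read off the terminal during inspection
    location: str      # where the terminal was actually found
    inspected_on: date
    seal_intact: bool  # state of the tamper-evident seal/label as observed
    inspector: str


# Constructed inventory: what you expect to own and where it should be.
INVENTORY = [
    Device("SAMPLE-0001", "terminal-model-A", "Store 1, till 1"),
    Device("SAMPLE-0002", "terminal-model-A", "Store 1, till 2"),
    Device("SAMPLE-0003", "terminal-model-B", "Store 2, counter"),
]

# Constructed inspection log, one row per inspection performed.
INSPECTIONS = [
    Inspection("SAMPLE-0001", "Store 1, till 1", date(2024, 5, 2), True, "alice"),
    Inspection("SAMPLE-0002", "Store 1, till 2", date(2024, 1, 15), True, "alice"),
    Inspection("SAMPLE-9999", "Store 2, counter", date(2024, 5, 3), False, "bob"),
]


def review_inspections(inventory, inspections, today, max_age_days=90):
    """Return a sorted list of findings as short text lines.

    max_age_days is an assumed internal policy value; PCI DSS expects the
    inspection frequency to follow your own documented risk analysis.
    """
    findings = []
    known = {d.serial: d for d in inventory}
    latest = {}  # serial -> most recent inspection record for that device

    for rec in inspections:
        if rec.serial not in known:
            # A serial that is not on the inventory at all: the terminal at that
            # location may have been swapped for a different device.
            findings.append(f"UNKNOWN_SERIAL {rec.serial} at {rec.location}")
            continue
        expected = known[rec.serial].location
        if rec.location != expected:
            findings.append(f"MOVED {rec.serial} expected at {expected}, found at {rec.location}")
        if not rec.seal_intact:
            findings.append(f"SEAL_BROKEN {rec.serial} on {rec.inspected_on}")
        if rec.serial not in latest or rec.inspected_on > latest[rec.serial].inspected_on:
            latest[rec.serial] = rec

    for dev in inventory:
        if dev.serial not in latest:
            findings.append(f"NEVER_INSPECTED {dev.serial} at {dev.location}")
        elif today - latest[dev.serial].inspected_on > timedelta(days=max_age_days):
            findings.append(f"OVERDUE {dev.serial} last inspected {latest[dev.serial].inspected_on}")
    return sorted(findings)


def run_sample():
    """Run the review over the constructed data with a fixed 'today'."""
    return review_inspections(INVENTORY, INSPECTIONS, date(2024, 5, 10))


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

With the constructed data the review reports three findings: the device in Store 2 carries a serial that is not on the list (the case a substitution check is meant to catch), SAMPLE-0003 has never been inspected, and SAMPLE-0002 is past the 90-day interval. Replacing the inline lists with rows read from your spreadsheet export turns this into a check you can run after each inspection round.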

We have prepared a Device inspection sample checklist to make the periodic device inspection easier for you. Feel free to download this document using the link below: