Capita has consistently been first to market with appropriate fraud protection measures. These include:
• Managed Service products running on a certified PCI DSS Level 1 service, first accredited in 2007
• Hosted in Capita’s own dedicated data centres, among the first in Europe to receive PCI DSS ‘hosting provider’ certification
• Site-based products are compliant with the Payment Application Data Security Standard (PA-DSS), for which we were first accredited in 2009
• Card details are never stored on-site
• Payments are classed as ‘secure’, so payments through Capita qualify for highly competitive card processing costs, because the following recommended fraud protection measures are in place:
  • Chip & PIN for cardholder present payments
  • Card Security Code (CSC) for cardholder not present (contact centre / internet / automated telephone) payments
  • 3D Secure (Verified by Visa / MasterCard SecureCode) for internet payments
• Compliance with PCI call recording requirements, which include the option to suppress call recording in line with requirement 3.2 of the PCI DSS. This requirement states that systems must not store any sensitive authentication data, including card validation codes and values (such as the CSC), after authorisation
• Tokenisation ensures card details, once stored, are replaced by a token (an encrypted surrogate value) to be transferred between systems rather than the card details themselves. This is in line with requirement 3.4 of the PCI DSS
• Point-to-point encryption is the transmission of data within the card processing environment with no decryption of the data feasible at any point between the source and destination. Building upon our extensive experience in applying card encryption measures, Capita is working closely with device vendors and the PCI Security Standards Council (SSC) in order to ensure its solution is compliant with the forthcoming PCI SSC standard due later in 2012.
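The two PCI DSS points above (requirement 3.2: never retain the CSC after authorisation; requirement 3.4: keep a surrogate token rather than the card number in downstream systems) can be shown in code. The following is an added illustration written for this page, not Capita's own product code, and it makes assumptions the page does not state: the vault is an in-memory dictionary standing in for a PCI-scoped secure store, the token is a random value rather than an encryption of the card number, the authorisation is simulated, and the card number is a constructed test value.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class AuthorisationRequest:
    """Constructed sample input: what a contact centre or web form would submit."""
    pan: str       # primary account number (card number)
    expiry: str    # MM/YY
    csc: str       # card security code; sensitive authentication data under PCI DSS 3.2


def luhn_ok(pan: str) -> bool:
    """Basic check-digit validation of a card number (Luhn algorithm)."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS 3.3 display form: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Assumed stand-in for the PCI-scoped token vault.

    Only this object ever holds full card numbers. Downstream systems receive
    a random surrogate token that carries no information about the PAN.
    """

    def __init__(self, lookup_key: bytes):
        self._lookup_key = lookup_key   # keyed fingerprint so one PAN maps to one token
        self._by_token: dict[str, str] = {}
        self._by_fingerprint: dict[str, str] = {}

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenise(self, pan: str) -> str:
        fp = self._fingerprint(pan)
        if fp in self._by_fingerprint:
            return self._by_fingerprint[fp]          # repeat customer: reuse token
        token = "tok_" + secrets.token_hex(16)       # random, not derived from the PAN
        self._by_token[token] = pan
        self._by_fingerprint[fp] = token
        return token

    def detokenise(self, token: str) -> str:
        """Only the vault can map a token back to a card number."""
        return self._by_token[token]


def process_authorisation(req: AuthorisationRequest, vault: TokenVault) -> dict:
    """Simulated authorisation: the CSC is used transiently and never written out.

    The record returned is what may be kept after authorisation: a token,
    the masked PAN and expiry, but no CSC and no full card number.
    """
    approved = luhn_ok(req.pan) and req.csc.isdigit() and len(req.csc) in (3, 4)
    record = {
        "approved": approved,
        "masked_pan": mask_pan(req.pan),
        "expiry": req.expiry,
    }
    if approved:
        record["token"] = vault.tokenise(req.pan)
    # req.csc deliberately not copied anywhere: it is discarded with the request
    return record


if __name__ == "__main__":
    vault = TokenVault(b"constructed-lookup-key")
    rec = process_authorisation(AuthorisationRequest("4111111111111111", "12/29", "123"), vault)
    print(rec)
```

The stored record contains the masked PAN and a token but never the CSC, and the token is generated with `secrets` rather than by encrypting the card number, so a leaked token or token table reveals nothing about the card; only the vault, which sits inside the PCI scope, can dereference it.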