What is PCI DSS Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment.
The PCI DSS is administered and managed by the PCI Security Standards Council (SSC), www.pcisecuritystandards.org, an independent body created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).
Regardless of size or number of transactions, all merchants that accept, transmit or store any cardholder data must comply with the PCI DSS.
Merchants that do not comply with the PCI DSS may be subject to fines, card replacement costs, costly forensic audits, brand damage, etc., should a breach occur.
Who has to be PCI DSS Compliant?
The requirements of the PCI DSS apply to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data.
What happens if I do not comply?
Merchants that do not comply with the PCI DSS may be subject to fines, card replacement costs, costly forensic audits or brand damage should a data breach occur. Failure to complete your PCI registration annually will result in a $19.95 monthly non-compliance fee billed to your merchant account. Completing your PCI registration and getting certified will stop this fee from being billed.
How much will this cost me?
It is important to understand that Payment Card Industry Data Security Standard (PCI DSS) compliance is the responsibility of every merchant who accepts credit cards, regardless of who your processor may be. Unfortunately, there are costs associated with becoming PCI DSS compliant. Nationwide is pleased to be able to offer our PCI program through Comply Guard Networks at a very competitive price. Effective November 30th, all merchants will be billed an annual PCI Support Fee of $79. This fee covers the overall cost for Comply Guard Networks to support our merchants in both becoming and maintaining their annual PCI DSS compliance, as well as any required network scanning, if applicable.
Why is it that all service providers are not requiring that merchants participate in a PCI DSS Support Program at this time?
While validation is not yet required, PCI DSS compliance is mandatory. Many processors have already implemented or are in the process of implementing these types of programs. It is expected that validation will be required industry-wide in the near future. Merchants should also consider why they would want to process with a company that does not take their data security seriously. PCI DSS programs are designed to help protect cardholders' information and to help merchants avoid fines and potentially negative exposure. With the recent compromises in data security, it is essential that merchants understand the value that these programs provide.
Will a PCI DSS Support Fee apply to each location?
If, upon completion of the SAQ with Comply Guard Networks, it is determined that each of your locations handles cardholder data the same way with regard to PCI DSS compliance, and that no location uses an IP terminal/software configuration, a single fee may apply. Based upon the information provided in the merchant's SAQ, individual locations may be responsible for their own PCI DSS Support Fee.
What defines a multi-location merchant?
Multi-location merchants are defined as businesses that share the same Federal Tax ID.
Why haven’t I heard from the card brands regarding PCI DSS Compliance?
The individual card brands require that Merchant Banks/Processors implement their own PCI DSS Compliance Programs to educate merchants on compliance and ensure that they meet PCI DSS compliance requirements. They require that all Merchant Banks/Processors have a plan in place to ensure that all of their merchants obtain and maintain compliance with the standard. Most of the breaches you hear of in the news involve large retailers, but many people do not realize that over 80% of compromises occur at small merchant locations.
How do I get started?
1. The first step is to click on the link "Get into Compliance" and answer a Self-Assessment Questionnaire (SAQ); this will tell us how you process credit cards. Your answers will determine what additional steps, if any, are necessary.
- As part of the SAQ process, all merchants must confirm that a written security policy is in place (PCS/Comply Guard Networks merchant portal will provide you with the required security policy for your business).
- Merchants who come into contact with credit card data at any point in their daily routine are also required to have a Security Awareness Training program in place that informs their employees of the importance of data security (merchants can access a Security Awareness Training program in the PCS/Comply Guard Networks merchant portal).
2. If you electronically store cardholder information or if your processing systems have any internet connectivity, you may be required to complete a passing vulnerability scan for each IP address you own. Comply Guard Networks is a PCI SSC Approved Scanning Vendor (ASV) and will provide such scans as part of the program. Note that scanning does not apply to all merchants.
3. Finally, each merchant must submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer. PCS/Comply Guard Networks will submit this information on your behalf as part of the program.
Can I switch to a new processor who doesn’t require compliance?
All acquirers are responsible for ensuring that all of their merchants comply with the PCI DSS requirements; therefore, all processors are required by the card brands to implement a PCI DSS Compliance Program. Switching to a competing processor will NOT avoid the need to get into PCI DSS compliance, nor the fees involved. We have partnered with ControlScan because they provide the best value for our merchants while providing full support to help you get into compliance.
How long is this going to take?
The time it takes to achieve compliance is dependent upon how you process credit card data. If a vulnerability scan is not required, achieving compliance can be completed in a short amount of time. This of course depends on your availability to work with Comply Guard Networks in completing the SAQ. In an effort to make the process go faster, PCS will provide toll-free support to assist you.
My shopping cart/payment gateway/processing is outsourced, so why is this my responsibility? If I am breached, wouldn't it be their fault?
Merely using a third-party software company does not exclude you from PCI DSS compliance. It may reduce your risk exposure and consequently reduce the effort needed to validate compliance. However, it does not mean you can ignore the PCI DSS. All merchants are required to complete the SAQ annually.
Getting into compliance also addresses the internal security practices and procedures behind handling credit card data. One of the leading causes of data breaches is employee error or carelessness when handling sensitive information. This is why proper policies should be in place and formal Security Awareness Training should be conducted. Your business must protect cardholder data from the moment you receive it. You must also ensure that your software provider's application and card payment terminals comply with the respective PCI standards and do not store sensitive cardholder data. You should request a certificate of compliance annually from such providers to confirm that they are compliant. PCS can assist you with this.
My payment application is already compliant, what else do I need to do?
Utilizing a compliant software payment application is a best practice towards achieving compliance, but PCI DSS compliance also covers data security, physical security and network security; therefore, you are still required to complete an annual PCI DSS Compliance Review via the PCS/Comply Guard Networks merchant portal.
If I only accept credit cards over the phone, does PCI still apply to me?
Yes. All businesses that store, process or transmit payment cardholder data must be PCI DSS Compliant.
What is a network security scan?
A network security scan involves an automated tool that checks a merchant or service provider’s systems for vulnerabilities. The tool will conduct a non-intrusive scan to remotely review networks and Web applications based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider.
The scan will identify vulnerabilities in operating systems, services, and devices that could be used by hackers to target the company's private network. When provided by an Approved Scanning Vendor (ASV) such as Comply Guard Networks, the tool does not require the merchant or service provider to install any software on their systems, and no denial-of-service attacks will be performed.
Do I need vulnerability scanning to validate compliance?
If you electronically store cardholder data post authorization or if your processing systems have any internet connectivity, a quarterly scan by a PCI SSC Approved Scanning Vendor (ASV) is required.
How often do I have to scan?
Every 90 days (once per quarter). Scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV). Comply Guard Networks is a PCI Approved Scanning Vendor and will provide such reporting as needed on your behalf as part of the program.
I am a merchant that requires vulnerability scanning. I am not technical; therefore, I cannot make changes to my system. What should I do?
Once you have completed your PCI DSS registration, you may call Comply Guard Networks' toll-free support number; they will provide guidance in helping you understand the vulnerabilities found on your scan report, if any. Comply Guard Networks will make recommendations on how to correct the issue(s) and arrange additional scans if needed.
If I’m running a business from my home, am I a serious target for hackers?
Yes, home users are arguably the most vulnerable simply because they are usually not well protected. Adopting a 'path of least resistance' model, intruders will often zero in on home users, frequently exploiting their 'always on' broadband connections and typical home-use programs such as chat, Internet games and P2P file sharing applications. Comply Guard Networks' scanning service allows home users and network administrators alike to identify and fix any security vulnerabilities on their desktop or laptop computers.
Where can I find the PCI Data Security Standards (PCI DSS)?
The Standard can be found on the PCI SSC’s Website.