Archive for the ‘Data security’ Category

PCI FAQ

Monday, July 6th, 2009

We get lots of questions from merchants about PCI (the Payment Card Industry Data Security Standard). So we’ve prepared a brief FAQ that should help answer many of them.

Q: What is PCI/DSS?

A: The Payment Card Industry (PCI) Data Security Standard details security requirements for members, merchants and service providers that store, process or transmit cardholder data. To demonstrate compliance with the PCI Data Security Standard, merchants and service providers may be required to validate and conduct a network security scan on a regular basis as defined by the PCI Security Standards Council.

The PCI Data Security Standard (PCI DSS) originally began as five different programs from the five credit card schemes. Each company’s intentions were roughly similar: to create an additional level of protection for consumers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data.

The Payment Card Industry Security Standards Council (PCI SSC) was formed as a neutral body to address conflicts among the credit card schemes in developing a standard. On Dec. 15, 2004 the credit card schemes aligned their individual policies and released the Payment Card Industry Data Security Standard (PCI DSS).

First, a Self-Assessment Questionnaire (SAQ) must be completed on an annual basis. During the spring of 2008 a new SAQ was launched, re-designed to make the questions more relevant to what merchants actually do. There are now four parts; the part that best matches what a company does determines the number of questions that must be answered, and whether or not quarterly vulnerability scanning is required. Companies must also attest to the truthfulness and accuracy of their responses on the SAQ.

For those required to complete quarterly vulnerability scanning, it is an indispensable tool to be used in conjunction with a vulnerability management program. Scans help identify vulnerabilities and misconfigurations of websites and IT infrastructure with externally facing IP addresses. Scan results provide valuable information that supports efficient patch management and other security measures that improve protection against Internet hacking.
Q: Who has to comply?
A: If you are a merchant or service provider and accept credit cards, you must validate PCI compliance at least annually. There is no way around this. Network security scans are required of all merchants and service providers with external-facing IP addresses that collect, process or transmit payment account information. Even if an entity does not offer Web-based transactions, other services may make its systems Internet accessible. Basic functions such as email and employee Internet access can make a company’s network reachable from the Internet. These seemingly insignificant paths to and from the Internet can provide unprotected pathways into merchant and service provider systems and can potentially expose cardholder data if not properly controlled.
Q: I’m a small merchant who only takes a handful of cards. Do I still need PCI?
A: Yes. A common misunderstanding about the standard is that small merchants handling only a few credit cards a day are exempt from compliance. If you are a merchant and are set up to take credit cards by any mechanism, then you need to be compliant.
Q: PCI only applies to e-commerce companies... right?
A: Wrong. PCI applies to every company that stores, processes or transmits cardholder information. In fact, anyone who takes card-present transactions involving POS devices is typically more at risk than an e-commerce solution. Quite often these types of transactions involve storage of track data (which is forbidden under PCI). Compromise of this type of data may bring heavy fines and requests for compensation from the banks involved.
Q: Can I just wait until my bank asks me to be compliant?
A: No. The dates for merchants to be in compliance are long gone. YOU are responsible for making sure you are in compliance NOW. Waiting until the bank asks you could be very costly indeed.
Q: As a merchant, I did not sign anything saying I would be compliant; therefore, I don’t think I need to be.
A: The PCI standard forms part of the operating regulations that are the rules under which merchants are allowed to operate merchant accounts. The regulations signed when you open an account at the bank state that the VISA regulations have to be adhered to. Even if you have been in business for decades, PCI still applies if you store, process or transmit credit cards.
Q: As a merchant, don’t I have the right to store any data?
A: Many merchants believe that they own the customer and have a right to store all the data about that customer in order to help their business. Not only is this incorrect regarding PCI, it may also be a violation of state and federal legislation regarding privacy. The PCI regulations specifically forbid storing any of the following:
Unencrypted credit card numbers
CVV or CVV2
PIN blocks
PINs
Track 1 or Track 2 data
Any of the above found in databases, log files, audit trails, backups etc. at a merchant can result in serious consequences for the merchant, especially if a compromise has taken place.
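As an added example (not part of the original FAQ), a small Python checker that scans log lines for the data items listed above: Luhn-valid card numbers, CVV fields and Track 1/2 swipe data. The log lines and the card number are constructed test values; masked numbers and digit runs that fail the Luhn check are not reported.

```python
import re

# Constructed sample log lines (not from the original page); 4111111111111111
# is a well-known test card number, and the track formats follow ISO/IEC 7813.
SAMPLE_LOG = [
    "2009-07-06 10:01:02 INFO auth ok pan=411111******1111 amount=19.99",
    "2009-07-06 10:01:03 DEBUG request pan=4111111111111111 cvv2=123 exp=0911",
    "2009-07-06 10:01:04 DEBUG swipe ;4111111111111111=09111011234567890?",
    "2009-07-06 10:01:05 DEBUG swipe %B4111111111111111^DOE/JANE^0911101123456789?",
    "2009-07-06 10:01:06 INFO order 1234567890123456 shipped",
]

def luhn_ok(digits: str) -> bool:
    """Luhn check: true for well-formed card numbers, false for most other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# 13-19 digit runs not embedded in a longer number (candidate PANs)
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
CVV_RE = re.compile(r"\bcv[vc]2?\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)
# Track 2: ';' PAN '=' YYMM ...   Track 1: '%B' PAN '^' NAME '^' YYMM ...
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")

def scan_line(line: str) -> list[str]:
    """Return the kinds of forbidden data found in one log line."""
    findings = []
    if TRACK1_RE.search(line):
        findings.append("track1")
    if TRACK2_RE.search(line):
        findings.append("track2")
    if CVV_RE.search(line):
        findings.append("cvv")
    # A masked PAN (411111******1111) never forms a 13-19 digit run; unmasked runs count only if Luhn-valid
    if any(luhn_ok(m.group(1)) for m in PAN_RE.finditer(line)):
        findings.append("pan")
    return findings

def scan_log(lines: list[str]) -> dict[int, list[str]]:
    """Map line index -> findings for every line that contains forbidden data."""
    return {i: f for i, line in enumerate(lines) if (f := scan_line(line))}
```

Running `scan_log(SAMPLE_LOG)` flags lines 1 to 3 and leaves the masked authorization line and the order number alone.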

Q:  Which credit cards do PCI regulations apply to?
A: Compliance with Payment Card Industry data security standards is required by all card brands including Visa, MasterCard, American Express and Discover, and is required of all merchant types regardless of how transactions are processed.

Q:  Why is my processor charging me a PCI Compliance Fee?

A: PCI compliance and testing is mandatory, not optional. We know that nobody likes to incur additional expenses, particularly during bad times. But unfortunately, data security fraud is very real, very serious, very dangerous, and very expensive. Banks, processors and merchants alike all benefit from enhanced data security, and all share the costs involved.

Q:  How much should my processor charge me for PCI Compliance?

A:  Charges vary from processor to processor, usually $75 to $125 per year.  Some processors charge this fee annually, others monthly.

Q:  Which merchants are exempt from PCI security charges and PCI regulations?

A:  None.

Q:  Is it possible to avoid processor PCI charges?

A: Companies such as McAfee and others sell software with which merchants can perform compliance audits themselves. If you can prove to your processor that you have successfully used and passed these audit processes, they may waive or refund your fees. For questions, information, or to purchase such software, please email amspcs@juno.com for details.

Q:  I do not want this service, nor do I want to purchase software.

A: Sorry, compliance with Payment Card Industry data security standards is required by all card brands including Visa, MasterCard and Discover and is required of all merchant types regardless of how transactions are processed. It also applies to all processors. If you have a processor who claims they are not charging you for PCI compliance, that’s a very bad sign. That means you’re being gouged elsewhere.


Retail Chain Settles Data Theft Case

Wednesday, June 24th, 2009

The parent company of TJ Maxx and Marshall’s has reached a settlement with several states related to a 2005-2006 data theft that exposed millions of payment card numbers to hackers, according to The Palm Beach Post.

Reportedly, the Massachusetts-based company will pay $2.5 million to create a data security fund as well as $5.5 million and $1.75 million to cover expenses related to several state investigations of the incident.

The company, TJX, stated that it believed it did not violate any consumer protection or data security laws, and that the decision to enter into the settlement reflects its desire to concentrate on business without distractions and to promote data security measures for the benefit of all consumers.


Major Processor Subject of Class Action Suit

Saturday, March 28th, 2009

Major Credit Card Processor sued by Credit Unions

Several Credit Unions from Florida, Alabama, and Louisiana are lead plaintiffs in a class-action lawsuit against Heartland Payment Systems over a massive data breach, according to an article published in the 3/28/2009 Palm Beach Post.

New Jersey-based Heartland Payment Systems, the nation’s sixth-largest credit card processor, reportedly serving more than 625 banking institutions and some 250,000 restaurants and retail stores that use its service to accept credit card payments, announced in January that it was victimized by what is believed to be the largest data breach in history. The breach is feared to have put confidential data such as the credit card numbers and names of millions of individual credit card users in jeopardy.

The suit reportedly alleges that Heartland was slow to notify its clients, giving the thieves time to use some of the stolen credit card data. The attorney who filed the suit on behalf of the lead plaintiffs opined that client cost and exposure could have been minimized with more timely notice from Heartland.


Credit Card Processor Suffers Data Breach

Tuesday, February 3rd, 2009

According to The Palm Beach Post, Heartland Payment Systems, a major national credit card processor, has suffered a massive data breach that may have exposed personal information from more than 100 million credit and debit card transactions in 2008. Heartland has published a web site to provide detailed information about the breach. It is: www.2008breach.com
