The Payment Card Industry Data Security Standard, also known as PCI DSS, was implemented by the card associations to protect cardholder data and prevent credit-card fraud. PCI compliance is no different from having a business license or tax ID: they are all required. All merchants are required to provide an annual attestation of compliance, which means that a Self-Assessment Questionnaire (SAQ) must be submitted and attested to yearly. In addition to the SAQ, merchants who process credit cards through an Internet connection may need a quarterly vulnerability scan. Watch the video and follow the links below to learn everything you need to know about PCI. Should you have any questions regarding PCI or any other payment processing issue, don't hesitate to give us a call at 1-888-847-2627.

PCI COMPLIANCE RESOURCE

Fidelity Payment Services will assist you in understanding and meeting the requirements needed to validate and maintain PCI compliance. Our easy-to-use solution and detailed level of support make achieving compliance less complicated. Our compliance program will provide you with access to:

- Self-Assessment Questionnaire (SAQ)
- Security Awareness Training
- Scanning (if applicable)


FAQs


WHAT IS PCI?

The Payment Card Industry (PCI) Data Security Standard details security requirements for members, merchants and service providers that store, process or transmit cardholder data. To demonstrate compliance with the PCI Data Security Standard, merchants and service providers may be required to validate and conduct a network security scan on a regular basis as defined by the PCI Security Standards Council.

The PCI Data Security Standard (PCI DSS) originally began as five different programs from the five credit card schemes. Each company's intentions were roughly similar: to create an additional level of protection for consumers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data.

The Payment Card Industry Security Standards Council (PCI SSC) was formed as a neutral body to address conflicts among the credit card schemes in developing a standard. On Dec. 15 2004 the credit card schemes aligned their individual policies and released the Payment Card Industry Data Security Standard (PCI DSS).

First, a Self-Assessment Questionnaire must be completed on an annual basis. During the spring of 2008 a new SAQ was launched, redesigned to make the questions more relevant to what merchants actually do. There are now four parts; the part that best matches what a company does determines the number of questions that will need to be answered, and whether or not quarterly vulnerability scanning is required. Companies will also need to attest to the truthfulness and accuracy of their responses on the SAQ.

For those required to complete quarterly vulnerability scanning, it is an indispensable tool to be used in conjunction with a vulnerability management program. Scans help identify vulnerabilities and misconfigurations in websites and IT infrastructure containing externally facing IP addresses.

Scan results provide valuable information that supports efficient patch management and other security measures that improve protection against Internet-based attacks.

WHO HAS TO COMPLY?

If you are a merchant or service provider and accept credit cards you must validate PCI compliance at least annually. There is no way around this. Network Security Scans are required of all merchants and service providers with external-facing IP addresses that collect, process or transmit payment account information. However, even if an entity does not offer Web-based transactions, there may be other services that make systems Internet accessible. Basic functions such as email and employee Internet access may result in the Internet-accessibility of a company's network. These seemingly insignificant paths to and from the Internet can provide unprotected pathways into merchant and service provider systems and can potentially expose cardholder data if not properly controlled.

WHAT IS AN APPROVED SCANNING VENDOR?

All PCI scans must be conducted by a third party compliant network security scanning vendor, selected from the list of approved vendors at www.pcisecuritystandards.org. All compliant scanning vendors are required to conduct scans in accordance with a defined set of procedures. These procedures dictate that the normal operation of the customer environment is not to be impacted and that the vendor should never penetrate or alter the customer environment.

WHAT ARE THE CERTIFICATION LEVELS AND WHAT DO THEY MEAN?

Information about merchant levels and service provider levels can be found at www.pcisecuritystandards.org.

HOW DOES THE PCI COMPLIANCE SERVICE HELP ME TO GET CERTIFIED?

Companies certified as PCI security scanning vendors help merchants and their consultants achieve compliance with the PCI Data Security Standard. While each PCI compliance service varies, ideally they should provide on-demand compliance testing and reporting services. Merchants should be able to run PCI compliance scans, complete the appropriate PCI Self-Assessment Questionnaire and submit compliance reports directly to acquiring banks.

HOW OFTEN DO I NEED TO SCAN?

Depending on your validation category, network security scans may be required every 90 days by an approved PCI scanning vendor. For more information, consult the payment brands or your acquiring bank.

WHO NEEDS TO COMPLETE THE SELF ASSESSMENT QUESTIONNAIRE?

Your acquiring bank can confirm, but typically all level 2, 3, and 4 merchants and service providers must complete a PCI Self-Assessment Questionnaire on an annual basis.

I'M A SMALL MERCHANT WHO ONLY TAKES A HANDFUL OF CARDS, SO I DON'T NEED PCI.

A common misunderstanding of the standard is that small merchants handling only a few credit cards a day are exempt from compliance. If you are a merchant and are set up to take credit cards by any mechanism, then you need to be compliant.

PCI ONLY APPLIES TO E-COMMERCE COMPANIES.

No, PCI applies to every company that stores, processes or transmits cardholder information. In fact, anyone who takes card-present transactions involving POS devices is typically more at risk than an e-commerce solution. Quite often these types of transactions involve storage of track data (which is forbidden under PCI). Compromise of this type of data may bring heavy fines and requests for compensation from the banks involved.

YOU ONLY HAVE TO BE COMPLIANT WITH THE MAJORITY OF CRITERIA

The pass mark for PCI is 100%, so if you fail even one of the criteria, you are not in compliance with PCI. The standard is not meant to be something to strive for; it is essentially a floor, a basis for further security measures. Failing to achieve even one of the requirements is failing to meet a basic standard for handling cardholder information. All companies that routinely handle this type of data should be aiming to exceed the standard. It's just good business.

I CAN JUST ANSWER "YES" TO ALL THE CRITERIA ON THE SELF-ASSESSMENT QUESTIONNAIRE.

The Self-Assessment Questionnaire is a mechanism for getting the information about the level of your compliance to your merchant bank or to Visa. The standard applies at all times. Just saying yes to the questions puts you at great risk. If a compromise took place and it was obvious that you were not and have never been compliant, the matter would be taken very seriously by VISA. You would be risking your whole business by answering "yes" to the questions, when there is no factual basis for the answers.

AS A MERCHANT, I DID NOT SIGN ANYTHING SAYING I WOULD BE COMPLIANT; THEREFORE, I DO NOT NEED TO BE.

The PCI standard forms part of the operating regulations that are the rules under which merchants are allowed to operate merchant accounts. The regulations signed when you open an account at the bank state that the VISA regulations have to be adhered to. Even if you have been in business for decades, PCI still applies if you store, process or transmit credit cards.

AS A MERCHANT, I'M ENTITLED TO STORE ANY DATA.

Many merchants believe that they own the customer and have a right to store all the data about that customer in order to help their business. Not only is this incorrect regarding PCI, it may also be a violation of State and Federal legislation regarding privacy. The PCI regulations specifically forbid storing of any of the following:

- Unencrypted credit card numbers
- CVV or CVV2
- PIN blocks
- PIN numbers
- Track 1 or Track 2 data

Any of the above found in databases, log files, audit trails, backups, etc. at a merchant can result in serious consequences for the merchant, especially if a compromise has taken place.
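Prohibited data most often leaks into application logs and debug output rather than the card database itself, so a practical control is to sweep log files for full PANs and track data before they reach backups. The following is an added example, not Fidelity's code: it scans constructed sample log lines, uses the Luhn check to separate card numbers from ordinary digit runs such as order ids and timestamps, and recognizes the Track 1 (`%B...^...^`) and Track 2 (`;...=`) layouts.

```python
import re
from typing import List, Tuple

# Constructed sample log lines (not real data): a masked PAN (acceptable),
# a full PAN in a debug dump, raw Track 2 data, raw Track 1 data, a clean line.
SAMPLE_LOG = """\
2024-01-05 10:00:01 auth ok pan=411111******1111 amount=12.50
2024-01-05 10:00:02 debug request body: {"pan":"4111111111111111","exp":"1226"}
2024-01-05 10:00:03 swipe raw=;4111111111111111=12261010000000000000?
2024-01-05 10:00:04 swipe raw=%B4111111111111111^DOE/JOHN^12261010000000000?
2024-01-05 10:00:05 order 12345 status=shipped
"""

# 13-19 digit run (spaces/dashes allowed), not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1: %B<PAN>^<NAME>^<YYMM>...   Track 2: ;<PAN>=<YYMM>...
TRACK1_RE = re.compile(r"%B\d{12,19}\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";\d{12,19}=\d{4}")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: rejects random digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_line(line: str) -> List[str]:
    """Return the kinds of prohibited data found on one log line."""
    findings = []
    if TRACK1_RE.search(line):
        findings.append("track1")
    if TRACK2_RE.search(line):
        findings.append("track2")
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append("pan")
            break                # one PAN finding per line is enough
    return findings


def scan_log(text: str) -> List[Tuple[int, List[str]]]:
    """Scan a whole log; return (line number, findings) for offending lines."""
    return [(n, f) for n, line in enumerate(text.splitlines(), 1)
            if (f := scan_line(line))]
```

A masked PAN such as `411111******1111` passes because the digit run is too short, while a full PAN or raw track data is flagged by line number so the offending logger can be fixed and the file purged.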


Got questions?
Give us a call

A professional Fidelity associate
looks forward to helping you
1-888-847-2627