PCI DSS is a set of security guidelines mandated by the major credit card associations (Visa, MasterCard, American Express and Discover) to ensure the safe handling of credit card data and so reduce credit card fraud and security breaches. Compliance with this standard is required of all merchants.
To log in to your merchant account or to become PCI compliant, visit http://www.fidelitypayment.com/pci
Self-Assessment Questionnaire (SAQ):
All merchants are required to provide an annual attestation of compliance, which means that a Self-Assessment Questionnaire (SAQ) must be submitted and attested to yearly.
In addition to the SAQ, merchants who process credit cards through an Internet connection may need a quarterly vulnerability scan.
Every merchant must maintain PCI compliance and re-certify on an annual basis, quarterly or as otherwise required.
The SAQ (and vulnerability scan if applicable) must be satisfactorily completed and submitted in order to receive your certification.
It is important to remember that the Card Associations implemented PCI Compliance in order to protect YOU.
Being compliant will ensure that your customer card data is safe and not susceptible to hackers and fraud, which can cost you heavy fines and lawsuits.
If you need any help throughout the compliance process, please don't hesitate to call one of our customer service representatives.
WHAT IS PCI?
The Payment Card Industry (PCI) Data Security Standard details security requirements for members, merchants and service providers that store, process or transmit cardholder data. To demonstrate compliance with the PCI Data Security Standard, merchants and service providers may be required to validate and conduct a network security scan on a regular basis as defined by the PCI Security Standards Council.
The PCI Data Security Standard (PCI DSS) originally began as five different programs from the five credit card schemes. Each company's intentions were roughly similar: to create an additional level of protection for consumers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data.
The Payment Card Industry Security Standards Council (PCI SSC) was formed as a neutral body to address conflicts among the credit card schemes in developing a standard. On Dec. 15, 2004 the credit card schemes aligned their individual policies and released the Payment Card Industry Data Security Standard (PCI DSS).
First, a Self-Assessment Questionnaire must be completed on an annual basis. During the Fall of 2010 a new SAQ was launched, re-designed to make the questions more relevant to what merchants actually do. There are now five parts, and which part best matches what a company does determines the number of questions that need to be answered and whether or not quarterly vulnerability scanning is required. Companies also need to attest to the truthfulness and accuracy of their responses on the SAQ.
For those required to complete it, quarterly vulnerability scanning is an indispensable tool to be used in conjunction with a vulnerability management program. Scans help identify vulnerabilities and misconfigurations of websites and IT infrastructures containing externally facing IP addresses.
Scan results provide valuable information that supports efficient patch management and other security measures that improve protection against Internet hacking.
WHO HAS TO COMPLY?
If you are a merchant or service provider and accept credit cards you must validate PCI compliance at least annually. There is no way around this. Network Security Scans are required of all merchants and service providers with external-facing IP addresses that collect, process or transmit payment account information. However, even if an entity does not offer Web-based transactions, there may be other services that make systems Internet accessible. Basic functions such as email and employee Internet access may result in the Internet-accessibility of a company's network. These seemingly insignificant paths to and from the Internet can provide unprotected pathways into merchant and service provider systems and can potentially expose cardholder data if not properly controlled.
WHAT IS AN APPROVED SCANNING VENDOR?
All PCI scans must be conducted by a third-party compliant network security scanning vendor, selected from the list of approved vendors at www.pcisecuritystandards.org. All compliant scanning vendors are required to conduct scans in accordance with a defined set of procedures. These procedures dictate that the normal operation of the customer environment is not to be impacted and that the vendor should never penetrate or alter the customer environment.
WHAT ARE THE CERTIFICATION LEVELS AND WHAT DO THEY MEAN?
Information about merchant levels and service provider levels can be found at www.pcisecuritystandards.org.
HOW DOES THE PCI COMPLIANCE SERVICE HELP ME TO GET CERTIFIED?
Companies certified as PCI security scanning vendors help merchants and their consultants achieve compliance with the PCI Data Security Standard. While each PCI compliance service varies, ideally it should provide an on-demand compliance testing and reporting service. Merchants should be able to run PCI compliance scans, complete the appropriate PCI Self-Assessment Questionnaire and submit compliance reports directly to acquiring banks.
HOW OFTEN DO I NEED TO SCAN?
Depending on your validation category, network security scans may be required every 90 days by an approved PCI scanning vendor. For more information, consult the payment brands or your acquiring bank.
WHO NEEDS TO COMPLETE THE SELF ASSESSMENT QUESTIONNAIRE?
Your acquiring bank can confirm, but typically all level 2, 3, and 4 merchants and service providers must complete a PCI Self-Assessment Questionnaire on an annual basis.
I'M A SMALL MERCHANT WHO ONLY TAKES A HANDFUL OF CARDS, DO I NEED TO BE PCI COMPLIANT?
Yes. A common misunderstanding of the standard is that small merchants handling only a few credit cards a day are exempt from compliance. If you are a merchant and are set up to take credit cards by any mechanism, then you need to be compliant.
DOES PCI APPLY ONLY TO E-COMMERCE COMPANIES?
No, PCI applies to every company that stores, processes or transmits cardholder information. In fact, anyone who takes card-present transactions that involve POS devices is typically more at risk than e-commerce solutions. Quite often these types of transactions involve storage of track data (which is forbidden under PCI). Compromise of this type of data may bring heavy fines and requests for compensation from the banks involved.
DO YOU ONLY HAVE TO BE COMPLIANT WITH THE MAJORITY OF CRITERIA?
No. The pass mark for PCI is 100%, so if you fail even one of the criteria, you are not in compliance with PCI. The standard is not meant to be something to strive for; it is essentially a floor, a basis for further security measures. Failing to achieve even one of the requirements is failing to meet a basic standard for handling cardholder information. All companies that routinely handle this type of data should be aiming to exceed the standard. It's just good business.
I CAN JUST ANSWER "YES" TO ALL THE CRITERIA ON THE SELF-ASSESSMENT QUESTIONNAIRE. DOES THAT MEAN I AM PCI COMPLIANT?
No. The Self-Assessment Questionnaire is a mechanism for getting the information about the level of your compliance to your merchant bank or to Visa. The standard applies at all times. Just saying yes to the questions puts you at great risk. If a compromise took place and it was obvious that you were not and have never been compliant, the matter would be taken very seriously by VISA. You would be risking your whole business by answering "yes" to the questions, when there is no factual basis for the answers.
AS A MERCHANT, I DID NOT SIGN ANYTHING SAYING I WOULD BE COMPLIANT; DOES THAT MEAN I DO NOT NEED TO BE?
No. The PCI standard forms part of the operating regulations that are the rules under which merchants are allowed to operate merchant accounts. The regulations signed when you open an account at the bank state that the VISA regulations have to be adhered to. Even if you have been in business for decades, PCI still applies if you store, process or transmit credit cards.
AS A MERCHANT, AM I ENTITLED TO STORE ANY DATA?
No. Many merchants believe that they own the customer and have a right to store all the data about that customer in order to help their business. Not only is this incorrect regarding PCI, it may also be a violation of State and Federal legislation regarding privacy. The PCI regulations specifically forbid storing of any of the following:
- Unencrypted credit card number
- CVV or CVV2
- PIN blocks
- PIN numbers
- Track 1 or 2 data
Any of the above found in databases, log files, audit trails, backups etc. at a merchant can result in serious consequences for the merchant, especially if a compromise has taken place.