What is the PCI DSS? Who defines this standard?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of comprehensive requirements for enhancing payment account data security in order to reduce credit card data theft and fraud. It applies to all merchants that take credit and debit cards, regardless of size or transaction volume, as well as any business involved in the storage, processing, or transmission of cardholder data. The PCI DSS was developed by the founding payment brands of the PCI Security Standards Council (American Express®, Discover Financial Services®, JCB International, MasterCard Worldwide® and Visa Incorporated®) to help facilitate the global adoption of consistent data security measures. The PCI DSS includes requirements for security management, policies, procedures, network architecture, software design and other measures to proactively protect customer account data. PCI DSS compliance does not guarantee that a security breach will never occur, but it does greatly minimize the chance of a successful breach. If your business is validated as compliant at the time of a breach, the payment networks may give you safe harbor from fines.

Where can I get more information on the actual published PCI DSS, or on the individual credit card brands’ security programs?

The full PCI DSS is managed by the PCI Security Standards Council and can be downloaded here:

Who is required to comply, and what are the validation requirements?

All merchants, no matter how they process credit card transactions, are required to be in compliance with the PCI DSS. Compliance requirements vary based on the following levels:

| Merchant Definition | Criteria | Onsite Review | Self Assessment | Network Security Scan |
|---|---|---|---|---|
| Level 1 | Any merchant processing in excess of six million card brand transactions a year; any merchant that has lost data due to a security breach, compromise or hack | Required annually | Not required | Required quarterly |
| Level 2* | Any merchant processing between one and six million card transactions a year | Not required | Required annually | Required quarterly |
| Level 3* | Any e-commerce merchant processing between 20,000 and one million card brand transactions a year | Not required | Required annually | Required quarterly |
| Level 4 | Any merchant not level 1, 2 or 3 | Not required | May be required annually | May be required quarterly |

Why haven’t I heard anything from the card brands regarding PCI compliance?

The individual card brands are requiring that the Merchant Banks/Processors implement individual PCI compliance programs to educate merchants on compliance and ensure that they meet PCI compliance requirements. They have required that all Merchant Banks/Processors have a plan in place for merchants to obtain and maintain compliance with the standard. Most of the breaches you hear of in the news are large retailers, but many people do not realize that over 80% of compromises occur at small merchant locations.

How do I get started?

The first step is to answer a Self Assessment Questionnaire (SAQ); this will tell us how you process credit cards. Your answers will determine what additional steps, if any, are necessary.

Second, some merchants are required to complete a vulnerability scan conducted by an Approved Scanning Vendor (ASV) and obtain evidence that it passed. Scanning does not apply to all merchants: you only require a scan if you electronically store cardholder information or if your processing systems have any internet connectivity. Finally, each merchant must submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to its acquirer.

How long is this going to take?

The time it takes to achieve compliance is dependent upon how you process credit card data. If a vulnerability scan is not required, achieving compliance can be completed in a short amount of time.

Can I just download a form from the web and fill it out?

It is extremely difficult to complete the standard PCI Self Assessment Questionnaire without assistance, as it is written in very technical language. BASYS Processing has a knowledgeable and friendly PCI Compliance Staff to assist you in completing the questionnaire. They are available as a resource not only to help you become PCI compliant, but also to assist you in building the required security policy and security awareness training.

Will I need to upgrade my equipment, software or networks to become PCI DSS Compliant?

In order to become compliant, you may be required to upgrade your equipment or software to an approved version. You may also need to address vulnerabilities within your networks. You will need to contact BASYS Processing to discuss options available and costs associated with an upgrade.

How is an IP-based point-of-sale (POS) environment defined?

The POS environment is one in which a transaction takes place at a merchant location (for example, a retail store, restaurant, hotel property, gas station or supermarket). An IP-based POS environment is one in which transactions are stored, processed or transmitted on IP-based systems, or systems communicating via the internet.

How is transaction volume that determines a merchant’s compliance level measured?

The number of transactions will be determined based on the gross number of Visa, MasterCard and Discover Network transactions processed by a merchant outlet or a chain of stores. In those cases where a corporation owns several chains, each chain will qualify independently.

Can my compliance requirements change?

Yes, as your transaction volume changes, and as card association (such as Visa, MasterCard and Discover) rules change, your compliance requirements may change. It is your responsibility to be aware of the data security requirements that currently apply to you.

What if I change the way I process transactions, including the storage or transmission of cardholder data? Do I have to recertify my compliance?

Yes. Changes to your payment processes or environment may increase your vulnerability to a security breach and may require recertification. Please contact BASYS as soon as possible to discuss the changes and next steps.

If I only accept credit cards over the phone, does PCI still apply to me?

Yes. All businesses that store, process or transmit payment cardholder data must be PCI Compliant.

How is cardholder data defined?

Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address or Social Security number. The account number is the critical component that makes the PCI DSS applicable. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data. However, PCI DSS applies even if the only data stored, processed or transmitted is account numbers.

When is it acceptable to store magnetic stripe data?

It is never acceptable for acquirers, merchants or service providers to retain magnetic stripe data, including the card verification value or code (CVV2/CVC). The Visa, MasterCard and Discover Network operating regulations prohibit storage of the contents of the magnetic stripe data. The CVV2/CVC is a three-digit code located on the back of a card, inside the signature panel area. The three-digit code helps merchants ensure that the card is in the owner's possession.
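As an added illustration that is not part of the BASYS FAQ, the following Python check scans log lines or exports for the data the two answers above say must never be retained: full magnetic-stripe track data and unmasked account numbers (PANs). The track layouts are simplified, the log lines are constructed samples, and 4111 1111 1111 1111 is a well-known test PAN; a Luhn check keeps ordinary order ids from being reported.

```python
import re

# Simplified magnetic-stripe track layouts (constructed patterns, not the full spec):
#   Track 1: %B<PAN>^<NAME>^<YYMM>...?     Track 2: ;<PAN>=<YYMM><service code>...?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}[^?]*\??")
TRACK2_RE = re.compile(r";?(\d{13,19})=\d{7}[^?]*\??")
# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test, which weeds out order ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the classic PCI DSS masking rule."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_line(line: str) -> list:
    """Return (kind, masked PAN) findings for one log line."""
    findings = []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            findings.append((kind, mask_pan(m.group(1))))
        line = rx.sub(" ", line)  # drop the track so its PAN is not reported twice
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append(("pan", mask_pan(digits)))
    return findings

def scan_log(lines: list) -> list:
    """Return (line number, kind, masked PAN) for every prohibited item found."""
    return [(n, kind, masked) for n, line in enumerate(lines, 1)
            for kind, masked in scan_line(line)]

# Constructed sample log lines; 4111 1111 1111 1111 is a well-known test PAN
SAMPLE_LOG = [
    "10:02:11 sale approved amount=19.99 auth=123456",
    "10:02:12 DEBUG raw swipe: %B4111111111111111^DOE/JANE^25121010000000000?",
    "10:02:12 DEBUG track2: ;4111111111111111=25121010000000000000?",
    "10:03:40 keyed order card=4111 1111 1111 1111 exp=12/25",
    "10:04:00 order id 1234567890123 shipped",
]
```

Running scan_log over the sample flags lines 2 to 4 (track 1, track 2 and a keyed PAN) and reports only masked values, so the report itself does not become another copy of cardholder data.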

What if my business does not comply with PCI DSS?

According to the Payment Networks, the penalties and fines for failure to comply with requirements or to rectify a security issue can be severe. These fines range from $10,000 to over $500,000 per incident. If a security breach occurs in your environment, you will be liable for the cost of the required forensic investigations, as well as covering the costs of fraudulent purchases, and the costs of re-issuing the stolen cards. Beyond the direct fines, your business may also lose your credit card acceptance privileges, at least for a period of time. Furthermore, you may also experience a loss of customer confidence as customers discover your business is not doing as much as others to protect their private information.

What is a network security scan?

A network security scan involves an automated tool that checks a merchant or service provider's systems for vulnerabilities. The tool conducts a non-intrusive scan to remotely review networks and web applications based on the external-facing IP addresses provided by the merchant or service provider.

The scan will identify vulnerabilities in operating systems, services and devices that could be used by hackers to target the company's network, whether private or public (for example, the Internet). As provided by the qualified scan vendor, the tool does not require the merchant or service provider to install any software on their systems. No denial-of-service attacks will be performed.

Is there a cost to using a qualified security assessor (QSA) or approved scanning vendor (ASV)?

Yes, there is a cost to using a QSA or ASV to ensure compliance. The specific cost will vary depending on your level, the number of IP addresses to be scanned, the frequency of the scans and the chosen scan vendor.

If I only do the SAQ once a year and scan once a quarter, why am I being charged monthly?

Most banks will bill you annually for validating PCI compliance; however, we have made the decision to break this fee into smaller monthly installments so that it is easier to track in your monthly budget.

Can I switch to a new processor who doesn’t require compliance?

All acquirers are responsible for ensuring that all of their merchants comply with the PCI Data Security Standard (DSS) requirements; therefore, all processors are required by the card brands to implement a PCI compliance program.

How can I find a list of approved security assessors and scanning vendors?

A list of approved QSAs and ASVs can be found on the PCI SSC website.

I use a PCI DSS compliant terminal/gateway. Why do I need to certify I am PCI DSS compliant?

The use of a terminal/payment application/gateway that is Payment Application-Data Security Standard (PA-DSS) certified by the PCI Security Standards Council is only one of many components that are evaluated in the PCI DSS compliance assessment.

I currently use a PCI Compliant (and validated) Service Provider. Why do I need to certify I am PCI DSS compliant?

How you utilize the validated Service Provider determines the PCI DSS requirements and SAQ that you must complete. However, if you utilize a validated Service Provider and process card transactions from your merchant environment, you are required to complete the SAQ and quarterly scan of your external-facing IP network environment.

My shopping cart/payment gateway/processing is outsourced, why is this my responsibility? If I am breached, wouldn’t it be their fault?

Merely using a third-party company does not exclude a company from PCI compliance. It may reduce your risk exposure and consequently the effort needed to validate compliance, but it does not make you exempt from PCI. All merchants are required to complete the SAQ at least annually. The SAQ also addresses the internal security practices and procedures behind handling credit card data. One of the leading causes of data breaches is employee error or carelessness when handling sensitive information, which is why proper policies should be in place and formal Security Awareness Training should be conducted. Your business must protect cardholder data when you receive it and when you process chargebacks and refunds. You must also ensure that providers' applications and card payment terminals comply with the respective PCI standards and do not store sensitive cardholder data. You should request a certificate of compliance from providers annually.

If I’m running a business from my home, am I a serious target for hackers?

Yes, home users are arguably the most vulnerable simply because they are usually not well protected. Adopting a 'path of least resistance' model, intruders will often zero in on home users, often exploiting their 'always on' broadband connections and typical home-use programs such as chat, Internet games and P2P file-sharing applications.

What should I do if I suspect a breach has occurred and cardholder data may have been compromised?

In the event of a security incident, immediately contact your BASYS Merchant Specialist at 800-386-0711. For step-by-step guidelines to address a security incident, visit Visa to review the guide, "What To Do If Compromised."

Who can I speak to at BASYS if I have questions?

Please contact a BASYS PCI Compliance Specialist at 800-386-0711.