Frequently Asked Questions
Questions Regarding General PCI Compliance
Payment Card Industry (PCI) compliance refers to a set of standards created to help protect payment card data from exposure that could lead to financial loss. The area of PCI compliance which applies to merchants and service providers is called the PCI Data Security Standard (PCI DSS). The PCI DSS consists of requirements developed by the PCI Security Standards Council which was founded by the major Payment Brands. The goal of these requirements is to implement consistent data security procedures across the payment card industry. Validating PCI compliance is a requirement that the Payment Brands have put in place as a proactive measure to address data security needs.
PCI compliance standards have existed for years. All merchants, regardless of which payment processor they use, are required to comply with the PCI DSS, and this obligation is part of the Terms and Conditions of entering into a merchant agreement. We are offering a new online validation solution through PCI TOOLKIT™ to increase our merchants' awareness and assist in their individual compliance efforts.
Becoming PCI compliant and maintaining that status will help you reduce threats to your business and your customers. Any merchant or service provider (e.g., payment gateway, shopping cart, web hosting company) that accepts, handles, stores, or transmits credit card information must validate PCI compliance each year. The validation process will help educate you about what steps to take in order to make your business PCI compliant.
PCI compliance requirements were put in place specifically to help protect merchants from a data breach, but they do not guarantee protection. While PCI compliance cannot provide 100% protection against a breach, being PCI compliant does increase data security and helps protect businesses from easily avoidable threats. As technology and new data security threats develop, it is important to stay up to date on PCI compliance requirements and make any changes necessary in order to remain compliant under the most current set of standards.
Questions Regarding PCI Compliance Validation
To satisfy PCI compliance validation requirements, merchants must fill out an Attestation of Compliance and Self Assessment Questionnaire (SAQ) annually and, if they have Internet-facing systems, perform quarterly vulnerability scans of those systems. Some changes, such as policy development or Internet security upgrades, may be required in order to become PCI compliant. Using PCI TOOLKIT™ will assist merchants in accomplishing both requirements. Merchants using a dial up terminal only with no Internet connectivity, and those that outsource all payment functions, may simply complete the appropriate version of the SAQ for their business type and submit the SAQ to PowerPay. Documentation must be submitted to PowerPay’s PCI Compliance Team to complete validation requirements. All merchants who have not submitted validation documentation will be enrolled in the PCI TOOLKIT™ program, with the exception of merchants who qualify as "dial up terminal" or "touch tone" only merchants. These merchants will be mailed a paper version of the appropriate Self Assessment Questionnaire for completion and return to PowerPay.
PowerPay’s PCI Department can help explain the validation requirements and process. Please contact the PowerPay PCI Compliance Team and we will be glad to assist you with any questions you may have.
If you need help while using the PCI TOOLKIT™, please email firstname.lastname@example.org and the support team will be glad to answer questions regarding the Self Assessment Questionnaire and vulnerability scanning.
PowerPay will be assessing a fee of $10/month for the online validation service. There will also be a billing option to pay at a discounted rate of $100 annually. Merchants that qualify for online validation will receive a letter notifying them of enrollment prior to being billed any fees.
Using PCI TOOLKIT™ is optional; validating PCI compliance is not. You may complete validation on your own by filling out and submitting the Self-Assessment Questionnaire (SAQ) appropriate for your business type to PowerPay and, if applicable, documentation of passing vulnerability scans as well. Vulnerability scans must be performed by an Approved Scanning Vendor (ASV) qualified by the PCI Security Standards Council. Documentation must be submitted to PowerPay’s PCI Compliance Team to complete validation requirements.
Merchants who do not validate could eventually be charged fees as noted in their merchant agreements. Not being PCI compliant increases your chances of suffering a data breach, which has significant repercussions and could cost you your business. You may be fined anywhere from $10,000 to $500,000 or more per breach. Incidents currently lead to a minimum of $12,000 in forensic investigation and legal fees. Merchants can be liable for chargeback fees, the cost of covering fraudulent purchases, card reissuance fees of $5-25 per compromised card, and possibly the cost of providing security monitoring for all compromised accounts. You also face the possibility of having your ability to accept credit cards revoked altogether. You are responsible for making your business PCI compliant to help reduce these threats to your business. PowerPay’s goal is to help merchants understand what steps to take to be sure they are PCI compliant and to provide a way to easily and efficiently validate that PCI compliance requirements are being met.
PCI compliance has become an increasingly important focus as the number of data breaches and instances of theft continues to rise. The longer a merchant goes without validating PCI compliance, the longer that merchant's business is potentially exposed to higher risk. Non-compliance could result in fines, penalties, liability issues, and damage to business operations and reputation. The sooner you can meet the PCI DSS, the better.
If you are using PCI TOOLKIT™, you will be prompted to answer questions that lead you to the correct SAQ for your business type. Using the PCI Toolkit, you will complete the Attestation of Compliance and Self-Assessment Questionnaire (SAQ); the tool explains the meaning of each question and provides help and term definitions. You may also find instructions and the questionnaires on the PCI Security Standards Council website. The SAQ must be filled out completely in order to validate PCI compliance, and submissions may be reviewed if a merchant is compromised, risk rated, or randomly audited.
Quarterly vulnerability scans help ensure the security of credit card data that is passed over or accessible through the Internet. They check your network and any web applications or infrastructure with external-facing Internet Protocol (IP) addresses for holes through which unauthorized users could compromise payment card data. Unlike virus scans, vulnerability scans check all points where credit card information could be accessed and all of the network paths through which this data could be compromised. Scans performed by PCI TOOLKIT™ are set up to run automatically and do not require you to install additional software. Merchants or third party service providers that use the Internet to accept, transmit, or store credit card data need to use PCI TOOLKIT™ or a vendor on the PCI Security Standards Council website’s list of Approved Scanning Vendors (ASVs) to set up the required scans.
Even merchants that use a compliant gateway, shopping cart, etc. may still have computers or other equipment with Internet connectivity that are subject to access by malicious individuals. If you do not outsource all elements of payment processing and you have Internet-connected systems that are used to accept payments, you do need to set up quarterly vulnerability scans. Even if you primarily handle payments through a third-party service provider but occasionally enter a payment into your computer over the phone or in person, you must make sure that computer is secure by having a vulnerability scan performed.
At this point, scanning cannot be performed on mobile devices, whether a merchant accesses a virtual terminal from a mobile device or uses a mobile device payment application. However, validation is still required. Merchants using PCI TOOLKIT™ should contact PCI TOOLKIT™ Support for assistance with validating. Please refer to the PCI Security Standards Council website for future updates on data security specific to mobile device processing.
Third parties that are contracted by merchants to store, process, transmit, or host payment card information are required to validate PCI compliance. Please contact our PCI Compliance Team for information specific to service provider PCI compliance validation.
I don’t know anything about my Internet connection setup, so I’m not sure about vulnerability scans. Where can I find more information?
Merchants can set up vulnerability scans easily by using PCI TOOLKIT™ or by contacting an Approved Scanning Vendor (ASV). Working with third party service providers that have verified PCI compliance helps ensure data security. You may wish to contact your local Internet Service Provider (ISP) or the business that sold you your computer for a recommendation of a local contact who can answer general Internet connectivity questions or help put the right Internet security in place to keep payment card data secure.
Merchants need to continue meeting PCI compliance standards over time. The minimum validation requirements state that the Self-Assessment Questionnaire (SAQ) must be submitted annually and vulnerability scans must be performed quarterly. However, to ensure PCI compliance, the SAQ should be filled out and vulnerability scans should be run any time there is a significant change to business operations or network systems. Being PCI compliant is an ongoing process, and the standards can be expected to change as new data security threats develop.
Questions Regarding Already Existing PCI Compliant and Validated Merchants
Yes, you need to submit your completed Self-Assessment Questionnaire (SAQ), along with documentation of passing vulnerability scans performed by an Approved Scanning Vendor (ASV) qualified by the PCI Security Standards Council, to PowerPay’s PCI Compliance Department. Please contact the PowerPay PCI Compliance Team to let us know if you have validated.
You should also work to maintain PCI compliance following the standards outlined by the PCI SSC. The requirements change as data security threats evolve, and merchants need to make an ongoing effort to make any changes necessary to meet the most current set of standards.
If my business model changes or we change the way we process and/or store payment card data, do I need to complete validation again?
Such changes may increase the vulnerability of your business. Please contact PowerPay PCI Compliance to discuss the changes and any new validation requirements that may apply.
Will I incur additional costs if my business model changes or we change the way we process and/or store payment card data?
As far as PCI compliance validation is concerned, businesses that require vulnerability scans do have costs above those that outsource all card data payment functions or do not store any payment card data. However, PowerPay does not charge any additional PCI compliance validation fees simply because your business changes.
*PowerPay does not endorse any links included on the website, and information is subject to change at any time. PowerPay believes this information to be valid and current, but cannot guarantee it as other entities such as PCI Security Standards Council, Payment Brands and others may change the information provided without notice.
Did you know?
Cyber crime costs US organizations more than $3.8 million a year.
The cost of non-compliance is 2.65 times higher than the cost of compliance. 12% of consumers care enough about privacy to take action or suffer an inconvenience.
(Source: Ponemon Institute)