PCI Compliance Validation
Already Validated PCI Compliance?
Merchants who have already validated PCI compliance should send a copy of the submitted Attestation of Compliance and Self-Assessment Questionnaire (SAQ), as well as passing vulnerability scanning documentation if applicable, to PowerPay’s PCI Department. Please contact the PowerPay PCI Compliance Team to let us know if you have validated. All merchants who have not submitted validation documentation will be enrolled in the PCI TOOLKIT™ program, with the exception of merchants who qualify as “dial-up terminal” or “touch-tone” only merchants. These merchants will be mailed a paper version of the appropriate Self-Assessment Questionnaire for completion and return to PowerPay.
To make the required validation process simple, PowerPay has partnered with PCI TOOLKIT™, an Internet-based program that walks merchants through the Self-Assessment Questionnaire (SAQ) and also sets up vulnerability scans for processing systems with Internet connectivity. PCI TOOLKIT™ is designed to educate merchants on the steps that need to be taken to be PCI compliant. Additionally, if your business needs policies and procedures in place to become PCI compliant, PCI TOOLKIT™ will help you develop them using the correct language and detailing the precise instructions outlined by the PCI Security Standards Council. Please contact the PowerPay PCI Compliance Team to enroll in this service.
Complete the Attestation of Compliance and Self-Assessment Questionnaire (SAQ) annually.
All merchants and service providers must fulfill this requirement. The Attestation of Compliance can be found at the beginning of the SAQ. You need to fill out the SAQ appropriate for your business model (see SAQ A-D below). Please take measures to fill out the questionnaire correctly. Submissions may be reviewed if merchants are compromised, risk rated, or randomly audited. The SAQ is especially important because it details how businesses should operate in order to keep payment card data secure.
SAQ A: E-commerce or mail/telephone order merchants that do not accept credit cards face-to-face and instead outsource all payment functions. This includes e-commerce merchants who accept payments through a compliant gateway off their website and never use a virtual terminal. These merchants never touch credit card data to process a payment.
SAQ B: Merchants that do not store any cardholder data and only use touch-tone, imprint devices, or dial-up terminals with no Internet connection.
SAQ C-VT: Merchants using only one method to process payments, a web-based virtual terminal on an isolated computer not connected to other locations or systems. The merchant must not store electronic cardholder data to qualify for this SAQ. This SAQ is not for merchants who use a VT along with a gateway off a website, and it never applies to e-commerce merchants; it is only for applicable merchants operating a MOTO or retail business.
SAQ C: Merchants that use payment application systems or terminals connected to the Internet and do not store any cardholder data. This includes merchants who use both a virtual terminal and a gateway off an e-commerce website to collect payments.
SAQ D: Merchants storing data electronically themselves, rather than using a compliant third party to store it for them for purposes such as recurring billing, and all other merchants and service providers that do not fit the descriptions listed for SAQ A, B, or C.
Perform vulnerability scans on a quarterly basis.
Vulnerability scans check all external-facing IP addresses if you use any systems with Internet access to accept, handle, transmit, or store credit card data. It is critical that any abnormal findings be addressed immediately to meet the PCI DSS. Vulnerability scans must be performed by an Approved Scanning Vendor (ASV) qualified by the PCI Security Standards Council.
Enforce and maintain PCI compliance.
Merchants are responsible for creating, maintaining and enforcing internal policies and procedures to keep business operations PCI compliant. As new data security threats emerge, the PCI DSS will be updated. Merchants need to make any changes necessary to their business, including updating policies to remain PCI compliant under the most current standards.
Tips for Minimizing Your Validation Requirements
Do not store credit card data that you don’t absolutely need.
The level of data security risk goes up with the amount of data stored. Proof of receipt is not a good reason to store a full credit card number. Even if encrypted, stored credit card data puts you at a higher risk of a breach and makes your PCI compliance validation more complicated, time consuming and potentially more costly to complete. It is not permissible to store unencrypted card data or more than the first six and last four digits of a payment card number, and you may not store the security code on the back of a card under any circumstances. Paper receipts, while not stored electronically, should be properly secured and disposed of in accordance with the terms of your Merchant Agreement.
Follow the PCI SSC’s Dos & Don’ts (pdf) guidelines for additional tips on payment card data storage.
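The storage rule above (keep at most the first six and last four digits, never the security code) can be enforced in code before a record reaches merchant storage. The example below is added here and is not PowerPay's or PCI TOOLKIT™'s code; the field names, the sample record and the card number are constructed for illustration.

```python
import re

# Constructed sample value for illustration; not a real card number.
SAMPLE_PAN = "4111 1111 1111 1111"
# 13-19 digits, optionally separated by spaces or hyphens, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Assumed field names for sensitive authentication data, which may never be stored.
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "cid", "security_code", "track1", "track2", "pin"}

def luhn_valid(digits: str) -> bool:
    """Luhn check; weeds out order numbers and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def truncate_pan(pan: str) -> str:
    """Reduce a PAN to the only form permitted for storage: first six, last four, rest masked."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_full_pans(text: str) -> list:
    """Return every Luhn-valid 13-19 digit run found in free text (notes, receipts, logs)."""
    return [re.sub(r"\D", "", m.group()) for m in PAN_RE.finditer(text)
            if luhn_valid(re.sub(r"\D", "", m.group()))]

def check_record(record: dict) -> list:
    """Findings that must be cleared before a record is written to merchant storage."""
    findings = []
    for key, value in record.items():
        if key.lower() in FORBIDDEN_FIELDS:
            findings.append(f"{key}: sensitive authentication data may never be stored")
        elif isinstance(value, str) and find_full_pans(value):
            findings.append(f"{key}: full card number present; keep first six and last four only")
    return findings

if __name__ == "__main__":
    # Constructed records: one that violates the rule, one that satisfies it.
    bad = {"pan": SAMPLE_PAN, "cvv2": "123", "note": "proof of receipt 4111-1111-1111-1111"}
    good = {"pan": truncate_pan(SAMPLE_PAN), "note": "order 20110523-0042"}
    print(check_record(bad))   # three findings: pan, cvv2, note
    print(check_record(good))  # []
```

The free-text scan matters because full card numbers most often leak into notes, e-mail and logs rather than the dedicated card field.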
Reduce the amount of cardholder data you handle.
Outsourcing to compliant service providers who can store, process, transmit, or host cardholder data on your behalf helps reduce your liability as a merchant. This also helps reduce the scope of your PCI compliance validation requirements, as well as the associated costs.
*PowerPay does not endorse any links included on the website, and information is subject to change at any time. PowerPay believes this information to be valid and current, but cannot guarantee it as other entities such as PCI Security Standards Council, Payment Brands and others may change the information provided without notice.
Did you know?
What commonalities exist?
83% of victims were targets of opportunity
92% of attacks were not highly difficult (+7%)
76% of all data was compromised from servers
86% were discovered by a third party (+25%)
96% of breaches were avoidable through simple or intermediate controls
(Source: 2011 Data Breach Investigations Report, Verizon RISK Team & U.S. Secret Service and the Dutch High Tech Crime Unit)