PCI Compliance
In an effort to secure cardholder data, the Card Associations have introduced the PCI Data Security Standard (PCI DSS) and are requesting that all Merchant Services Providers (MSPs) notify their Merchants of the PCI DSS requirements. MSPs are additionally required to report their Merchants' PCI compliance status to the Card Associations.
Below are the answers to a few commonly asked questions regarding PCI DSS. If you have additional questions, we encourage you to email them to PCI@ppsbankcard.com. You will receive a response within one business day.
What is PCI DSS?
The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of requirements for enhancing payment account data security. The standard was developed by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, Inc. to facilitate industry-wide adoption of consistent data security measures on a global basis. The standard aims to increase awareness and promote best practices in the handling of sensitive information as a means of minimizing identity theft and fraudulent transactions.
Is PCI DSS new?
No. The framework of the PCI data security standards has existed in different forms for some time now and continues to evolve. You may be more familiar with the payment brands' programs that promote the adoption of PCI DSS.
I only process a few hundred dollars a month. Does my merchant account still need to be PCI compliant?
Yes, all merchants, whether small or large, are required to be PCI compliant. The payment brands have collectively mandated PCI DSS compliance for any and all organizations that process, store or transmit payment cardholder data. Inherent in having a merchant account is the ability to handle cardholder data.
What are my PCI Requirements?
Generally, Level 1 Merchants are those that process more than six million MasterCard or Visa transactions per year, or any merchant who has experienced a breach. Level 1 Merchants are required to have an on-site assessment performed by a Qualified Security Assessor (QSA).
Level 2, 3 and 4 Merchants must complete a Self-Assessment Questionnaire (SAQ) and submit it, along with the Attestation of Compliance (the merchant's signed statement that the SAQ responses are accurate), to their MSP. The SAQ responses help determine your PCI compliance status. Merchants who use a Virtual Terminal, IP Terminal, or payment software application, or who have internet access on the same device used to transmit or process cardholder data, must also have quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV).
The actual requirements for being considered a PCI compliant merchant are outlined in the SAQ. If your responses show you to be non-compliant, you will be required to adjust your policies and procedures and retake the SAQ. If you do not understand a question on the SAQ, it is important that you call your provider for clarification. CertifyPCI Merchants can email PCI@ppsbankcard.com.
I already use a "PCI compliant" terminal/gateway. Doesn't that mean I am PCI compliant?
No. Use of a PCI compliant payment application or terminal is only one aspect of the many PCI DSS requirements, which cover the handling of sensitive data across your network, systems, policies and procedures, not just the payment device itself. Currently, the PCI DSS lists twelve requirements. These requirements are organized around the following principles:
Can I choose not to certify for PCI compliance?
If you choose not to complete the Self-Assessment Questionnaire (and applicable network scans), you may overlook certain data security practices that minimize your risk of a security breach. In the event that your business is compromised, you may be subject to fines of up to $500,000 per payment brand. These fines would be in addition to the expenses and fraudulent transactions resulting from the breach.
In light of the importance that data security has to the payment processing industry and to consumers at large, we, as your service provider, may also begin imposing a fee for each month that your account has not been validated as PCI compliant, or for any month in which your account is deemed non-compliant. Continued failure to validate compliance may result in termination of your merchant account.
What is included in the PCI Compliance Validation Service Program, and how do I enroll with PCI Toolkit?
PCI Toolkit services include: assistance in determining which version of the Self-Assessment Questionnaire is appropriate for your business; administration of any applicable network scans; guidance on any necessary remediation efforts; and certification and validation of your account's compliance. You can enroll with PCI Toolkit by completing the online questionnaire once we have provided you with the proper login credentials. Our in-house PCI Rep will be happy to assist with any questions you may have during the process.
How long is the PCI compliance certification valid?
The PCI compliance certification is valid for one year from the date of issue. To maintain your compliance, you are required to complete the PCI DSS Self-Assessment Questionnaire annually and any applicable network scans on a quarterly basis.
Do I have to use CertifyPCI?
No. There are more than 130 Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs), and you are free to certify with any vendor you like. However, if you choose to certify with another vendor, you will be responsible for paying the full cost of the PCI compliance analysis to that vendor. A list of approved vendors is available on the card associations' web sites and at pcisecuritystandards.org.
What if I have already been certified, or choose to certify through another Qualified Security Assessor (QSA) / Approved Scanning Vendor (ASV)?
If you have already been PCI DSS certified, or if you choose to use another QSA/ASV, please submit your certification documentation to us via fax at 630.396.3292.