What is PCI compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store ortransmit credit card information maintain a secure environment and prevent credit card fraud. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB.). Essentially any merchant that has a Merchant ID (MID) is required to meet PCI compliance requirements.

Who is ControlScan?
ControlScan is an Approved Scanning Vendor certified by the Payment Card Industry (PCI), and specializes in PCI compliance and security solutions for small and medium sized businesses. We have partnered with ControlScan to provide your business with a comprehensive set of PCI compliance tools and the support necessary to validate your business’ PCI compliance.

Who has to be PCI Compliant? Do I have to do this?
PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.

What happens if I do not comply?
Merchants that do not comply with PCI DSS may be subject to fines, card replacement costs, costly forensic audits, brand damage, etc., should a breach event occur. Many acquiring banks are issuing fines for merchants who do not comply with PCI. For a little upfront effort and cost to comply with PCI, you greatly help reduce your risk from facing these extremely unpleasant and costly consequences.

Why haven’t I heard anything from the card brands regarding PCI compliance?
The individual card brands are requiring that the Merchant Banks/Processors implement individual PCI compliance program to educate merchants on compliance and ensure that they meet PCI compliance requirements. They have required that all Merchant Banks/Processors have a plan in place to ensure that all of their merchants obtain and maintain compliance with the standard. Most of the breaches you hear of in the news are large retailers, but many people do not realize that over 80% of compromises occur at small merchant locations.

What are the penalties for noncompliance?
The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The card brands will most likely pass this fine on downstream to the Merchant Acquirer until it eventually hits the merchant.

How do I get started?
The first step is to answer a Self Assessment Questionnaire (SAQ); this will tell us how you process credit cards. Your answers will determine what additional steps are necessary if any.

As part of the SAQ process, all merchants must confirm that a written security policy is in place (ControlScan’s merchant portal will provide you with the required security policy for your business).

Merchants who come into contact with credit card data at any point in their daily routine are also required to have a Security Awareness Training program in place that informs their employees of the importance of data security (merchants can access a Security Awareness Training program in the merchant portal).

Second, some merchants are required to complete and obtain evidence of a passing vulnerability scan conducted by an Approved Scanning Vendor (ASV). Note scanning does not apply to all merchants. If you electronically store cardholder information or if your processing systems have any internet connectivity.

Finally, each merchant must submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer. ControlScan will submit this information on your behalf.

If I only do the SAQ once a year and scan once a quarter, why am I being charged monthly?
Most banks have broken down the annual/quarterly cost for validating PCI compliance into monthly installments so that they price is easier to digest.

Can I switch to a new processor who doesn’t require compliance?
All Acquirers are responsible for ensuring that all of their merchants comply with the PCI Data Security Standard (DSS) requirements, therefore, all processors are required by the card brands to implement a PCI compliance program. We have partnered with ControlScan based on the fact that they provide the best value for our merchants and provide full support in helping you in the compliance process.

How long is this going to take?
The time it takes to achieve compliance is dependent upon how you process credit card data. If a vulnerability scan is not required, achieving compliance can be completed in a short amount of time- this of course depends on your availability to work ControlScan in completing the SAQ.

My shopping cart/payment gateway/processing is outsourced, why is this my responsibility? If I am breached, wouldn’t it be their fault?
Merely using a third-party company does not exclude a company from PCI compliance. It may cut down on your risk exposure and consequently reduce the effort to validate compliance. However, it does not mean you are exempt from PCI. All merchants are required to complete the SAQ annually at a minimum. It also addresses internal security practices and procedures behind handling credit card data. One of the leading causes of data breaches is due to employee error or carelessness when handling sensitive information- this is why proper policies should be in place and a formal Security Awareness Training should be conducted. Your business must protect cardholder data when you receive it, and process charge backs and refunds. You must also ensure that providers’ applications and card payment terminals comply with respective PCI standards and do not store sensitive cardholder data. You should request a certificate of compliance annually from providers.

My payment application is already compliant- what else do I need to do?
Utilizing a compliant payment application is a best practice towards achieving compliance, but PCI compliance also covers data security, physical security and network security.

Can I just download a form from the web and fill it out?
It is extremely difficult to complete the standard PCI Self Assessment Questionnaire without assistance- it was written in a very technical language. We have partnered with ControlScan to assist you in the compliance process and offer support to you as you are completing the SAQ. Many of the questions in the SAQ require that you have a written Security Policy in place and a formal Security Awareness Training in place. Without a resource to assist in building the required Security Policy and conduct the formal training, this would be a very time consuming and costly task to complete.

If I only accept credit cards over the phone, does PCI still apply to me?
Yes. All business that store, process or transmit payment cardholder data must be PCI Compliant.

What is a network security scan?
A network security scan involves an automated tool that checks a merchant or service provider’s systems for vulnerabilities. The tool will conduct a non-intrusive scan to remotely review networks and Web applications based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider. The scan will identify vulnerabilities in operating systems, services, and devices that could be used by hackers to target the company’s private network. As provided by an Approved Scanning Vendors (ASV’s) such as ControlScan the tool will not require the merchant or service provider to install any software on their systems, and no denial-of-service attacks will be performed. Note, typically only merchants with external facing IP address are required to have passing quarterly scans to validate PCI compliance.

Do I need vulnerability scanning to validate compliance?
If you electronically store cardholder data post authorization or if your processing systems have any internet connectivity, a quarterly scan by a PCI SSC Approved Scanning Vendor (ASV) is required.

How often do I have to scan?
Every 90 days/once per quarter you are required to submit a passing scan. Merchants and service providers should submit compliance documentation (successful scan reports) according to the timetable determined by their acquirer. Scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV). ControlScan is a PCI Approved Scanning Vendor.

I am a merchant that requires vulnerability scanning. I am not technical, therefore, I cannot make changes to my system, what should I do?
Call ControlScan as they will provide guidance in helping you understand the vulnerabilities found on your scan report, if any. ControlScan will make recommendations on how to correct the issue(s), and arrange additional scans if needed.

If I’m running a business from my home, am I a serious target for hackers?
Yes, home users are arguably the most vulnerable simply because they are usually not well protected. Adopting a ‘path of least resistance’ model, intruders will often zero-in on home users – often exploiting their ‘always on’ broadband connections and typical home use programs such as chat, Internet games and P2P files sharing applications. ControlScan’s scanning service allows home users and network administrators alike to identify and fix any security vulnerabilities on their desktop or laptop computers.

Where can I find the PCI Data Security Standards (PCI DSS)?
The Standard can be found on the PCI SSC’s Website:
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml