PCI Compliance


START Merchant Services offers a completely FREE PCI Compliance solution, provided you do not need to do quarterly scans of your website.

What is PCI compliance?

Payment Card Industry (PCI) compliance refers to a set of standards created to help protect payment card data from exposure that could lead to financial loss. The part of PCI compliance that applies to merchants and service providers is the PCI Data Security Standard (PCI DSS). The PCI DSS consists of requirements developed by the PCI Security Standards Council, which was founded by the major Payment Brands. The goal of these requirements is to implement consistent data security procedures across the payment card industry. Validating PCI compliance is a requirement the Payment Brands have put in place as a proactive measure to address data security needs.

High-Profile Breaches:

  • May 30, 2011: Honda Canada advised its customers of a data breach involving unauthorized access affecting 280,000 customers.
  • May 21, 2011: Lockheed Martin confirmed that it was hacked.
  • April 26, 2011: The Sony Qriocity and PlayStation Network entertainment services lost more than 100 million accounts.
  • In 2008, Heartland Payment Systems lost a record 130 million credit card records belonging to their merchants’ customers.
    • January 2010: Heartland agreed to pay approximately $60 million to Visa and $41 million to MasterCard.
  • In 2007, 94 million credit and debit card records were lost by the TJX retail chain; TJX agreed to pay damages of $24 million to MasterCard and $41 million to Visa.


How come I haven’t heard about PCI compliance or validation before?

PCI compliance standards have existed for years. ALL merchants, regardless of which payment processor they use, are required to comply with the PCI DSS; this obligation is part of the Terms and Conditions of entering into a merchant agreement.

What does this mean for my business?
Becoming PCI compliant and maintaining that status will help you reduce threats to your business and your customers. Any merchant or service provider (i.e. payment gateway, shopping cart, web hosting company, etc.) that accepts, handles, stores, or transmits credit card information must validate PCI compliance each year. The validation process will help educate you about the steps to take to make your business PCI compliant.

Does validating PCI compliance guarantee a data breach will not occur?
PCI compliance requirements were put in place specifically to help protect merchants from a data breach, but they do not guarantee protection. While PCI compliance cannot guarantee 100% protection against a breach, being PCI compliant does increase data security and helps protect businesses from easily avoidable threats. As technology and new data security threats develop, it is important to stay up to date on PCI compliance requirements and make any changes necessary to remain compliant under the most current set of standards.

Questions Regarding PCI Compliance Validation

What do I need to do to validate PCI compliance?
To satisfy PCI compliance validation requirements, merchants must fill out an Attestation of Compliance and Self Assessment Questionnaire (SAQ) annually and perform quarterly vulnerability scans of their Internet-facing systems, if they have them. Some changes, such as policy development or Internet security upgrades, may be required in order to become PCI compliant.

Who can help me with my validation requirements?
START Merchant Services’s PCI Department can help explain the validation requirements and process.

What is the cost of PCI Compliance?
START Merchant Services offers a completely FREE PCI Compliance solution, provided you do not need to do quarterly scans of your website.
If you require quarterly scans, based on your exact business type, we will assess a fee of $10/month for the online validation service. There will also be a billing option to pay at a discounted rate of $100 annually. Merchants that qualify for online validation will receive a letter notifying them of enrollment prior to being billed any fees.

What are the consequences of not validating PCI compliance?

Not being PCI compliant increases your chances of undergoing a data breach, which has significant repercussions and could cost you your business. You may be fined anywhere from $10,000 to $500,000 or more per breach. Incidents currently lead to a minimum of $12,000 in forensic investigation and legal fees. Merchants can be liable for chargeback fees, costs to cover fraudulent purchases, reissuance fees of $5-25 per compromised card, and possibly the cost of providing security monitoring for all compromised accounts. You also face the possibility of having your ability to accept credit cards revoked altogether. You are responsible for making your business PCI compliant to help reduce these threats to your business. START Merchant Services’s goal is to help merchants understand what steps to take to be sure they are PCI compliant and to provide a way to easily and efficiently validate that PCI compliance requirements are being met.

When should I validate PCI compliance by?
PCI compliance has become an increasingly important focus as the number of data breaches and instances of theft continues to go up. The longer a merchant is unable to validate PCI compliance, the longer that merchant may be putting the business at higher risk. Non-compliance could result in fines, penalties, liability issues, and damage to business operations and reputation. The sooner you can meet the PCI DSS, the better.

I use a compliant gateway (shopping cart, etc.), so do I need vulnerability scans?

Even merchants that use a compliant gateway like Authorize.Net, a compliant shopping cart, etc. may still have computers or other equipment with Internet connectivity that is subject to access by malicious individuals. If you don’t outsource all elements of payment processing and you have systems with Internet access that are used to accept payments, you do need to set up quarterly vulnerability scans. Even if you primarily handle payments through a third-party service provider, but on occasion enter a payment into your computer over the phone or in person, you must be sure your computer is secure by having a vulnerability scan performed.

What comes after validation?

Merchants need to work to continue meeting PCI compliance standards over time. The minimum validation requirements state that the Self-Assessment Questionnaire (SAQ) must be submitted annually and vulnerability scans must be performed quarterly. However, to ensure PCI compliance, the SAQ should be filled out and vulnerability scans should be run any time there is a significant change to business operations or network systems. Being PCI compliant is an ongoing process, and the standards can be expected to change as new data security threats develop.

Questions Regarding Merchants That Are Already PCI Compliant and Validated

Do I need to do anything if I’ve already validated PCI compliance?
Yes, you need to submit your completed Self-Assessment Questionnaire (SAQ) and documentation reflecting passing vulnerability scans performed by an Approved Scanning Vendor (ASV) qualified by the PCI Security Standards Council to START Merchant Services’s PCI Compliance Department. Please contact START Merchant Services to let us know if you have validated.

You should also work to maintain PCI compliance following the standards outlined by the PCI SSC. The requirements change as data security threats evolve, and merchants need to make an ongoing effort to make any changes necessary to meet the most current set of standards.

If my business model changes or we change the way we process and/or store payment card data, do I need to complete validation again?
Such changes may increase the vulnerability of your business; please contact START Merchant Services PCI Compliance to discuss them and any potential new validation requirements.

Will I incur additional costs if my business model changes or we change the way we process and/or store payment card data?
As far as PCI compliance validation is concerned, businesses that require vulnerability scans do have costs above those that outsource all card data payment functions or do not store any payment card data. However, START Merchant Services does not charge any additional PCI compliance validation fees simply because your business model changes.