Payment Card Industry (PCI) compliance refers to a set of standards created to help protect payment card data from exposure that could lead to financial loss. The area of PCI compliance which applies to merchants and service providers is called the PCI Data Security Standard (PCI DSS). The PCI DSS consists of requirements developed by the PCI Security Standards Council which was founded by the major Payment Brands. The goal of these requirements is to implement consistent data security procedures across the payment card industry. Validating PCI compliance is a requirement that the Payment Brands have put in place as a proactive measure to address data security needs.
PCI compliance standards have existed for years. ALL merchants, regardless of what payment processor they use, are in fact required to comply with the PCI DSS and this is required as part of the Terms and Conditions of entering into a merchant agreement. We are offering a new online validation solution through the PCI Toolkit to help increase our merchants' awareness and assist in individual compliance efforts.
Becoming PCI compliant and maintaining that status will help you reduce threats to your business and your customers. Any merchant or service provider (i.e. payment gateway, shopping cart, web hosting company, etc.) that accepts, handles, stores, or transmits credit card information must validate PCI compliance each year. The validation process will help educate you about what steps to take in order to make your business PCI compliant.
PCI compliance requirements were put in place specifically to help protect merchants from a data breach, but they do not guarantee protection. While PCI compliance does not absolutely guarantee 100% protection against a breach, being PCI compliant does absolutely increase data security and helps protect businesses from easily avoidable threats. As technology and new data security threats develop, it is important to stay up to date on PCI compliance requirements and make sure you make any changes necessary in order to remain compliant under the most current set of standards.
To satisfy PCI compliance validation requirements, merchants must fill out an Attestation of Compliance and Self-Assessment Questionnaire (SAQ) annually and perform quarterly vulnerability scans of their Internet-facing systems, if they have them. Some changes, such as policy development or Internet security upgrades, may be required in order to become PCI compliant. Using the PCI Toolkit will assist merchants in accomplishing both requirements. Merchants using a dial-up terminal only with no Internet connectivity and those that outsource all payment functions may simply complete the appropriate version of the SAQ for their business type and submit the SAQ to e-onlinedata. Documentation must be submitted to e-onlinedata’s PCI Compliance Team to complete validation requirements. All merchants who have not submitted validation documentation will be enrolled in the PCI Toolkit program, with the exception of merchants who qualify as "dial-up terminal" or "touch tone" only merchants. These merchants will be mailed a paper version of the appropriate Self-Assessment Questionnaire for completion and return to e-onlinedata.
e-onlinedata will be assessing a fee of $10/month for the online validation service. There will also be a billing option to pay at a discounted rate of $100 annually. Merchants that qualify for online validation will receive a letter notifying them of enrollment prior to being billed any fees.
Using PCI Toolkit is optional, however validating PCI compliance is not. You may complete validation on your own by filling out and submitting the Self-Assessment Questionnaire (SAQ) appropriate for your business type to e-onlinedata, and if applicable, passing vulnerability scan documentation as well. Vulnerability scans must be performed by an Approved Scanning Vendor (ASV) qualified by the PCI Security Standards Council. Documentation must be submitted to e-onlinedata’s PCI Compliance Team to complete validation requirements.
Not being PCI compliant increases your chances of undergoing a data breach, which has significant repercussions and could cost you your business. You may be fined anywhere from $10,000 to $500,000 or more per breach. Incidents currently lead to a minimum of $12,000 in forensic investigation and legal fees. Merchants can be liable for chargeback fees, costs to cover fraudulent purchases, reissuance fees at $5-25 per compromised card, and possibly paying to supply security monitoring of all compromised accounts. You also face the possibility of having your ability to accept credit cards revoked altogether. You are responsible for making your business PCI compliant to help reduce these threats to your business. e-onlinedata’s goal is to help merchants understand what steps to take to be sure you are PCI compliant and to provide a way to easily and efficiently validate that PCI compliance requirements are being met.
PCI compliance has become an increasingly important focus as the number of data breaches and instances of theft continue to go up. The longer a merchant is unable to validate PCI compliance, the longer that merchant may be potentially putting business at a higher risk. Non-compliance could result in fines, penalties, liability issues, and damage to business operations and reputation. The sooner you can meet the PCI DSS, the better.
If you are using PCI Toolkit, you will be prompted to answer questions that lead you to the correct SAQ for your business type. In using the PCI Toolkit, you will complete the Attestation of Compliance and Self-Assessment Questionnaire (SAQ)—it will instruct you on the meaning of each of the questions, and will provide help and term definitions. You may find instructions and the questionnaires by visiting the PCI Security Standards Council website. The SAQ must be filled out correctly in order to validate PCI compliance, and submissions may be reviewed if merchants are compromised, risk rated, or randomly audited.
Quarterly vulnerability scans help ensure the security of credit card data which is passed over or accessible through the Internet by checking your network and any web applications or infrastructures with external facing Internet Protocol (IP) addresses for holes where unauthorized users could compromise payment card data. Unlike virus scans, vulnerability scans check all points where credit card information could be accessed and all of the network paths where this data could be compromised. Scans performed by the PCI Toolkit are set up to be automatic and don’t require you to install additional software. Merchants or third party service providers that use the Internet to accept, transmit, or store credit card data need to use the PCI Toolkit or a vendor noted on the PCI Security Standards Council website’s list of Approved Scanning Vendors (ASVs) to set up the required scans.
Even merchants that use a compliant gateway, shopping cart, etc. may still have computers or other equipment with Internet connectivity subject to access by malicious individuals. If you don’t outsource all elements of payment processing and you have systems with Internet access which are being used to accept payments, you do need to set up quarterly vulnerability scans. Even if you primarily handle payments through a third-party service provider, but on occasion enter a payment into your computer over the phone or in person, you must be sure your computer is secure by having a vulnerability scan performed.
Merchants can set up vulnerability scans easily by using the PCI Toolkit or contacting an Approved Scanning Vendor (ASV). Working with third party service providers that have verified PCI compliance helps ensure data security. You may wish to contact your local Internet Service Provider (ISP) or the business which sold you your computer for a recommendation about a local contact that can answer general Internet connectivity questions, or help with putting the right Internet security in place in order to keep payment card data secure.
Merchants need to work to continue meeting PCI compliance standards over time. The minimum validation requirements state that the Self-Assessment Questionnaire (SAQ) must be submitted annually and vulnerability scans must be performed quarterly. However, to ensure PCI compliance, the SAQ should be filled out and vulnerability scans should be run any time there is a significant change to business operations or network systems. Being PCI compliant is an ongoing process and the standards can be expected to change as new data security threats develop.
Yes, you need to submit your completed Self-Assessment Questionnaire (SAQ) and documentation reflecting passing vulnerability scans performed by an Approved Scanning Vendor (ASV) qualified by the PCI Security Standards Council to e-onlinedata’s PCI Compliance Department. Please contact the e-onlinedata PCI Compliance Team to let us know if you have validated.
You should also work to maintain PCI compliance following the standards outlined by the PCI SSC. The requirements change as data security threats evolve, and merchants need to make an ongoing effort to make any changes necessary to meet the most current set of standards.
You may increase the vulnerability of your business and should contact e-onlinedata PCI Compliance to discuss these changes and any potential new validation requirements.
As far as PCI compliance validation is concerned, those businesses that require vulnerability scans do have costs above those that outsource all card data payment functions or do not store any payment card data. However, e-onlinedata does not charge any additional PCI compliance validation fees just for changes.