So what's all this talk about data security?

The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of requirements for enhancing payment account data security. These standards were developed by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, Inc. to facilitate industry-wide adoption of consistent data security measures on a global basis.
I have never heard of PCI Compliance before. Is this new?

No. The framework of the PCI DSS has existed in different forms for some time now, and the standard continues to evolve. You may be more familiar with the following programs, which promote the implementation of the PCI DSS:

MasterCard: Site Data Protection (SDP) program
Visa: Cardholder Information Security Program (CISP)
Discover Network: Discover Information Security & Compliance (DISC)
American Express: Data Security Operating Policy
Do the card associations require merchants to be PCI compliant?

Simply put, Visa, MasterCard and other major card associations require all entities that store, process or transmit cardholder data to comply with the PCI DSS. The standard exists to protect businesses and consumers. When merchants certify their compliance with the PCI DSS, they demonstrate their commitment to data security, in addition to reducing exposure to fraud and the costs associated with it. Compliance is a priority for the card associations and for FDIS.
The Visa Web site (www.visa.com/cisp) states:

PCI DSS compliance is required of all merchants and service providers that store, process, or transmit Visa cardholder data and applies to all payment channels, including retail (brick-and-mortar), mail/telephone-order, and e-commerce.

In addition, the Visa site explains:

If a member, merchant or service provider does not comply with the security requirements or fails to rectify a security issue, Visa may fine the responsible member or impose restrictions on the merchant or its agent. Visa may waive fines in the event of a data compromise if there is no evidence of non-compliance with PCI DSS and Visa rules. To prevent fines, a member, merchant, or service provider must maintain full compliance at all times, including at the time of breach as demonstrated during a forensic investigation. Additionally, a member must demonstrate that prior to the compromise the compromised entity had already met the compliance validation requirements, demonstrating full compliance.
The following information is posted on the MasterCard Web site (www.mastercard.com/sdp):

While all merchants are required to comply with the Payment Card Industry Data Security Standard, merchants that store, process or transmit MasterCard account data may also be required to validate compliance with their acquirer.

The MasterCard site also states:

If a merchant does not meet the applicable compliance requirements of the SDP Program, then MasterCard may levy a non-compliance assessment on the responsible MasterCard member.
What do my merchants have to do to become PCI compliant?

Typically, a merchant must complete at minimum a PCI DSS self-assessment questionnaire annually. If the merchant electronically stores cardholder information, or if his or her processing systems have any Internet connectivity, a quarterly scan by an approved scanning vendor is also required.
What about merchants who are not processing? Why do they have to be PCI compliant?

All merchants, whether small or large, need to be PCI compliant. The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit cardholder data.
Why do merchants using "PCI compliant" terminals/gateways have to certify their PCI compliance?

The PCI Security Standards Council has various requirement programs. The Payment Application Data Security Standard (PA-DSS) is a set of requirements that helps software vendors and others develop PCI DSS-compliant applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data.

Use of a terminal/gateway that runs PA-DSS certified software is one of many components that are evaluated in the assessment of a merchant's PCI DSS compliance.
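As an added illustration of the "do not store prohibited data" point (this code is not from the FAQ and is not PA-DSS reference code), the Python sketch below shows the kind of pre-storage filter a payment application applies: it drops sensitive authentication data (track data, CVV2, PIN) before a record is persisted, truncates the PAN, and audits stored records for leaks of a full PAN into free-text fields. The record layout, field names and the sample authorization response are assumptions constructed for the example.

```python
"""Pre-storage filtering and auditing of payment records.

Added example, not part of the original FAQ and not PA-DSS reference code.
The dict-shaped record and its field names are assumptions for illustration.
"""
import re
from typing import Any

# Sensitive authentication data that a payment application must not retain
# after authorization: full magnetic stripe (track) data, card verification
# values (CVV2 and brand equivalents) and PIN / PIN block. Field names assumed.
PROHIBITED_FIELDS = frozenset({"track1", "track2", "cvv2", "cvc2", "cid", "pin", "pin_block"})

# A PAN is a 13- to 19-digit number; this matches digit runs of that length.
PAN_RUN = re.compile(r"\d{13,19}")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test, used to tell a PAN from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep only the first six and last four digits (truncation is one of the
    methods PCI DSS lists for rendering a stored PAN unreadable)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of the record safe to persist: prohibited fields removed,
    PAN truncated. Everything else (amount, expiry, auth code) is kept."""
    cleaned = {k: v for k, v in record.items() if k.lower() not in PROHIBITED_FIELDS}
    if "pan" in cleaned:
        cleaned["pan"] = truncate_pan(str(cleaned["pan"]))
    return cleaned


def audit_stored_record(record: dict[str, Any]) -> list[str]:
    """Report violations in a record as it sits in storage: a prohibited field
    that survived, or a Luhn-valid full PAN hiding in any string field
    (e.g. a PAN pasted into a notes field)."""
    findings = []
    for key, value in record.items():
        if key.lower() in PROHIBITED_FIELDS:
            findings.append(f"prohibited field present: {key}")
            continue
        if not isinstance(value, str):
            continue
        squashed = re.sub(r"[ -]", "", value)   # ignore spacing/hyphen formatting
        for match in PAN_RUN.finditer(squashed):
            if luhn_valid(match.group()):
                findings.append(f"unprotected PAN-like value in field: {key}")
                break
    return findings


# Constructed sample authorization response (test PAN 4111 1111 1111 1111,
# made-up track data and CVV2). Not real cardholder data.
CONSTRUCTED_AUTH_RESPONSE = {
    "pan": "4111 1111 1111 1111",
    "expiry": "12/29",
    "cvv2": "123",
    "track2": "4111111111111111=29121010000000000000",
    "amount": "19.99",
    "auth_code": "A1B2C3",
}

if __name__ == "__main__":
    print("raw record violations:", audit_stored_record(CONSTRUCTED_AUTH_RESPONSE))
    safe = sanitize_for_storage(CONSTRUCTED_AUTH_RESPONSE)
    print("stored record:", safe)
    print("stored record violations:", audit_stored_record(safe))
```

The filter is applied at the boundary where the application hands a record to its database or log writer; the audit is the complementary check run over what is already stored, which is also where a free-text field containing a pasted card number would be caught.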
What is an approved scanning vendor?

An approved scanning vendor is an organization that validates adherence to certain PCI DSS requirements by performing vulnerability scans of a merchant's Internet-facing systems.
Bottom Line

Check with your Merchant Account Provider to make sure you have taken the proper course of action to be in compliance. This avoids monthly "non-compliance fees".