PCI Frequently Asked Questions


Q: What is PCI DSS (Payment Card Industry Data Security Standard)?

A: PCI DSS (Payment Card Industry Data Security Standard) is maintained by the PCI Security Standards Council, which the major card brands formed in 2006 (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. are represented on the council), to govern how cardholder data is accepted, processed, stored and transmitted.  The standard applies worldwide, not only in the United States.  "PCI Compliant" is the typical terminology used in the credit card industry for complying with the standard established by the Security Standards Council.  More information can be found at the PCI Security Standards Council website:  www.pcisecuritystandards.org/.

Q: How does PCI Compliance affect me and what are my responsibilities as a merchant?

A: The standard applies to all parties involved in the handling of credit cards, including merchants, Property Management System (PMS) vendors, Point of Sale (POS) providers, middleware (gateway) companies, and credit card processors.  Failure to become PCI Compliant can result in significant fines levied by Visa, MasterCard, American Express, JCB and/or Discover; the brands assess these fines against the acquirer/processor, which passes them on to the merchant.  The merchant is responsible for becoming PCI Compliant itself and for ensuring that every payment application and terminal it uses is PCI Compliant.

Q: When does PCI Compliance go into effect?  

A: PCI compliance has been in effect for several years, but Visa, MasterCard, and American Express have only recently stepped up enforcement and their ability to fine merchants for PCI Non-compliance and/or data compromises.  Credit card processors are held responsible for the PCI Compliance of their merchants, and processors are themselves subject to fines for allowing PCI Non-compliant merchants to continue processing.

Q: How do I become PCI Compliant?

A: As a merchant, you must complete the Self Assessment Questionnaire (SAQ) for each merchant ID and answer each question in the affirmative.  There are different SAQs, each specific to how the merchant accepts cards (for example, a fully outsourced e-commerce payment page, stand-alone dial-up terminals, or a POS system connected to the Internet); choosing the wrong SAQ is a common mistake, so confirm the correct one with your processor.  An answer of "Not Applicable" is permitted only where the requirement genuinely does not apply to your environment and the reason is documented.  If you cannot answer "yes" to a question on the SAQ, the issue must be corrected before you can become PCI Compliant.  All answers are attested to at the end of the SAQ on the Attestation of Compliance (AOC).  The SAQ must be completed on an annual basis.  Note that the largest merchants (Level 1, over six million transactions per year for Visa or MasterCard) cannot self-assess and must instead have an on-site assessment performed by a Qualified Security Assessor (QSA).

Q: Am I required to perform periodic vulnerability scanning?

A: Vulnerability scanning (an automated scan of your Internet-facing systems for known vulnerabilities) is only required for merchants whose Point of Sale credit card interface or IP terminal is connected to the Internet; merchants using only dial-up terminals or a fully outsourced payment page are generally exempt.  The SAQ will inquire about the specific payment application(s) that the merchant is using.  If a Point of Sale System and/or IP terminal is being used, the merchant will be notified that scanning is required on a quarterly basis.  Only Approved Scanning Vendors (ASVs) certified by the Security Standards Council may be used.  A scan passes only when it finds no vulnerability rated CVSS 4.0 or higher on the systems in scope; a failed scan must be remediated and the systems rescanned until a passing scan is obtained.  Once a merchant has been successfully scanned, the merchant will receive a passing scan report, which should be kept with the SAQ as evidence of compliance.

Q: What is my responsibility as a merchant for the payment applications or terminals that I use?

A: The merchant is responsible for ensuring that the payment applications and terminals it uses are PCI Compliant.  Payment applications are validated against the Payment Application Data Security Standard (PA-DSS) and terminals against the PCI PIN Transaction Security (PTS) requirements; the Security Standards Council publishes lists of validated applications and approved devices on its website, and a merchant should confirm that the exact product name and version in use appears on those lists.  Since July 1, 2010, Visa has required that merchants use only validated payment applications.  Failure to be compliant can result in discontinuation of the merchant's ability to process credit cards and/or severe fines.

Q: What are the penalties for a merchant that is not PCI Compliant?

A: Visa PCI Non-compliance fines begin at $5,000 per month and can be significantly higher.  MasterCard fines are usually assessed as a lump sum.  Additionally, a data compromise could result in further fines by Visa and MasterCard to recover the monetary losses suffered by the credit card issuers affected by the breach, since stolen card numbers are used for fraudulent transactions and the affected cards must be reissued.  American Express has also posted fines beginning at $50,000 for PCI Non-compliance.

Q: Should I experience a security breach, and card data is compromised, what is my exposure as a merchant?

A: More financially significant than PCI Non-compliance fines, a data compromise could result in Visa fines under Account Data Compromise Recovery (ADCR), which pertains to domestically issued cards, and/or Data Compromise Recovery Solution (DCRS), which pertains to internationally issued cards.  Credit card issuers (the largest issuers are Citibank, American Express, Chase, and Capital One) often experience severe losses as a result of stolen credit card numbers being used for fraudulent transactions and from the cost of reissuing cards.  The merchant where the breach occurred is held responsible, and ADCR/DCRS fines represent a partial recovery of the losses suffered by the issuers.  These fines can run into the hundreds of thousands of dollars.  Additionally, a merchant's reputation and brand image can be tainted by a breach, even if the merchant is not at fault.

Q: How about MasterCard fines?

A: MasterCard levies fines for wrongful storage of magnetic stripe data and wrongful disclosure of account data.  These are typically one-time fines, in contrast to Visa's recurring monthly PCI Non-compliance fines.  MasterCard does not have a program named like Visa's ADCR or DCRS; its Account Data Compromise (ADC) program is structured differently, and in practice MasterCard issuers rely on the chargeback system to recoup losses resulting from fraudulent transactions and the reissuance of credit cards.  Some issuers (e.g. Citibank) are very aggressive in pursuing monies via chargebacks while other issuers are less active.

Q: What is SaleSynergy doing to assist merchants with PCI Compliance?

A: SaleSynergy has enlisted Data Delivery Service (DDS) to provide the "PCI Management Tool" that facilitates PCI Compliance for the merchant.  The DDS/SaleSynergy web page provides a user friendly, easily navigated place to complete and store the required SAQ, along with quarterly reminders to assist in maintaining PCI Compliance.  For those merchants requiring vulnerability scanning, the link to that process is also available on the DDS/SaleSynergy portal.  The portal can be found at the following URL:

               www.pciapply.com/pci_fsp_login.aspx

Additionally, SaleSynergy, through partnership with Royal Group Services (RGS), is providing breach insurance for all merchants (unless they have had a prior breach).  Details on breach insurance can be found at the following URL:

               www.salesynergy.com/breach-insurance 

Q: Is there a checklist that I can review to help me with the PCI Compliance process?

A: Yes, the checklist is available at the following URL:

               http://www.salesynergy.com/pci-checklist