We’ve compiled some of the most frequently asked questions regarding Payment Card Industry (PCI) Data Security Standards (DSS), PCI compliance, Personally Identifiable Information (PII), reporting requirements, and our comprehensive Data Protection Program. Should you have additional questions not answered below, please contact our Customer Service Department.
What is the purpose of PCI DSS?
The Payment Card Industry (PCI) Data Security Standards (DSS) are a set of requirements for enhancing payment account data security. These standards were developed by the PCI Security Standards Council, which was founded by Visa, MasterCard, Discover, American Express, and JCB to facilitate industry-wide adoption of consistent data security measures on a global basis. The standard aims to increase awareness and promote best practices in the handling of sensitive information as a means to minimizing identity theft and fraudulent transactions.
Is PCI DSS New?
No. The framework of the PCI data security standards has existed in different forms since 2004.
I only process a few hundred dollars a month. Does my Merchant account still need to be PCI compliant?
Yes, all Merchants, whether small or large, are required to be PCI compliant. The payment brands (Visa, MasterCard, Discover, American Express) have collectively mandated PCI DSS compliance for any and all organizations that process, store or transmit payment cardholder data. Inherent in having a Merchant account is the ability to handle cardholder data. This standard covers more than just POS and computer systems; it addresses the physical handling of data and secure processing as well.
I already use a “PCI Compliant” terminal/gateway. Doesn’t that mean I am PCI compliant?
No. Use of a PCI compliant payment application is only one aspect of the many PCI DSS requirements, which cover the handling of sensitive data. Currently, the PCI DSS lists twelve requirements. These requirements are organized around the following principles, all of which apply:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Can I choose not to certify for PCI compliance?
If you choose not to complete the self-assessment questionnaire (and applicable network scans) you may overlook certain data security practices that minimize your risk of a security breach.
In the event that your business is compromised, you may be subject to substantial fines per card brand. These fines would be in addition to the fees, expenses, fraudulent transactions, and legal actions that may stem from this data breach. In some instances, fines as large as $500,000 per card brand have been imposed for data breaches.
In light of the importance that data security has to the payment processing industry and consumers at large, a fine may be applied for each month that your account has not been validated as PCI compliant or in any given month your account is deemed non-compliant.
Ultimately, failure to achieve compliance may result in termination of your Merchant account.
What do I need to do to validate my PCI DSS compliance?
To validate your PCI DSS compliance, use our simple, easy-to-use PCI Toolkit®. Click Here to start the validation process.
How long is the PCI compliance certification valid?
The PCI compliance certification is valid for one year from the date the certificate is issued. To maintain your compliance, you are required to complete the PCI DSS self-assessment questionnaire annually and conduct any applicable network scans on a quarterly basis.
Do I have to use the Merchant Services Data Protection Program to become PCI compliant?
Enrollment in the Data Protection Program is not optional. As part of the annual fee, PCI Toolkit®, Data Breach Coverage and Breach Reporting™ are offered to you at no additional charge. You may, however, choose to certify with another vendor, but you will be responsible for paying the full cost of the PCI compliance analysis to that vendor. A list of approved vendors is available on the card association web sites or at www.pcisecuritystandards.org. Please note that we have worked to negotiate one of the lowest rates in the industry and have often seen fees in excess of $500. To learn more, go to www.pcisecuritystandards.org
What if I have already been certified or choose to certify through another Qualified Security Assessor (QSA)/Approved Scanning Vendor (ASV)?
If you have already been PCI DSS certified, or if you choose to use another QSA/ASV, please submit your certification documentation to us via email at firstname.lastname@example.org or fax to (402) 916-8240.
Why do I have to do this if I don’t have internet?
All Merchants who process credit card transactions are required to obtain certification to ensure safe processing and handling of cardholder information and to limit the likelihood of a security breach. This includes processing equipment that utilizes standard telephone lines.
Does this protect me against fees if someone steals data from me?
PCI DSS compliance and certification are designed to increase the level of security for sensitive cardholder information. Occasionally breaches may still occur and, as is standard within the industry, Merchants will be responsible for fees incurred.
Personally Identifiable Information (PII)
What is Personally Identifiable Information (PII)?
There are many different definitions of PII. Most definitions include some variation of a person’s name or initials in combination with other pieces of information that can be used to identify the person, including Social Security numbers, driver’s license numbers, and financial account numbers. Some state laws further include date of birth, mother’s maiden name, and certain medical, educational, or employment information.
The most common forms of Personally Identifiable Information (PII) are:
- First and Last Name
- Social Security Number
- Driver’s License Number
- Credit Card Number
- Banking Information – routing number or account number
How can my business be harmed if PII is lost or stolen?
State law requires you to notify affected individuals in the event that PII is lost, stolen, or otherwise compromised. The ramifications of such breaches can be substantial. They can also take many forms, including costs and expenses associated with managing a breach, private lawsuits or government investigations arising from a breach, and lost consumer trust.
The financial consequences of failing to properly report a breach can also be substantial, possibly even more substantial than those associated with the breach itself. As just one example, Visa can assess fines of up to $100,000 per breach incident against merchants that fail to promptly and appropriately report the incident to Visa. You can mitigate this risk by positioning yourself to act quickly in the face of a breach. Breach Reporting™ can help.
What if I don’t record or maintain any Personally Identifiable Information (PII)?
Many merchants do not realize that the cardholder’s name is included in the magnetic stripe of some cards, and is captured when the card is swiped at your POS terminal. That is often how the cardholder name is printed on the cardholder copy of the receipt.
As such, you may be collecting and storing information that constitutes PII through your POS terminal even if you are not expressly asking your customers to provide it. This means that if your POS terminal is breached, you could be required to notify individuals of the breach.
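The two points above (PII is a name in combination with an identifier such as a card number, and a plain swipe already hands the POS both) can be shown concretely. The following is an added example written for this FAQ, not code from the original page or from the program it describes. It parses a constructed ISO 7813 Track 1 record (the format a magnetic stripe reader returns; the PAN 4111111111111111 is a well-known test number, not a real account), shows the name and card number the terminal captures, applies the PCI DSS display truncation used on receipts, and classifies the captured record under the "name plus identifier" rule. The identifier field names and the regular expressions are assumptions for illustration.

```python
"""Added example (not part of the original FAQ): a card swipe yields PII."""
import re
from dataclasses import dataclass

# ISO/IEC 7813 Track 1 layout: %B<PAN>^<SURNAME/GIVEN>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{1,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Assumed SSN layout for the illustration only.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

# Constructed sample swipe; 4111111111111111 is a well-known test PAN, not a real account.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN Q^2512101000000000000?"


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation used by payment card numbers."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Track1:
    pan: str
    surname: str
    given: str
    expiry_yymm: str
    service_code: str


def parse_track1(track: str) -> Track1:
    """Split a Track 1 record into its fields; the name field is SURNAME/GIVEN."""
    m = TRACK1_RE.fullmatch(track)
    if not m:
        raise ValueError("not a Track 1 record")
    surname, _, given = m.group(2).partition("/")
    return Track1(m.group(1), surname.strip(), given.strip(), m.group(3), m.group(4))


def truncate_pan(pan: str) -> str:
    """PCI DSS display truncation: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def receipt_line(t: Track1) -> str:
    """What a merchant copy may print: name plus truncated PAN, never full track data."""
    return f"{t.given} {t.surname}  {truncate_pan(t.pan)}  exp {t.expiry_yymm[2:]}/{t.expiry_yymm[:2]}"


def swipe_to_record(track: str) -> dict:
    """The data a POS captures from a swipe, as a flat record (assumed field names)."""
    t = parse_track1(track)
    return {"name": f"{t.given} {t.surname}", "card_number": t.pan}


# Assumed identifier field names for the classification below.
IDENTIFIER_FIELDS = ("ssn", "driver_license", "card_number", "bank_account")


def identifiers_present(record: dict) -> list:
    """Identifier fields that are populated and pass a basic validity check."""
    found = []
    for field in IDENTIFIER_FIELDS:
        value = str(record.get(field, "")).strip()
        if not value:
            continue
        if field == "ssn" and not SSN_RE.match(value):
            continue
        if field == "card_number" and not (13 <= len(value) <= 19 and luhn_ok(value)):
            continue
        found.append(field)
    return found


def is_pii(record: dict) -> bool:
    """Name in combination with at least one identifier, the common state-law pattern."""
    has_name = bool(str(record.get("name", "")).strip())
    return has_name and bool(identifiers_present(record))


if __name__ == "__main__":
    captured = swipe_to_record(SAMPLE_TRACK1)
    print("captured by POS:", captured)
    print("receipt shows:", receipt_line(parse_track1(SAMPLE_TRACK1)))
    print("record is PII:", is_pii(captured))
```

Running the block shows that the swipe alone produces a record containing a cardholder name and a Luhn-valid card number, which is PII under the definition above, while the receipt line keeps only the truncated PAN; the full track contents (PAN, expiry, service code, discretionary data) are what must never be retained after authorization.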
What is a breach of PII?
The definition of a breach or a “breach of the security of the system” varies from state to state. In many states, a “breach of the security of the system” arises from any “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by your business.” In some states, however, the unauthorized disclosure or acquisition of hard copy records (in addition to computerized data) may also constitute a breach. A breach can occur in many ways, including through lost laptops or PDAs, improper disposal of paper records, or intrusion into your network or personal computer by hackers.
What are my PII data breach risks?
Occurrences of lost or stolen PII occur every day. The financial penalties for these data breaches can be significant. More serious breaches involving PII, especially those involving highly sensitive forms of PII, can result in criminal penalties. Also, your business reputation can be severely damaged.
How can I minimize the threat of PII data breach?
If you store, process or transmit payment card information, for example, you must become PCI compliant to help ensure that you are adequately protecting your systems and networks that may be involved in the processing of payment card information. Our PCI ToolKit® product can help with that. The PCI ToolKit® walks you through your annual PCI Self-Assessment Questionnaire as required by the PCI Security Standards Council.
What is the PCI Toolkit®?
The PCI Toolkit® is an interactive, online system that provides the educational tools necessary to complete PCI compliance quickly and accurately. The program performs a Self-Assessment Questionnaire (SAQ) that all merchants are required to perform annually, to identify the needs of each individual merchant. To validate your PCI DSS compliance, use our simple, easy-to-use PCI Toolkit®. Click Here to start the validation process.
What is the Self-Assessment Questionnaire?
The Self-Assessment Questionnaire (SAQ) is the actual set of questions that merchants must answer. The PCI Toolkit® will guide you through the system and help you determine which SAQ is best suited for your business needs. For more information regarding the SAQ type, please visit PCI Security Standards.
Who needs Quarterly Scanning?
Any merchant who answers Self-Assessment Questionnaire (SAQ) C or D needs to be scanned. If you use an outside vendor and you do not receive or store credit card numbers, you qualify for Self-Assessment Questionnaire (SAQ) A and you do not have to be scanned.
What levels of merchants does the PCI Toolkit® cover?
The PCI Toolkit® can be used by any merchant who does not need an on-site examination to complete the PCI DSS.
What SAQs does the PCI Toolkit® have?
The PCI Toolkit® contains all of the material for Self-Assessment Questionnaires (SAQ) A, B, C and D.
What type of support does the PCI Toolkit® offer?
The PCI Toolkit® offers email based support. This can be launched from any page of the PCI Toolkit®. Our experts will respond back in writing within 1 business day.
How long does it take a merchant to complete the PCI Toolkit® questionnaire?
The average time to protect your business using the PCI ToolKit® is 15-30 minutes. Businesses with complex computer configurations and custom software will take longer.
Does the PCI Toolkit® provide reminders?
The PCI Toolkit® sends out periodic email reminders when annual updates are due. We also provide periodic reminder letters for merchants that have not yet started the PCI Toolkit® process.
Data Breach Coverage
What is the Data Breach Security Program? Why do I need it?
The Data Breach Security Program is a unique insurance offering designed specifically to help merchants meet the significant expenses resulting from a suspected or actual breach of credit card data. Depending on the severity of the breach, these expenses can include the costs for a forensic audit, replacement of compromised cards, and compliance fines—costs that can easily reach $25,000 to $50,000.
What are the coverage amounts?
The basic coverage provides up to $100,000 per merchant account per year.
I own a multiple location business - is each location covered under policy limits?
Yes - Coverage can be offered on up to 5 merchant identification numbers for up to $500,000.
Is there a deductible?
No. There is never any deductible.
Can any business qualify for this insurance coverage?
Any Level 2, 3, and 4 merchant is eligible for coverage as long as they have not had a previous data breach. If a Level 2, 3, or 4 merchant has had a previous breach—or suffers one while covered—the merchant can become eligible (or re-eligible) for coverage once PCI DSS compliance is verified. Level 1 merchants are not eligible for this coverage.
Does a merchant have to be PCI DSS compliant to be eligible for coverage?
No. However, in the event of a breach the account must become compliant before the account can participate (or re-enter) the program.
Level 3 and 4 merchants aren’t breached very often – do I really need this service?
Absolutely they are! In fact, Visa reports that Level 4 merchants have been the source of 80% of identified data compromises since 2005. It makes sense—Level 3 and 4 merchants are more likely to have faulty or non-existent business procedures for preventing employee access to confidential data, leading to a much greater likelihood of data theft.
What about merchants that don’t store magnetic stripe data? Can they be breached?
Yes! While it’s true that merchants storing magnetic stripe data are particularly vulnerable, any merchant can be breached. Risks faced by all merchants include missing or outdated security patches, use of vendor-supplied default settings and passwords, SQL injection by hackers, unnecessary and vulnerable services on their servers, poor business practices that allow physical access to cardholder data, physical losses resulting from employee dishonesty or third-party theft, and simple employee negligence or error. In fact, human error is the largest single cause of data breach.
My business is PCI DSS compliant, can I be breached now?
Absolutely! Although it makes a breach less likely, PCI DSS compliance is not a guarantee that a breach won’t occur. Any system that relies on people-run processes is vulnerable to breach, whether through deliberate employee wrong-doing or an unintentional—but inevitable—human error.
How long does it take to get the program underway?
In most cases, we can have the entire program up and running in as little as 30 days.
How do I submit a claim?
To submit a claim, you need to complete three easy steps: (1) fill out an online claim form by following the easy-to-use link in the merchant portal, (2) upload or fax the notice from the acquiring bank that stipulates there has been a suspected or actual breach and choose an authorized, qualified security assessor, and (3) when the forensic audit is complete, upload or fax a copy of the assessor’s invoice.
How soon do merchants receive their reimbursements?
Within 30 days of submitting a claim, assuming all documents are in order.
I believe a hacker has compromised my system or network. What steps do I take regarding my system?
What is Breach Reporting™?
Breach Reporting™ is an information security breach defense, preparedness, and response service that helps merchants address the risks associated with handling personally identifiable information (PII) without committing all of their valuable internal resources to the cause. Forty-six state laws as well as laws in additional jurisdictions mandate certain responsive procedures in the event that certain forms of PII in your possession are compromised.
If and when you determine that a breach of PII has occurred, or suspect a breach or loss of data, Breach Reporting™ can assist you in notifying the proper authorities (including, in particular, card brands and government agencies) that data has been compromised. Breach Reporting™ also provides a monthly newsletter to help keep merchants like you informed about the latest trends and issues concerning PII.
What services does Breach Reporting™ provide?
Breach Reporting™ is designed to help you react quickly to a data breach. When PII is lost, stolen, or otherwise compromised, merchants are often confused about what steps to take to rectify the situation. But merchants must be prepared to act quickly in order to comply with applicable laws and industry standards, and in order to preserve their customers’ trust. In the event you discover a breach of PII, Breach Reporting™ can help you take action to respond.
When should I call Breach Reporting™?
For the reporting of a suspected or actual breach, members should call 1-855-251-0153. Breach Reporting Toolkit™ will assist you in reporting the breach to federal, state and any other governmental agencies as required.
What agencies do I have to report to when a breach occurs?
Depending on the particular circumstances, you may be required to report the breach to one agency, to multiple agencies, or to none at all. Breach Reporting™ maintains a database of federal, state, and law enforcement agencies that may require reports. Breach Reporting™ can also help by providing reporting to these agencies on your behalf.
Can I get copies of the breach reporting to these agencies?
Breach Reporting™ will provide you with copies of any reporting it sends on your behalf.
What are the requirements to notify my customers when their PII has been compromised?
Requirements to notify customers in the event of a breach vary by state. Breach Reporting™ can help you identify the sources of potential legal obligations to notify customers of a breach.
Do credit-reporting agencies (CRAs) need to be informed of a breach involving PII?
Sometimes. There are provisions in most of the state security breach notification laws regarding reporting breaches to CRAs like Equifax, Experian, and TransUnion. Breach Reporting™ maintains a database of the applicable provisions in these state laws that details under what circumstances CRAs must be informed of a data breach, and we can help you notify them when necessary.