+ What is PCI compliance (PCI-DSS)?

PCI-DSS Stands for Payment Card Industry Data Security Standard, a standard set by all major Credit Card Associations (Visa, MasterCard, American Express, Discover and JCB) to insure that each business maintains a secure environment. The main reason for the compliance is to avoid data breach in your business and its consequence.

+ Why PCI-DSS?

Before PCI, all costs of a card breach were borne by the parties that accepted fraudulent cards. Once PCI was introduced, the source of the breach is now held responsible and carries financial consequences.

+ We have been processing for years – what happened that we need to become compliant now?

PCI-DSS, while existing for years (applied mainly to ecommerce and high volume processing), was recently extended to include merchant “level 4”, which essentially means every single merchant (accepting CC), regardless to its industry or volume.

+ What’s the difference between compliance fee and non-compliance fee?

As with any risk assessment, the likelihood of data breach is much higher when a business is not PCI compliant. This means that such a business is more likely to be subject to fines, penalties and costly forensic audits. This is why non-compliance fee costs the merchant 3-4 times as much as the compliant fee.

+ Where can I find more information about the PCI standards?

A great source of information is the originating council (PCI Security Standards Council). Their official website: https://www.pcisecuritystandards.org/.

+ What type of business must be PCI compliant?

All type of businesses, regardless of size, volume or number of transactions, that accepts, transmits or stores cardholder data. If a business accepts Credit Cards - PCI compliance applies to it!

+ I’m a retail business and I don’t store any card data - why should I become compliant?

Experience shows that retail businesses are not protected from data breach. In fact, 2013 data by industry shows that 35% (!) of all data breach came from retail, and if we combine it with restaurant, this number goes to 53%.

+ I accept only Interac. Do I need to be compliant?

The answer is NO. PCI compliance applies to all card brands belonging to the credit card associations.

+ My shopping cart is already PCI compliant. Do I still need to do anything?

Yes. The fact that your third party provider is compliant is helpful but that doesn’t exempt you. You are still required to be compliant and go thru the process of PCI manager.

+ What happens if I refuse to be PCI compliant?

Merchants that don't comply with PCI regulations may be subject to fines, card replacement costs, costly forensic audits, brand damage, should a breach event occur. While PCI is not mandatory, agreeing to become PCI compliant helps you in both, maintaining secure work environment and reducing your cost in case of a data breach.

+ I store all credit card data in an electronic file secured by a password - why it’s not enough?

This is a common mistake- protection by a password doesn’t protect data breach. All credit card information can potentially be stolen from any computer.

+ Where could I keep my data if I can’t keep it on the computer?

As a compliant merchant, you must receive all your Credit card authorizations on paper documents. Those documents should be stored in a safe place (but not electronically). When the document is no longer needed, it should be shredded in a way that reconstruction is impossible. You want to minimize keeping credit card data, and you can use Virtual Merchant to store those numbers for you.

+ By becoming PCI compliant am I protected from fraudulent transactions?

Unfortunately not. You still need to be careful and use all available tools of fraud prevention.

+ How do I become compliant?

As our merchant, Elavon went far and beyond to help you become compliant by hiring a dedicated company specializing in PCI security to assist our merchants in the process of becoming compliant. Note that if hired privately, cost could be form $15,000-$50,000 (as a few of our merchant can attest.

+ What is PCI compliance manager?

PCI compliance manager is a tool provided in order to help each merchant to become compliant. Please log in to the following website and follow all the steps http://pcicompliancemanager.com (a summary of the steps required on our Nov 7th newsletter).

+ What is the schedule for PCI compliance fee?

Effective December 1, 2014 all merchant will be charged PCI compliance (or a Non-compliance fee). However, merchants have a grace period of 90 from the date their account was opened to become compliant, before a non-compliant fee is applied.

+ What does the PCI compliance fee cover?

The fee covers the cost of becoming and maintaining the status of PCI compliance (must be done yearly). It also protects a compliant merchant in the event that data breach occurred for related costs of up to $100,000.

+ What benefit I get from becoming PCI compliant?

By becoming compliant you protect your name and customers. Shoppers feel more comfortable and secure to buy at a location that notes: “we are PCI Compliant”. You also reduce your risk for fees, penalties and forensics.

+ Do I need vulnerability scanning after I become compliant?

If you electronically store cardholder data or if your processing solution use internet connection, a quarterly scan by a PCI Approved Scanning Vendor (ASV) is required.

+ Does the PCI Certificate need to be renewed?

Yes, all merchants need to renew it every year.