PCI stands for Payment Card Industry, but usually means one of the following:
The Payment Card Industry Security Standards Council. This is an industry body made up of organizations like Visa, MasterCard, American Express and Discover. The Council is how these companies cooperate to agree upon a single, common security standard that Merchants are required to meet.
The actual security standard put together by the Council described in the first definition above. The full name for this standard is the Payment Card Industry Data Security Standard (PCI DSS). Merchants must meet this set of security requirements if their business accepts, transmits or processes customer payment cards, such as credit cards or debit cards.
PCI DSS stands for Payment Card Industry Data Security Standard. This is a technical and broad-ranging set of security requirements created by the Payment Card Industry, laying out what Merchants need to do to protect customer information. The PCI Council requires that Merchants meet this set of security requirements if their business accepts, transmits or processes customer payment cards, such as credit cards or debit cards. Merchants that do not comply with these requirements can be penalized in a number of ways, up to and including having their card-processing privileges revoked, leaving them unable to accept customer payment cards.
PCI DSS applies to ALL organizations or Merchants, regardless of size, that accept, transmit, or store any payment card information. In other words, if any customer of that organization ever pays using a credit card or debit card, then the PCI DSS requirements apply.
To satisfy the requirements of PCI, a Merchant must do two things:
- Comply with the Data Security Standard by meeting all of its requirements, and
- Validate their compliance. This means the Merchant must SHOW (in a manner appropriate to their size and situation) that they are complying with the Data Security Standard. For some Merchants, such as those with a high volume of card transactions or with a history of security problems, validation involves on-site audits by certified professionals, but for many Merchants the primary requirements are:
  - Annual completion and submission by the Merchant of a PCI Self-Assessment Questionnaire (the SAQ); and
  - Where appropriate, undertaking a quarterly network vulnerability scan by a certified scanning company.
It is important to note that being in Compliance does NOT automatically mean that the Merchant has met their Validation requirement.
- Check their Compliance, by finding out for themselves whether they are in compliance with the Data Security Standard; and
- Complete part of their Validation, by giving others, such as their Acquiring Bank, evidence that they are in Compliance with the PCI Data Security Standard.
As of February 2008, there is no longer a single one-size-fits-all Self-Assessment Questionnaire. Merchants now need to identify which one of five Validation Type categories they fit into, and then complete the appropriate Self-Assessment Questionnaire for their category. For some Merchants, the appropriate Self-Assessment Questionnaire is short and simple, while for other Merchants it is long and extremely technical. Note that for all versions of the Self-Assessment Questionnaire, Merchants will only be considered compliant if they pass (or can answer “Not Applicable” to) ALL of the questions in the Questionnaire.
Being “Compliant” means that the Merchant meets all of the requirements laid out in the Payment Card Industry Data Security Standard. The requirements for Compliance are the same for ALL Merchants, large or small. However, smaller Merchants typically avoid many of the Compliance problems that larger organizations face, because their systems and networks are usually simpler.
Validation means that a Merchant can demonstrate, via standard documents and/or tests, that they are meeting the PCI DSS requirements. Different Merchant types face different Validation requirements, depending on which of four levels they are assigned to.
No, PCI is not, in itself, a law. The standard was put together by business organizations including Visa, MasterCard and the other major card companies. Merchants that do not comply with PCI DSS are not necessarily breaking any law, but they are probably violating their Terms of Service or contract with their acquiring bank and the card associations. As a result, the Merchant might be penalized or sued, or these companies might refuse to work with the Merchant, leaving the Merchant unable to process credit or debit cards.
Not all businesses will require scans, but where one is needed, a vulnerability scan is an automated, non-intrusive process that assesses the Merchant’s network and web applications from the Internet (on the external-facing IPs). The scan will identify any vulnerabilities or gaps that may allow an unauthorized or malicious user to gain access to the network and potentially compromise cardholder data.
If your business fails to become PCI compliant[1], you could be putting your business at greater risk from the growing threat of payment card data breaches and theft, which may result in substantial penalties (such as fines from banks, regulatory agencies, and card associations), fraud and chargebacks, as well as legal costs and lost customers. If you fail to become PCI DSS compliant or to report your PCI DSS-compliant status with a third-party vendor to First Data, you may also be charged a monthly non-receipt of PCI Validation fee by your Merchant Services provider until such time as you become PCI DSS-compliant or report your PCI DSS-compliant status to First Data.
If your business experiences a data security breach, you could even lose your ability to process credit card payments. Perhaps more importantly, you risk the loss of customers. Research shows that 43% of customers who have been victims of fraud stop doing business with the merchant where the fraud occurred.[2]
[1] Achieving PCI DSS compliance does not prevent a data security breach or compromise, or change the allocation of risk under your merchant agreement.
[2] Javelin Strategy and Research, June 2009.
The First Data PCI Rapid Comply® solution is an easy-to-use online tool that can help you achieve and maintain PCI DSS compliance more quickly and easily. It offers:
- Step-by-step guidance to complete the annual self-assessment questionnaire (SAQ): Our step-by-step application will direct you to the PCI SAQ that is appropriate for your business (A, B, C, C-VT or D). You can complete the SAQ with guided support, ensuring each question is answered accurately.
- Fewer questions to answer – in some cases, 85% fewer questions: With “pre-SAQ” questions, we can pre-populate the appropriate SAQ answers, which are often the most difficult, minimizing the number of questions you have to deal with and speeding up the SAQ completion process.[1]
- Comprehensive support that ensures your questions get answered: Have a question? With our built-in help, guides and security expertise, we can answer any PCI questions you may have – online and via chat, email and phone.
With our PCI Rapid Comply® solution, there are no new or additional charges. The Compliance Services Fee charged to you by your Merchant Services provider includes your annual PCI self-assessment questionnaire (SAQ) and quarterly scans, if needed, which are offered in our PCI Rapid Comply® solution.
If you fail to become PCI DSS compliant or to report your PCI DSS-compliant status with a third-party vendor to First Data, you may also be charged a monthly non-receipt of PCI Validation fee by your Merchant Services provider until such time as you become PCI DSS compliant or report your PCI DSS-compliant status to First Data.
The benefits of using the First Data® PCI Rapid Comply® solution are that it is offered by and integrated with your merchant services provider. The PCI Rapid Comply® solution includes a guided, step-by-step SAQ tool to help complete the annual questionnaire with ease, an integrated scanning tool for merchants that are required to pass quarterly scans, and comprehensive support online and via chat, email and phone to ensure your questions get answered.
As your merchant services provider, we hope you will elect to use our PCI Rapid Comply® solution. However, you are free to obtain PCI DSS compliance services from third-party vendors.
If you are charged an annual compliance service fee pursuant to your merchant processing contract, the PCI Rapid Comply® solution is made available to you. If you choose to utilize the services of a third-party PCI compliance services vendor, you will be separately billed by that vendor for those PCI compliance services. Fees that First Data charges appear separately as a line item on your merchant account statement.
The PCI Rapid Comply® solution is an online, automated self-assessment tool offered by First Data to guide our merchants through the PCI DSS compliance validation assessment process. It offers the support of a live help desk and provides information on potential vulnerabilities, along with innovative security enhancements that may further protect our merchants' processing environments.
Level 3 and 4 PCI merchants are not required to validate self-assessment compliance through a QSA; therefore, First Data is not required to be a QSA in order to offer this feature of the PCI Rapid Comply® solution to its merchants. However, the PCI Rapid Comply® solution was developed in conjunction with a QSA to make the self-assessment validation process much simpler for merchants to complete. In addition, an Approved Scanning Vendor (ASV) is used to support quarterly network scans required for merchants processing payments over the internet.
For PCI Level 1 and 2 merchants that require a QSA for their PCI DSS compliance validation, a PCI Approved QSA can be found on the PCI SSC's website.