The purpose of this communication is to update and remind you of the importance of being PCI-DSS (Payment Card Industry Data Security Standard) compliant.
Each Business Owner/Merchant must ensure that they are in full compliance with all PCI-DSS requirements. Hefty penalty fines may be charged DIRECTLY to ANY Merchant who is determined to be NOT PCI-DSS Compliant. Often this simply means that the Business Owner or Merchant who signed the Merchant Agreement has not gone online and completed the PCI Self-Assessment Questionnaire (SAQ). Again, significant monthly “non-Compliant” penalty fees can be and are charged to each Merchant Account that is not compliant. We, Capital Bankcard-NE, LLC, are NOT responsible for paying these non-Compliant PCI-DSS monthly penalty fees.
Please review your Monthly Credit Card Processing Statements regularly to ensure your company or business is in full compliance with all PCI-DSS requirements; any non-compliance fee being charged will appear on the statement. Call our office at 1-860-774-8210 if you have any questions in this regard. We will make every effort to assist you in completing your PCI-DSS online Self-Assessment Questionnaire.
What is PCI-DSS?
Payment card industry compliance refers to the technical and operational standards that businesses follow to secure and protect credit card data provided by cardholders and transmitted through card processing transactions. PCI standards for compliance are developed and managed by the PCI Security Standards Council.
What is PCI compliance, and do I need it?
PCI compliance refers to meeting the 12 requirements of the PCI Data Security Standard, which businesses use to keep customer card data secure. Even if a merchant processes only one card transaction per year, it must be PCI compliant.
The 12 PCI compliance requirements
Here are the 12 PCI compliance requirements from the PCI Security Standards Council.
- Install and maintain a firewall configuration to protect cardholder data. That includes documenting and testing network connections, restricting inbound and outbound traffic to what the business needs, and blocking connections from untrusted networks.
- Do not use vendor-supplied defaults for system passwords and other security settings. Change default passwords and keys before a system goes live, enable only the services you need, remove unneeded functionality, and encrypt all non-console administrative access.
- Protect stored cardholder data. Keep a policy for retaining and disposing of data, store only what the business needs, never store sensitive authentication data (full magnetic-stripe or chip data, the card verification code, the PIN) after authorization, and render the account number unreadable (by truncation, strong encryption or hashing) wherever it is stored.
- Encrypt cardholder data when transmitting it across open, public networks, using strong cryptography such as a current version of TLS. Among other things, never send unprotected account numbers via email, instant messaging, text, chat, or other end-user messaging technology.
- Protect all systems against malware and regularly update antivirus software. That means performing and documenting periodic scans, keeping the software running with current definitions, and preventing users from disabling it.
- Develop and maintain secure systems and applications. This means identifying and ranking newly published vulnerabilities, installing vendor security patches promptly, and following secure coding practices for any software you develop.
- Restrict access to cardholder data on a need-to-know basis. Define the access each role needs, grant the least privilege required, and enforce it with an access-control system that denies by default.
- Assign a unique ID to every person with computer access and authenticate them. Businesses should also use multi-factor authentication for administrative and remote access to the systems that handle card data, never share accounts, and document their policies in this area.
- Restrict physical access to cardholder data. This means using cameras or other controls to monitor who is in sensitive areas of the business, controlling visitor access, and protecting media and payment terminals against tampering or substitution.
- Track and monitor all access to network resources and cardholder data. That means keeping an audit trail, synchronizing clocks so entries are correctly time-stamped, protecting logs from alteration, and reviewing them for suspicious activity.
- Regularly test security systems and processes. Test and inventory wireless access points, run quarterly internal and external vulnerability scans (the external scans by a PCI-approved scanning vendor), perform penetration tests, and monitor network traffic for intrusions.
- Maintain a policy that addresses information security for all personnel. Write, publish and disseminate it, review it at least once a year, lay out usage rules for critical technologies, explain everyone’s responsibilities, and run a security awareness program.
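Requirements 3, 4 and 10 above come together in one practical check that many small merchants never run: are full card numbers (PANs) ending up in application logs, support tickets, or e-mail? The following is an added example written for this page; it is not code from the notice or from the PCI Security Standards Council. It finds Luhn-valid 13 to 19 digit numbers in text and masks them to the first six and last four digits, the most PCI DSS v3.2.1 permits when a PAN is displayed. The sample log lines are constructed, the card numbers in them are publicly known test PANs, and all function names are this example’s own.

```python
"""Find and mask card numbers (PANs) that leak into logs or messages.

Added example, not part of the original notice. Sample log lines are
constructed; the card numbers in them are public test PANs.
"""
import re
from typing import List, Tuple

# A candidate PAN is 13-19 digits, optionally separated by spaces or dashes,
# and not immediately adjacent to other digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters out order numbers, timestamps, phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits(candidate: str) -> str:
    """Strip the separators the regex allowed."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid 13-19 digit number in text, separators removed."""
    return [
        _digits(m.group(0))
        for m in _PAN_CANDIDATE.finditer(text)
        if luhn_valid(_digits(m.group(0)))
    ]


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (PCI DSS v3.2.1 display maximum)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(text: str) -> str:
    """Replace each Luhn-valid PAN in text with its masked form."""
    def _sub(m):
        pan = _digits(m.group(0))
        return mask_pan(pan) if luhn_valid(pan) else m.group(0)
    return _PAN_CANDIDATE.sub(_sub, text)


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, masked PAN) for every line that leaks a card number."""
    return [(n, mask_pan(p)) for n, line in enumerate(lines, 1) for p in find_pans(line)]


# Constructed sample log lines. 4111..., 5555..., 3782... are public test PANs;
# the order number and the phone number must not be flagged.
SAMPLE_LOG = [
    "2024-03-01 12:00:01 POS sale ok card=4111 1111 1111 1111 amount=42.10",
    "2024-03-01 12:00:02 refund card=5555-5555-5555-4444 amount=-10.00",
    "2024-03-01 12:00:03 order=1234567890123456 status=shipped",
    "2024-03-01 12:00:04 callback 1-860-774-8210 scheduled",
    "2024-03-01 12:00:05 amex 378282246310005 declined",
]

if __name__ == "__main__":
    for n, masked in scan_log(SAMPLE_LOG):
        print(f"line {n}: full PAN logged; should have been {masked}")
    for line in SAMPLE_LOG:
        print(redact(line))
```

The Luhn check is what keeps the false-positive rate tolerable: a 16-digit order number and an 11-digit phone number pass through untouched, while the three test cards are caught whether they are written with spaces, dashes or no separators. Run it over a day of POS, web-server and help-desk logs before you answer “yes” to the SAQ questions about stored and transmitted PANs.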
How to become PCI compliant
PCI compliance applies to any business that accepts card payments, including seasonal or small businesses.
To become PCI compliant, a business typically must do two things:
- Complete an assessment that shows how secure a business’s systems and practices are. Most small businesses can perform a self-assessment.
- Perform a vulnerability scan of the Internet-facing systems used to process payments. This technical exercise must be carried out quarterly by an Approved Scanning Vendor (ASV), an outside firm certified by the PCI Security Standards Council, whenever your questionnaire type requires it (it does whenever your own systems are exposed to the Internet as part of taking payments).
Determining whether your business is PCI compliant requires a thorough assessment of security practices every year.
Although the requirement is universal, there’s no one-size-fits-all assessment. Instead, the type of annual assessment depends on a few factors, including the volume of card transactions. A business falls into one of four levels:
- Level 1 merchants process more than 6 million card transactions per year, or have suffered a data compromise that led to loss of card data (the card brands may also assign Level 1 to any merchant at their discretion).
- Level 2 merchants process more than 1 million and up to 6 million card transactions per year.
- Level 3 merchants process 20,000 to 1 million e-commerce card transactions per year.
- Level 4 merchants process fewer than 20,000 e-commerce card transactions per year, or up to 1 million total card transactions per year.
Most small businesses fall under Level 4 and can perform a self-assessment; Level 1 merchants must have an annual on-site assessment by a Qualified Security Assessor (QSA) or a certified internal assessor. There are multiple Self-Assessment Questionnaires (SAQs), and the one you complete depends on how you accept cards. For example, SAQ A is for card-not-present (e-commerce or mail/telephone order) merchants that have outsourced all cardholder data functions to PCI-validated third parties; SAQ A-EP is for e-commerce merchants that outsource payment processing but whose own website controls how the customer is sent to the payment page; SAQ B is for merchants using stand-alone dial-out terminals; and SAQ D is for everyone else. Settle which one applies first, because the number of questions ranges from about two dozen for SAQ A to several hundred for SAQ D.
The cost of PCI compliance
Some payment processors charge PCI compliance fees. In return, you might receive compliance-related services, like access to consultants who help you complete requirements.
Weighing the cost of this fee, if any, against the services you receive can play a role in choosing a processor. Even if your payment partner doesn’t charge you a fee, becoming PCI compliant usually costs something: Level 4 merchants can expect to pay from $300 to $1,000 annually to hire an approved scanning vendor to test their network, complete the questionnaire and address any issues found.
Tips for becoming PCI compliant
Completing what looks like a simple online questionnaire can still be challenging for small-business owners. The self-assessment questionnaires consist of yes-or-no questions; if you answer “no” to any of them, you must address the issue before submitting the questionnaire. The following steps can make the process easier. Ask your Merchant Service Agent office for assistance, and be proactive.
Practice good data hygiene
Much of the advice on securing data mirrors best practices you might already be familiar with when securing your own personal devices, including:
- Use strong passwords.
- Keep software updated. Older point-of-sale terminals can be particularly vulnerable. Newer, cloud-based systems typically use strong encryption, receive updates automatically and can be less expensive.
- Store only what you need. You probably don’t need to store physical copies of receipts.
- Don’t click on suspicious links.
- Use only card readers and payment software that have been validated by the PCI Security Standards Council.
- Educate employees about the importance of protecting cardholder data.
Take the paperwork seriously
Self-assessment questionnaires are technical in nature and can frustrate business owners, Glover says. Some people are tempted to simply check yes to all the questions on the questionnaire without giving the questions much thought. “People just get frustrated,” Glover says. “We see this a lot. This is a business risk you’re taking.” He says that if a business owner does this and is later compromised, penalties are often stiffer. If you’re unsure of how to handle these questionnaires, consider asking your payment processor for clarification or seeking help from an outside agency.
Use systems that make compliance easier
The point-of-sale (POS) system you use can make PCI compliance easier. Using a cloud-based POS that integrates payment processing, the POS software and card readers can minimize security risks. These integrated systems are usually secure, low-maintenance and often include PCI compliance support. If the card reader is part of a point-to-point encryption (P2PE) solution listed by the PCI Security Standards Council, card data is encrypted inside the terminal before it reaches anything you manage, which also shrinks the scope of your assessment (a shorter questionnaire, SAQ P2PE, applies).
Some business owners piece together an array of products and services from different companies, but these systems can be less secure and often depend on the owner keeping everything up-to-date.
Compliance resources checklist
Understand your business
- Find out which tier your business falls under.
- Find out which assessment you must use.
Talk to your payment processor about:
- The specific compliance requirements in your contract.
- Whether it has consultant recommendations should you need help.
- Whether you are paying a PCI compliance fee.
- Compliance services it provides or recommends.
Get help from experts
- Use resources on the PCI Security Standards Council website to learn more about securing customer data.
Remember, whoever signs the Merchant Agreement is the person or entity responsible for ensuring that the business is accepting credit cards within the Agreement terms and the rules of conduct required by MasterCard, Visa, Discover and American Express. PCI Compliance is mandatory.
Help us help you!