PCI Compliance

PCI Compliance

InterchangePlus Solutions offers several PCI Compliance options.

When you complete our secure online application, you’ll see a PCI Compliance option offered for $10 per month on your agreement. However, we can also offer you a completelyFREE PCI Compliance solution provided you do not need to do quarterly scans of your Website. Your Account Executive will discuss the various options with you upon approval of your Merchant Account. Once you have completed the free PCI Compliance option and receive your PCI certification, this will completely negate the $10 per month fee!
What is PCI compliance?

Payment Card Industry (PCI) compliance refers to a set of standards created to help protect payment card data from exposure that could lead to financial loss. The area of PCI compliance which applies to merchants and service providers is called the PCI Data Security Standard (PCI DSS). The PCI DSS consists of requirements developed by the PCI Security Standards Council which was founded by the major Payment Brands. The goal of these requirements is to implement consistent data security procedures across the payment card industry. Validating PCI compliance is a requirement that the Payment Brands have put in place as a proactive measure to address data security needs.


High Profile Breaches:

  • May 30, 2011: Honda Canada has advised its customers of a data breach involving unauthorized access of 280,000 customers.
  • May 21, 2011: Lockheed Martin just confirmed that it was hacked.
  • April 26, 2011: The Sony Qriocity and PlayStation Network entertainment services lost more than 100 million accounts.
  • In 2008, Heartland Payment Systems lost a record 130 million credit card records from their merchants’ customers.
    • January 2010: Heartland agreed to pay approximately $60 million to Visa and $41 million to MasterCard.
  • In 2007, 94 million credit and debit card records was lost by the TJX retail chain; TJX agreed to pay damages of $24 million to MasterCard and $41 million to Visa.

 

How come I haven’t heard about PCI compliance or validation before?

PCI compliance standards have existed for years. ALL merchants, regardless of what payment processor they use, are in fact required to comply with the PCI DSS and this is required as part of the Terms and Conditions of entering into a merchant agreement.

What does this mean for my business?
Becoming PCI compliant and maintaining that status will help you reduce threats to your business and your customers. Any merchant or service provider (i.e. payment gateway, shopping cart, web hosting company, etc.) that accepts, handles, stores, or transmits credit card information must validate PCI compliance each year. The validation process will help educate you about what steps to take in order to make your business PCI compliant.

Does validating PCI compliance guarantee a data breach will not occur?
PCI compliance requirements were put in place specifically to help protect merchants from a data breach, but they do not guarantee protection. While PCI compliance does not absolutely guarantee 100% protection against a breach, being PCI compliant does absolutely increase data security and helps protect businesses from easily avoidable threats. As technology and new data security threats develop, it is important to stay up to date on PCI compliance requirements and make sure you make any changes necessary in order to remain compliant under the most current set of standards.

Questions Regarding PCI Compliance Validation

What do I need to do to validate PCI compliance?
To satisfy PCI compliance validation requirements, merchants must fill out an Attestation of Compliance and Self Assessment Questionnaire (SAQ) annually and perform quarterly vulnerability scans of their Internet-facing systems, if they have them. Some changes, such as policy development or Internet security upgrades, may be required in order to become PCI compliant. Using our PCI Program will assist merchants in accomplishing both requirements. Merchants using a dial up terminal only with no Internet connectivity and those that outsource all payment functions may simply complete the appropriate version of the SAQ for their business type and submit the SAQ to InterchangePlus Solutions. Documentation must be submitted to InterchangePlus Solutions‘s PCI Compliance Team to complete validation requirements. All merchants who have not submitted validation documentation will be enrolled in our PCI Program program with the exception of merchants who qualify as “dial up terminal” or “touch tone” only merchants. These merchants will be mailed a paper version of the appropriate Self Assessment Questionnaire for completion and return toInterchangePlus Solutions.

Who can help me with my validation requirements?
InterchangePlus Solutions‘s PCI Department can help explain the validation requirements and process. Please contact the InterchangePlus Solutions PCI Compliance Team and we will be glad to assist you with any questions you may have.

What is the cost of PCI Compliance? 
InterchangePlus Solutions offers a completely FREE PCI Compliance solution provided you do not need to do quarterly scans of your Website.
If you require quarterly scans, based on your exact business type, we will be assessing a fee of $10/month for the online validation service. There will also be a billing option to pay at a discounted rate of $100 annually. Merchants that qualify for online validation will receive a letter notifying them of enrollment prior to being billed any fees.

Is using our PCI Program required?
Using our PCI Program is optional, however validating PCI compliance is not.

You may complete validation on your own by filling out and submitting the Self-Assessment Questionnaire (SAQ) appropriate for your business type to InterchangePlus Solutions, and if applicable, passing vulnerability scan documentation as well. Vulnerability scans must be performed by an Approved Scanning Vendor (ASV) qualified by the PCI Security Standards Council. Documentation must be submitted to InterchangePlus Solutions‘s PCI Compliance Team to complete validation requirements.

What are the consequences of not validating PCI compliance?
Not being PCI compliant increases your chances of undergoing a data breach, which has significant repercussions and could cost you your business. You may be fined anywhere from $10,000 to $500,000 or more per breach. Incidents currently lead to a minimum of $12,000 in forensic investigation and legal fees. Merchants can be liable for chargeback fees, costs to cover fraudulent
purchases, reissuance fees at $5-25 per compromised card, and possibly paying to supply security monitoring of all compromised accounts. You also face the possibility of having your ability to accept credit cards revoked all together. You are responsible for making your business PCI compliant to help reduce these threats to your business. InterchangePlus Solutions‘s goal is to help merchants understand what steps to take to be sure you are PCI compliant and to provide a way to easily and efficiently validate that PCI compliance requirements are being met.

When should I validate PCI compliance by?
PCI compliance has become an increasingly important focus as the number of data breaches and instances of theft continue to go up. The longer a merchant is unable to validate PCI compliance, the longer that merchant may be potentially putting business at a higher risk. Non-compliance could result in fines, penalties, liability issues, and damage to business operations and reputation. The sooner you can meet the PCI DSS, the better.

Where do I find instructions on filling out the Self-Assessment Questionnaire (SAQ)?
If you are using our PCI Program, you will be prompted to answer questions that lead you to the correct SAQ for your business type. In using the our PCI Program, you will complete the Attestation of Compliance and Self-Assessment Questionnaire (SAQ)—it will instruct you on the meaning of each of the questions, and will provide help and term definitions. You may find instructions and the
questionnaires by visiting the PCI Security Standards Council website. The SAQ must be filled out correctly in order to validate PCI compliance, and submissions may be reviewed if merchants are compromised, risk rated, or randomly audited.

What do the vulnerability scans do?
Quarterly vulnerability scans help ensure the security of credit card data which is passed over or accessible through the Internet by checking your network and any web applications or infrastructures with external facing Internet Protocol (IP) addresses for holes where unauthorized users could compromise payment card data. Unlike virus scans, vulnerability scans check all points where credit card information could be accessed and all of the network paths where this data could be compromised. Scans performed by our PCI Program are set up to be automatic and don’t require you to install additional software. Merchants or third party service providers that use the Internet to accept, transmit, or store credit card data need to use our PCI Program or a vendor noted on the PCI Security Standards Council website’s list of Approved Scanning Vendors (ASVs) to set up the required scans.

I use a compliant gateway (shopping cart, etc.), so do I need vulnerability scans?
Even merchants that use a compliant gateway, shopping cart, etc. may still have computers or other equipment with Internet connectivity subject to access by malicious individuals. If you don’t outsource all elements of payment processing and you have systems with Internet access which are being used to accept payments, you do need to set up quarterly vulnerability scans. Even if
you primarily handle payments through a third service provider, but on occasion enter a payment into your computer over the phone or in person, you must be sure your computer is secure by having a vulnerability scan performed.

I don’t know anything about my Internet connection set up, so I’m not sure about vulnerability scans. Where may I find out more information?
Merchants can set up vulnerability scans easily by using our PCI Program or contacting an Approved Scanning Vendor (ASV). Working with third party service providers that have verified PCI compliance helps ensure data security. You may wish to contact your local Internet Service Provider (ISP) or the business which sold you your computer for a recommendation about a local contact that can answer general Internet connectivity questions, or help with putting the right Internet security in place in order to keep payment card data secure.

What comes after validation?
Merchants need to work to continue meeting PCI compliance standards over time. The minimum validation requirements state that the Self-Assessment Questionnaire (SAQ) must be submitted annually and vulnerability scans must be performed quarterly. However, to ensure PCI compliance, the SAQ should be filled out and vulnerability scans should be run any time there is a significant change to business operations or network systems. Being PCI compliant is an ongoing process and the standards can be expected to change as new data security threats develop.

Questions Regarding Already Existing PCI Compliant and Validated Merchants

Do I need to do anything if I’ve already validated PCI compliance?
Yes, you need to submit your completed Self-Assessment Questionnaire (SAQ) and documentation reflecting passing vulnerability scans performed by an Approved Scanning Vendor (ASV) qualified by the PCI Security Standards Council to InterchangePlus Solutions‘s PCI Compliance Department. Please Contact the InterchangePlus Solutions PCI Compliance Team to let us know if you have validated.

You should also work to maintain PCI compliance following the standards outlined by the PCI SSC. The requirements change as data security threats evolve, and merchants need to make an ongoing effort to make any changes necessary to meet the most current set of standards.

If my business model changes or we change the way we process and/or store payment card data, do I need to complete validation again?
You may increase the vulnerability of your business and should please Contact InterchangePlusSolutions PCI Compliance to discuss these changes and any potential new validation requirements.

Will I incur additional costs if my business model changes or we change the way we process and/or store payment card data?
As far as PCI compliance validation is concerned, those businesses that require vulnerability scans do have costs above those that outsource all card data payment functions or do not store any payment card data. However, InterchangePlus Solutions does not charge any additional PCI compliance validation fees just for changes.