Learn about Payment Card Industry Data Security Standards (PCI DSS) and how to become compliant.
PCI Compliance FAQs
PCI compliance is required for every business accepting credit cards, regardless of your payment processing method. Feel free to contact us if you have additional questions or issues that are not addressed below.
Any company with a Merchant ID (MID) that processes, stores or transmits credit card information must adhere to and comply with the PCI Data Security Standard (PCI DSS), created and updated annually by the PCI Security Council. Introduced on September 7, 2006, the Payment Card Industry Security Standards Council (PCI SSC) provides an actionable framework for developing a robust payment card data security process, including prevention, detection, and appropriate reaction to security incidents. The PCI DSS is administered and managed by the PCI SSC, which is independent of the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). Card brands and acquirers are responsible for enforcing compliance, not the PCI Council.
PCI applies to any business that accepts, transmits or stores any cardholder data.
The PCI DSS can be found at: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
There are four levels of PCI compliance as determined by Visa and MasterCard. These levels are based on the transaction volume (including credit, debit, and prepaid) over a 12-month period. Merchants that have been affected by a security breach which resulted in compromised card data may be escalated to the next level.
| Merchant Level | Description |
| --- | --- |
| 1 | Any merchant processing over $6M Visa and/or MasterCard transactions per year. |
| 2 | Any merchant processing $1M to $6M Visa and/or MasterCard transactions per year. |
| 3 | Any merchant processing $20,000 to $1M Visa and/or MasterCard e-commerce transactions per year. |
| 4 | Any merchant processing less than $20,000 Visa and/or MasterCard e-commerce transactions per year, and all other merchants processing up to $1M Visa and/or MasterCard transactions per year. |
The SMB merchant must complete the following steps to become PCI compliant:
- Determine which Self-Assessment Questionnaire (SAQ) your business should use to validate compliance.
- Complete the SAQ per the instructions.
- Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV). BluePay uses ControlScan. Note: Scanning does not apply to all merchants. It is required for SAQ A-EP, SAQ B-IP, SAQ C, SAQ D-Merchant and SAQ D-Service Provider.
- Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool).
- Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to BluePay.
Yes. All businesses that process, transmit or store credit card data must be PCI compliant.
Yes. Using BluePay does not exclude your company from PCI compliance. It may reduce your risk exposure, and consequently reduce the effort to validate compliance, but it does not remove you from responsibility.
Best practices would be to certify each merchant ID (MID) number individually. Some businesses choose to certify by multiple MID numbers under one entity. However, if multiple locations are certified under one entity and a compromise were to occur, all MID numbers are subject to forensic investigation, versus only the identified MID.
Any debit, credit, and pre-paid cards branded with one of the five card association/brand logos that participate in the PCI SSC — American Express, Discover, JCB, MasterCard, and Visa International — are within scope.
No. An SSL certificate is just one piece of the puzzle to becoming PCI compliant. You must establish strong encryption of the cardholder’s data during transmission over open, public networks. In addition, you need to validate that the website operators are a legitimate, legal organization.
An acquiring bank may be fined by the card brands anywhere from $5,000 to $100,000 per month for PCI compliance violations. These fines are passed downstream to the merchant. In addition, your account is subject to many additional costs including lawsuits from cardholders and issuing banks, the reissuance of cards, brand damage and a required forensic investigation. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business. It is important to be familiar with your merchant account agreement, which should outline your exposure.
The PCI Security Standards Council (SSC) defines ‘cardholder data’ as the full Primary Account Number (PAN) or the full PAN along with any of the following elements:
- Cardholder name
- Expiration date
- Service code
- Sensitive Authentication Data which includes full magnetic stripe data, CAV2, CVC2, CVV2, CID, PINs, PIN blocks and more
With regards to PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five major card brands (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. A merchant can also be a service provider, if the services sold result in storing, processing or transmitting cardholder data on behalf of other merchants or service providers.
The PCI DSS considers any company that stores, processes or transmits cardholder data on behalf of another entity to be a service provider.
A payment application is anything that stores, processes or transmits card data electronically. Anything that incorporates software to handle credit card data, from a POS system to an e-commerce shopping cart, is classified as a payment application.
Payment Gateways connect a merchant to the bank or processor that is acting as the front-end connection to the card brands. Gateways route many inputs from a variety of different applications to the appropriate bank or processor. They communicate with the bank or processor using dial-up, Web-based or privately held connections.
The point-of-sale (POS) environment refers to a transaction that takes place at a merchant location (e.g., retail store, restaurant, hotel, gas station or convenience store). An Internet protocol (IP)-based POS is one where transactions are stored, processed or transmitted on IP-based systems or systems communicating via TCP/IP.
Payment Application Data Security Standard (PA-DSS) is upheld by the PCI Security Standards Council (SSC) to address the critical issue of payment application security. The requirements are designed to ensure that vendors provide products to help merchants maintain PCI DSS compliance and eliminate the storage of sensitive cardholder data.
The PCI SSC administers the program to validate payment applications’ compliance against the PA-DSS, and publishes and maintains a list of PA-DSS validated applications. See https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml for more information.
According to PCI DSS requirement 3.3, the first six and last four digits are the maximum number of digits that can be displayed. Any paper receipts stored by merchants must adhere to the PCI DSS, especially regarding physical security.
To determine if you qualify for a scan, log in to the BlueView Merchant Portal and select PCI Compliance from the menu on the left. Follow the on-screen directions.
A vulnerability scan is an automated tool that conducts a nonintrusive scan of a merchant or service provider’s system to remotely review networks and Web applications based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider. The scan pinpoints vulnerabilities in operating systems, services and devices that could be used by hackers to target the company’s private network. Approved Scanning Vendors (ASVs), like ControlScan, do not require the merchant or service provider to install any software on their systems, and no denial-of-service attacks will be performed.
Those who meet the above criteria are required to submit a passing scan once per quarter. Scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV), such as ControlScan.
Here at BluePay, we believe in the importance of PCI compliance to ensure the safety and security of electronic transactions. Merchants that do not comply with PCI DSS will be charged non-compliance fees, and are subject to fines, card replacement costs, costly forensic audits, brand damage, etc., should a breach event occur. PCI Compliance is mandated by the major card brands (Visa, MasterCard, Discover, AMEX and JCB), but is not enforced by any government entity or authority. PCI greatly helps you to reduce your risk of facing these extremely unpleasant and costly consequences.
Yes — fraudsters will often target home users due to vulnerable broadband connections and typical home use programs like chat, Internet games and P2P file-sharing applications. ControlScan’s scanning service allows home users and network administrators alike to identify and fix any security vulnerabilities on their desktop or laptop computers.
While there are many steps you can take to prevent card data breaches, unfortunately they can still occur to businesses of all types and sizes. If you believe you have been breached, contact BluePay immediately at [email protected].
Yes. California implemented a breach notification law in 2003, and there are now over 38 states that have similar laws in place. See www.privacyrights.org for more detail on state laws.