PCI Compliance

Learn about Payment Card Industry Data Security Standards (PCI DSS) and how to become compliant.

PCI Compliance FAQs

PCI compliance is required for every business accepting credit cards, regardless of your payment processing method. Feel free to contact us if you have additional questions or issues that are not addressed below.

What is PCI?

Any company with a Merchant ID (MID) that processes, stores or transmits credit card information must adhere to and comply with the PCI Data Security Standard (PCI DSS), created and updated annually by the PCI Security Council. Introduced on September 7, 2006, the Payment Card Industry Security Standards Council (PCI SSC) provides an actionable framework for developing a robust payment card data security process — including prevention, detection, and appropriate reaction to security incidents. The PCI DSS is administered and managed by the PCI SSC, which is independent of the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). Card brands and acquirers are responsible for enforcing compliance, not the PCI Council.

To whom does PCI apply?

PCI applies to any business that accepts, transmits or stores any cardholder data.

Where can I find the PCI Data Security Standards (PCI DSS)?
What are the PCI compliance levels and how are they determined?

There are four levels of PCI compliance as determined by Visa and MasterCard. These levels are based on the transaction volume (including credit, debit, and prepaid) over a 12-month period. Merchants that have been affected by a security breach which resulted in compromised card data may be escalated to the next level.

Merchant levels and their descriptions:

  Level 1: Any merchant processing over $6M Visa and/or MasterCard transactions per year.
  Level 2: Any merchant processing $1M to $6M Visa and/or MasterCard transactions per year.
  Level 3: Any merchant processing $20,000 to $1M Visa and/or MasterCard e-commerce transactions per year.
  Level 4: Any merchant processing less than $20,000 Visa and/or MasterCard e-commerce transactions per year, and all other merchants processing up to $1M Visa and/or MasterCard transactions per year.

What does a small-to-medium sized business (Level 4 merchant) have to do in order to satisfy the PCI DSS requirements?

The SMB merchant must complete the following steps to become PCI compliant:

  • Determine which Self-Assessment Questionnaire (SAQ) your business should use to validate compliance. Click here to start the process.
  • Complete the SAQ per the instructions.
  • Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV). BluePay uses ControlScan. Note: Scanning does not apply to all merchants. It is required for SAQ A-EP, SAQ B-IP, SAQ C, SAQ D-Merchant and SAQ D-Service Provider.
  • Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool).
  • Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to BluePay.

If I only accept credit cards over the phone, does PCI still apply to me?

Yes. All businesses that process, transmit or store credit card data must be PCI compliant.

If BluePay is PCI compliant, do I still need to be?

Yes. Using BluePay does not exclude your company from PCI compliance. It may reduce your risk exposure, and consequently reduce the effort to validate compliance, but it does not remove you from responsibility.

My business has multiple locations; is each location required to validate PCI compliance?

Best practices would be to certify each merchant ID (MID) number individually. Some businesses choose to certify by multiple MID numbers under one entity. However, if multiple locations are certified under one entity and a compromise were to occur, all MID numbers are subject to forensic investigation, versus only the identified MID.

Are debit card transactions in scope for PCI?

Any debit, credit, and pre-paid cards branded with one of the five card association/brand logos that participate in the PCI SSC — American Express, Discover, JCB, MasterCard, and Visa International — are within scope.

Am I PCI compliant if I have an SSL certificate?

No. An SSL certificate is just one piece of the puzzle to becoming PCI compliant. You must establish strong encryption of the cardholder’s data during transmission over open, public networks. In addition, you need to validate that the website operators are a legitimate, legal organization.

What are the penalties for noncompliance?

An acquiring bank may be fined by the card brands anywhere from $5,000 to $100,000 per month for PCI compliance violations. These fines are passed downstream to the merchant. In addition, your account is subject to many additional costs including lawsuits from cardholders and issuing banks, the reissuance of cards, brand damage and a required forensic investigation. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business. It is important to be familiar with your merchant account agreement, which should outline your exposure.

What is defined as ‘cardholder data’?

The PCI Security Standards Council (SSC) defines ‘cardholder data’ as the full Primary Account Number (PAN) or the full PAN along with any of the following elements:

  • Cardholder name
  • Expiration date
  • Service code
  • Sensitive Authentication Data, which includes full magnetic stripe data, CAV2, CVC2, CVV2, CID, PINs, PIN blocks and more

What is the definition of merchant?

With regards to PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five major card brands (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. A merchant can also be a service provider, if the services sold result in storing, processing or transmitting cardholder data on behalf of other merchants or service providers.

What constitutes a service provider?

The PCI DSS considers any company that stores, processes or transmits cardholder data on behalf of another entity to be a service provider.

What constitutes a payment application?

A payment application is anything that stores, processes or transmits card data electronically. Anything from a POS system to an e-commerce shopping cart that incorporates software to handle credit card data is classified as a payment application.

What is a payment gateway?

Payment Gateways connect a merchant to the bank or processor that is acting as the front-end connection to the card brands. Gateways route many inputs from a variety of different applications to the appropriate bank or processor. They communicate with the bank or processor using dial-up, Web-based or privately held connections.

How is an IP-based POS environment defined?

The point-of-sale (POS) environment refers to a transaction that takes place at a merchant location (i.e., retail store, restaurant, hotel, gas station, convenience store, etc.). An Internet protocol (IP)-based POS is when transactions are stored, processed or transmitted on IP-based systems or systems communicating via TCP/IP.

What is PA-DSS?

Payment Application Data Security Standard (PA-DSS) is upheld by the PCI Security Standards Council (SSC) to address the critical issue of payment application security. The requirements are designed to ensure that vendors provide products to help merchants maintain PCI DSS compliance and eliminate the storage of sensitive cardholder data.

The PCI SSC administers the program to validate payment applications’ compliance against the PA-DSS, and publishes and maintains a list of PA-DSS validated applications. See https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml for more information.

Can the full credit card number be printed on the consumer’s copy of the receipt?

According to PCI DSS requirement 3.3, the first six and last four digits are the maximum number of digits that can be displayed. Any paper receipts stored by merchants must adhere to the PCI DSS, especially regarding physical security.
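The following Python helpers show what the two rules above look like in code: masking a PAN to the first six and last four digits as requirement 3.3 permits on a display, and checking application log lines for full PANs that should never have been written there in the first place. This is an added example for this FAQ, not BluePay, ControlScan or PCI SSC code. The card numbers and log lines are constructed test data (the card numbers pass the Luhn check digit algorithm that card brands use, but belong to no real cardholder), and the function names are this example's own.

```python
"""PAN masking per PCI DSS requirement 3.3 and a simple check for full PANs
leaking into application logs.

Added example, not BluePay/PCI SSC code. All card numbers and log lines below
are constructed test data.
"""
import re

# A candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not immediately preceded or followed by another digit.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card brands.

    Roughly one in ten random digit strings also passes, so treat a hit as a
    candidate to review, not proof that a PAN was logged.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to the most requirement 3.3 allows on a display: first six, last four."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(text: str) -> list:
    """Return the digit strings in text that look like real PANs (length and Luhn)."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def scrub_log_line(line: str) -> str:
    """Replace any Luhn-valid PAN in a log line with its masked form."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _PAN_CANDIDATE.sub(repl, line)


# Constructed sample log lines: an order id that merely looks like a PAN, a
# full PAN, and a full PAN plus a CVV (sensitive authentication data).
SAMPLE_LOG = [
    "2024-01-01T12:00:00Z INFO order_id=1234567890123456 status=approved",
    "2024-01-01T12:00:01Z DEBUG auth request pan=4111111111111111 exp=12/26",
    "2024-01-01T12:00:02Z DEBUG pan=5555 5555 5555 4444 cvv=123 stored for retry",
]


def audit_log(lines) -> list:
    """Return (line_number, masked_pan) for each line carrying an unmasked PAN.

    Findings are reported in masked form so the audit output itself does not
    become another copy of cardholder data.
    """
    findings = []
    for n, line in enumerate(lines, start=1):
        for pan in find_unmasked_pans(line):
            findings.append((n, mask_pan(pan)))
    return findings


if __name__ == "__main__":
    for n, masked in audit_log(SAMPLE_LOG):
        print(f"line {n}: unmasked PAN found, masked form {masked}")
    for line in SAMPLE_LOG:
        print(scrub_log_line(line))
```

Two points worth noting. The order id on the first sample line has a PAN-like length but fails the Luhn check, which is why the regex alone is not enough; conversely, a Luhn hit is a candidate for review rather than proof. The third line also records a CVV: masking the PAN helps with display, but sensitive authentication data must not be stored after authorization at all, so a scrubber fixes the symptom and the logging call itself still needs removing.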

Do I need vulnerability scanning to validate compliance?

In order to determine if you qualify for a scan, please log in to the BlueView Merchant Portal here, and select PCI Compliance from the menu on the left. Follow the on-screen directions.

What is a vulnerability scan?

A vulnerability scan is an automated tool that conducts a nonintrusive scan of a merchant or service provider’s system to remotely review networks and Web applications based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider. The scan pinpoints vulnerabilities in operating systems, services and devices that could be used by hackers to target the company’s private network. Approved Scanning Vendors (ASVs), like ControlScan, do not require the merchant or service provider to install any software on their systems, and no denial-of-service attacks will be performed.

How often do I need a vulnerability scan?

Those who meet the above criteria are required to submit a passing scan once per quarter. Scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV), such as ControlScan.

What if I refuse to cooperate?

Here at BluePay, we believe in the importance of PCI compliance to ensure the safety and security of electronic transactions. Merchants that do not comply with PCI DSS will be charged non-compliance fees, and are subject to fines, card replacement costs, costly forensic audits, brand damage, etc., should a breach event occur. PCI Compliance is mandated by the major card brands (Visa, MasterCard, Discover, AMEX and JCB), but is not enforced by any government entity or authority. PCI greatly helps you to reduce your risk of facing these extremely unpleasant and costly consequences.

If I’m running a business from my home, am I a serious target for hackers?

Yes — fraudsters will often target home users due to vulnerable broadband connections and typical home-use programs like chat, Internet games and P2P file-sharing applications. ControlScan’s scanning service allows home users and network administrators alike to identify and fix any security vulnerabilities on their desktop or laptop computers.

What should I do if I’m compromised?

While there are many steps you can take to prevent card data breaches, unfortunately they can still occur to businesses of all types and sizes. If you believe you have been breached, contact BluePay immediately at risk@bluepay.com.

In addition, here are some helpful resources:

Are there state laws requiring affected parties to be notified about a data breach?

Yes. California implemented breach notification law in 2003, and there are now over 38 states that have similar laws in place. See www.privacyrights.org for more detail on state laws.

BluePay Processing, LLC is a registered ISO of Wells Fargo Bank, N.A., Walnut Creek, CA, U.S.A.
BluePay Canada ULC, is a Registered ISO/MSP of Peoples Trust Company, Vancouver, Canada.