ATTENTION: ALL merchants must validate PCI DSS compliance
What is PCI DSS Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment.
The PCI DSS is administered and managed by the PCI Security Standards Council (SSC) (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).
ALL MERCHANTS AND ORGANIZATIONS
Regardless of size or number of transactions, all merchants that accept, transmit or store any cardholder data must comply with the PCI DSS.
Merchants that do not comply with the PCI DSS may be subject to fines, card replacement costs, costly forensic audits, brand damage, etc., should a data breach occur. Failure to complete your PCI registration annually will result in a monthly non-compliance fee billed to your merchant account. Completing your PCI registration and getting certified eliminates this fee.
How much will this cost me?
It is important to understand that Payment Card Industry Data Security Standard (PCI DSS) compliance is something all merchants who accept credit cards are responsible for, regardless of who your processor may be. Unfortunately there are costs associated with becoming PCI DSS compliant. Nationwide is pleased to be able to offer our PCI program through ControlScan at a very competitive price. All merchants will be billed an annual PCI Support Fee of $99. This fee covers the overall cost for ControlScan to support our merchants in both becoming and maintaining their annual PCI DSS compliance, as well as any required network scanning if applicable.
Why is it that all service providers are not requiring that merchants participate in a PCI DSS Support Program at this time?
While validation is not yet required, PCI DSS compliance is mandatory. Many processors have already implemented or are in the process of implementing these types of programs. It is expected that validation will be required industry wide in the near future. Merchants should also consider why they would want to process with a company that does not take their data security seriously. PCI DSS programs are designed to help protect cardholders' information and to help merchants avoid fines and potentially negative exposure. With the recent compromises in data security, it is essential that merchants understand the value that these programs provide.
Will a PCI DSS Support Fee apply to each location?
If, upon completion of the SAQ with ControlScan, it is determined that each of your locations handles cardholder data the same way with regard to PCI DSS compliance, and that no location uses an IP terminal/software configuration, it is possible that a single fee may apply. Based upon the information provided in the merchant's SAQ, individual locations may be responsible for their own PCI DSS Support Fee.
Why haven't I heard from the card brands regarding PCI DSS Compliance?
The individual card brands are requiring that the merchant banks/processors implement their own PCI DSS compliance programs to educate merchants on compliance and ensure that they meet PCI DSS compliance requirements. They have required that all merchant banks/processors have a plan in place to ensure that all of their merchants obtain and maintain compliance with the standard. Most of the breaches you hear of in the news are large retailers, but many people do not realize that over 80% of compromises occur at small merchant locations.
How do I get into compliance?
The first step is to click on the link "Get into Compliance" and answer a Self-Assessment Questionnaire (SAQ); this will tell us how you process credit cards. Your answers will determine what additional steps, if any, are necessary.
As part of the SAQ process, all merchants must confirm that a written security policy is in place (the NPS/ControlScan merchant portal will provide you with the required security policy for your business).
Merchants who come into contact with credit card data at any point in their daily routine are also required to have a Security Awareness Training program in place that informs their employees of the importance of data security (merchants can access a Security Awareness Training program in the NPS/ControlScan merchant portal).
If you electronically store cardholder information, or if your processing systems have any internet connectivity, you may be required to complete a passing vulnerability scan for each IP address you own. ControlScan is a PCI SSC Approved Scanning Vendor (ASV) and will provide such scans as part of the program. Note that scanning does not apply to all merchants.
Finally, each merchant must submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer. NPS/ControlScan will submit this information on your behalf as part of the program.
Can I switch to a new processor who doesn't require compliance?
All acquirers are responsible for ensuring that all of their merchants comply with the PCI DSS requirements; therefore, all processors are required by the card brands to implement a PCI DSS compliance program. Connecting to a competing processor will NOT avoid the need to get into PCI DSS compliance, nor the fees involved. We have partnered with ControlScan because they provide the best value for our merchants while providing full support to help you get into compliance.
How long does it take to achieve compliance?
The time it takes to achieve compliance depends on how you process credit card data. If a vulnerability scan is not required, compliance can be completed in a short amount of time. This of course depends on your availability to work with ControlScan in completing the SAQ. To make the process go faster, NPS will provide toll-free support to assist you.
My shopping cart/payment gateway/processing is outsourced, so why is this my responsibility? If I am breached, wouldn't it be their fault?
Merely using a third-party software company does not exclude you from PCI DSS compliance. It may cut down on your risk exposure and consequently reduce the effort needed to validate compliance. However, it does not mean you can ignore the PCI DSS. All merchants are required to complete the SAQ annually.
Getting into compliance also addresses the internal security practices and procedures behind handling credit card data. One of the leading causes of data breaches is employee error or carelessness when handling sensitive information. This is why proper policies should be in place and formal Security Awareness Training should be conducted. Your business must protect cardholder data from the moment you receive it. You must also ensure that your software provider's application and card payment terminals comply with the respective PCI DSS standards and do not store sensitive cardholder data. You should request a certificate of compliance annually from such providers to ensure they are compliant. NPS can assist you with this.
My payment application is already compliant, what else do I need to do?
Utilizing a compliant software payment application is a best practice towards achieving compliance, but PCI DSS compliance also covers data security, physical security and network security; therefore, you are still required to complete an annual PCI DSS Compliance Review via the NPS/ControlScan merchant portal.
What is a network security scan?
A network security scan uses an automated tool that checks a merchant's or service provider's systems for vulnerabilities. The tool conducts a non-intrusive scan to remotely review networks and web applications based on the external-facing Internet Protocol (IP) addresses provided by the merchant or service provider.
The scan will identify vulnerabilities in operating systems, services, and devices that could be used by hackers to target the company's private network. As provided by an Approved Scanning Vendor (ASV) such as ControlScan, the tool does not require the merchant or service provider to install any software on their systems, and no denial-of-service attacks will be performed.
Do I need vulnerability scanning to validate compliance?
If you electronically store cardholder data post-authorization, or if your processing systems have any internet connectivity, a quarterly scan by a PCI SSC Approved Scanning Vendor (ASV) is required.
How often must scans be performed?
Every 90 days (once per quarter). Scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV). ControlScan is a PCI Approved Scanning Vendor and will provide such reporting as needed on your behalf as part of the program.
I am a merchant that requires vulnerability scanning. I am not technical; therefore, I cannot make changes to my system. What should I do?
Once you have completed your PCI DSS registration, you may call ControlScan's toll-free support number; they will provide guidance to help you understand the vulnerabilities found on your scan report, if any. ControlScan will make recommendations on how to correct the issue(s) and arrange additional scans if needed.
If I'm running a business from my home, am I a serious target for hackers?
Yes, home users are arguably the most vulnerable simply because they are usually not well protected. Adopting a 'path of least resistance' model, intruders will often zero in on home users, often exploiting their 'always on' broadband connections and typical home-use programs such as chat, Internet games and P2P file sharing applications. ControlScan's scanning service allows home users and network administrators alike to identify and fix any security vulnerabilities on their desktop or laptop computers.
If you have misplaced your login credentials or need assistance, please contact ControlScan Support (Nationwide Payment Solutions PCI Program Provider) at 888-581-4882 and have your merchant ID available. (They are available Monday - Thursday from 8:30 AM to 8:00 PM and Friday from 8:30 AM to 6:00 PM EST.)
Nationwide Payment Solutions LLC. Nationwide is a registered ISO/MSP of HSBC Bank USA, National Association, Buffalo, NY.