Table of Contents
What are SAQ forms in the Questionnaire?
What Happens if Company is Found to be Non-Compliant?
Fullsteam’s Engagement with SecurityMetrics
Summary of SecurityMetrics Breach Protection and PCI Compliance Benefits
What Happens When a Merchant Does Not Complete the Program
What if the Merchant Has Questions?
What if Fullsteam needs to contact or escalate directly to someone at SecurityMetrics?
What is PCI compliance?
Payment card industry (PCI) compliance is a core component of any credit card company's security protocol. It is mandated by the credit card companies and enforced through law and through the credit card networks' (VISA, MasterCard, Discover, American Express) agreements.
PCI compliance standards require merchants and other businesses to handle credit card information in a secure manner that reduces the likelihood of cardholders having sensitive financial account information stolen. If merchants do not handle credit card information according to the PCI standards, the card data could be stolen and used for a multitude of fraudulent actions. Additionally, sensitive information about the cardholder could be used in identity fraud. Without PCI compliance, companies are highly vulnerable to theft, fraud, and data breaches.
These compliance standards are developed and managed by the PCI Security Standards Council. A company’s compliance is gauged by how consistently it adheres to the set of guidelines set forth by this council. There are 12 key compliance requirements:
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters; for example, set appropriate password protection (such as 2FA)
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Utilize antivirus and anti-malware software
Implement Strong Access Control Measures
7. Unique IDs assigned to those with access to data
8. Restrict physical access to data storage
9. Create and monitor access logs
Regularly Monitor and Test Networks
10. Update software and maintain security systems on a regular basis
11. Test security systems on a regular basis
Maintain an Information Security Policy
12. Create a policy that is documented and that can be followed
What is “PCI scope”?
PCI scope is the part of the merchant’s environment that must meet the 12 requirements of the PCI Data Security Standard (DSS) listed above. The scope is the combination of people, processes, and technologies that interact with, or could otherwise affect the security of, cardholder data (CHD).
Each merchant’s scope also depends on the type of organization or industry it is part of. Each entity (MID) must be assessed individually for its role in PCI compliance.
How the merchant defines its PCI scope determines how the merchant will be audited, and the questionnaire populates the applicable forms accordingly. Service providers, for example, are audited against the entire Data Security Standard. Merchants have several Self-Assessment Questionnaire forms (SAQs A – D), which categorize the various infrastructure configurations to cover the potential methods merchants use to accept cardholder data. The idea is for merchants to complete any combination of the reduced SAQs (A – C) or to complete a single SAQ D.
What are SAQ forms in the Questionnaire?
A PCI Self-Assessment Questionnaire (PCI SAQ) is a merchant's statement of PCI compliance. It is a way to show that you are taking the security measures needed to keep cardholder data secure at your business. Each SAQ includes a list of security requirements that the business must review and follow. PCI SAQs vary in length.
PCI SAQ A - is for e-commerce/mail/telephone-order (card-not-present) merchants that have fully outsourced all cardholder data functions.
These merchants have no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises.
PCI SAQ B - for companies that physically perform card-present transactions, or that carry out card-not-present transactions such as mail/phone orders, without storing card data on any terminal device. Click the link for more information: https://www.pcidssguide.com/pci-saq-b/.
PCI SAQ C – for companies that process cardholder data using point of sale (POS) systems or other internet-connected payment application systems and do not store cardholder data on any computer system. This is a long form consisting of 160 questions. Click the link for more information: https://www.pcidssguide.com/pci-saq-c/.
PCI SAQ C-VT - applies to businesses that process payments through virtual payment terminals.
PCI SAQ D – applies to all types of merchants and service providers that store cardholder data digitally. This is the same form for both merchants and service providers and has the broadest scope, consisting of 329 questions.
For more information on the SAQs and their descriptions: https://listings.pcisecuritystandards.org/documents/Understanding_SAQs_PCI_DSS_v3.pdf
What Happens if Company is Found to be Non-Compliant?
- Fines are issued by each card brand network (Visa, MasterCard, Discover, American Express), as applicable
- Acquiring banks can withdraw the ability to accept card payments from non-compliant merchants
- A PCI DSS breach is also a General Data Protection Regulation (GDPR) breach
- Enforcement action
Fullsteam’s Engagement with SecurityMetrics
Fullsteam is launching an important initiative to ensure compliance with PCI requirements, due to our contractual obligations with our processor. All merchants using Fullsteam’s payment processing solution are required to complete PCI compliance validation and comply with PCI standards.
To facilitate this process, Fullsteam has partnered with SecurityMetrics to provide the necessary tools and support for achieving PCI compliance, including an easy way to complete the PCI Self-Assessment Questionnaire (SAQ) and obtain an Attestation of Compliance (AOC). The cost of the PCI software tools will be charged to our merchants as part of the subscription fee.
The monthly PCI and breach protection fee varies by software brand and started August 1, 2023, for most merchants. Merchants that fail to certify their PCI compliance by October 1, 2023, will be subject to a $29.95 monthly PCI non-compliance fee, which will continue until the merchant achieves PCI certification. SecurityMetrics also provides the additional services mentioned below.
SecurityMetrics has a PCI Management Portal that FullsteamPay users will be able to access through the SecurityMetrics portal. This portal provides merchants with a simple, step-by-step approach to attaining PCI compliance. Users are guided through the completion of their SAQ and, once finished, can generate their certificate of compliance. In addition, SecurityMetrics offers breach insurance, giving your merchants additional peace of mind. For additional information on how it works, see: PCI DSS Compliance Program with SecurityMetrics PDF.
Summary of SecurityMetrics Breach Protection and PCI Compliance Benefits:
- Access to PCI Experts: US-based PCI experts, available 24x7x365, who help simplify compliance tasks and guide you through the PCI questionnaire.
- Quarterly Vulnerability Scans: Provides vulnerability scanning of your digital infrastructure.
- Breach Protection: Up to $100,000 of breach protection from North American Data Security, once certification is complete.
What Happens When a Merchant Does Not Complete the Program
If a merchant does not complete the SecurityMetrics Compliance Program, a monthly PCI Non-Compliance Fee will be applied to the merchant’s monthly credit card processing statement until the compliance program is completed. The PCI Non-Compliance Fee is collected to demonstrate our obligation to hold merchants accountable for protecting cardholders’ personal data.
Merchants that fail to certify their PCI compliance by the designated time will be subject to a $29.95 monthly PCI non-compliance fee, which will continue until the merchant achieves PCI certification.
What if the Merchant Has Questions?
Agents should use the available macros listed in the article for assistance.
The SecurityMetrics team is the best resource for answering questions and concerns regarding the PCI compliance fee and for help completing the SecurityMetrics Compliance Program. Their US-based team is available 24x7x365 via the phone number and email address listed below:
SecurityMetrics Compliance Email: support@securitymetrics.com
SecurityMetrics Compliance Phone Number: (801) 995-6400
Merchants can also check their inbox for the SecurityMetrics welcome email and follow the instructions in it to set up their account.
What if Fullsteam needs to contact or escalate directly to someone at SecurityMetrics?
Rob Horn robh@securitymetrics.com
Glossary
The PCI DSS self-assessment questionnaires (SAQs) - validation tools intended to assist merchants and service providers in reporting the results of their PCI DSS self-assessment. There are a total of 9 SAQs available on the PCI Council website, each with different eligibility criteria.
The Attestation of Compliance (AOC) form - the final report of the audit performed by a Qualified Security Assessor to confirm that the business is compliant with PCI DSS. Merchants and service providers may present this form as proof of their PCI DSS compliance.
Payment card industry compliance - the technical and operational standards that businesses follow to secure and protect credit card data provided by cardholders and transmitted through card processing transactions.
PCI DSS - the Payment Card Industry Data Security Standard, the set of standards companies must follow and achieve to be PCI compliant. These standards apply to merchant processing and have also been expanded to outline requirements for encrypted Internet transactions.
National Automated Clearing House (NACHA) - a non-profit organization that represents more than 9,000 financial institutions and is a key entity associated with standard-setting in the credit card industry.
The Card Association Network - another key entity associated with standard-setting in the credit card industry.
PCI Security Standards Council - the group that develops and manages the Payment Card Industry Data Security Standard (PCI DSS).
General Data Protection Regulation (GDPR) - a law that sets guidelines for the collection and processing of personal information from individuals.
Two-Factor Authentication (2FA) - an extra layer of protection used to secure online accounts beyond just a username and password.