FAQs

PCI Compliance Frequently Asked Questions


Q: What is PCI DSS (Payment Card Industry Data Security Standard)?

A: PCI DSS (Payment Card Industry Data Security Standard) is the security standard that governs how payment card data (card numbers, magnetic stripe and chip data, and related cardholder information) may be accepted, stored, processed and transmitted. It is maintained by the PCI Security Standards Council, formed in September 2006 by Visa Inc., MasterCard Worldwide, Discover Financial Services, American Express and JCB International, and it applies to card-accepting organizations worldwide, not only in the United States. "PCI Compliant" is the term the card industry uses for meeting the standard. More information can be found at the PCI Security Standards Council.

Q: How does PCI Compliance affect me and what are my responsibilities as a merchant?

A: The standard applies to every party that handles cardholder data, including merchants, Property Management Systems (PMS), Point of Sale (POS) providers, middleware (gateway) companies and credit card processors. As a merchant, you are responsible both for your own compliance and for confirming that every payment application and third party you use to handle card data is itself compliant; outsourcing a function does not transfer the responsibility. Failure to become PCI Compliant can result in significant penalties.

Q: How do I become PCI Compliant?

A: As a merchant, you must complete the Self-Assessment Questionnaire (SAQ) for each Merchant ID. There are several SAQ types, and the one you fill in depends on how you accept cards (for example, whether card entry is fully outsourced to a third party, whether you use standalone terminals, or whether you store cardholder data on your own systems). Every applicable question must be answered "Yes"; questions that do not apply to your environment may be marked "Not Applicable" with a brief justification. Any question you must answer "No" identifies a gap that has to be corrected before you can attest to compliance. The SAQ must be completed annually, since both your environment and the threats against it change over time.

Q: Am I required to perform periodic vulnerability scanning?

A: Vulnerability scanning (an automated scan of your internet-facing systems for known vulnerabilities) is required for merchants whose card processing touches the internet, for example virtual terminals, Point of Sale credit card interfaces, or IP-connected or wireless terminals. The SAQ asks which payment application(s) you use; if an internet-connected payment application is in use, you will be notified that external scans are required every quarter. Only third-party Approved Scanning Vendors (ASVs) certified by the Security Standards Council may perform these scans. A scan counts as passing only when the ASV finds no vulnerability rated 4.0 or higher on the CVSS scale; any failing finding must be fixed and the systems rescanned until a clean result is obtained. After a passing scan, the ASV provides a scan report and attestation that you keep as your record of compliance for that quarter.

Q: What is my responsibility as a merchant for the payment applications or terminals that I use?

A: As a merchant, you are responsible for ensuring that the payment applications and terminals you use are PCI Compliant. Under card brand mandates in effect since July 2010, payment applications must be validated against the Security Standards Council's Payment Application Data Security Standard (PA-DSS), and a validated application must also be installed and configured according to its PA-DSS Implementation Guide; using a validated product in an unvalidated configuration does not satisfy the requirement. Failure to comply can result in the loss of your ability to process credit cards and/or other severe penalties.

Q: What are the penalties for a merchant that is not PCI Compliant?

A: Visa PCI Non-compliance fines begin at $5,000 per month and can be significantly higher, depending on severity. MasterCard fines are usually assessed as a lump sum. A data compromise can result in further fines from Visa and MasterCard to recover the losses suffered by the card issuers whose customers' cards were stolen, since stolen card numbers are used for fraudulent transactions after the breach. American Express has posted fines beginning at $50,000 for PCI Non-compliance.

Q: Should I experience a security breach, and card data is compromised, what is my exposure as a merchant?

A: More financially significant than PCI Non-compliance fines, a data compromise can trigger Visa's recovery programs: Account Data Compromise Recovery (ADCR), which covers domestically issued cards, and the Data Compromise Recovery Solution (DCRS), which covers internationally issued cards. Card issuers often suffer severe losses when stolen card numbers are used for fraudulent transactions, and the merchant where the breach occurred is held responsible. ADCR/DCRS assessments represent a partial recovery of those issuer losses and can run into the hundreds of thousands of dollars. A breach also damages a merchant's reputation and brand, and may lead to a permanent inability to accept credit cards.

Q: How about MasterCard fines?

A: MasterCard levies fines for wrongful storage of magnetic stripe data and for wrongful disclosure of account data. These are typically one-time fines rather than the monthly non-compliance fines Visa levies. MasterCard has no program equivalent to Visa's ADCR or DCRS; instead, MasterCard issuers use the chargeback system to recoup losses from fraudulent transactions and the cost of reissuing cards. Some issuers pursue these chargebacks aggressively, while others are less active.

For further information, please contact our FrontStream Payments PCI Compliance personnel at 800.687.8505 or email our PCI Compliance team.
