Fiserv holds cardholder security as a first priority. As a PCI-compliant payment processor, we continually invest in tools and technology to protect data and assist you in becoming compliant to minimize fraud and avoid penalties.
First Data’s PCI compliance solutions help Canadian merchants quickly and easily validate PCI compliance and complete annual assessments to ensure they are meeting requirements; the solutions also identify security gaps and recommend ways to close them.
*A quarterly scan is required if you have any public IP address that connects to or can indirectly connect to the cardholder data environment.
PCI stands for Payment Card Industry, but usually means one of the following:
The Payment Card Industry Security Standards Council. This is an industry body made up of organizations like Visa, Mastercard, American Express and Discover. The Council is how these companies cooperate to agree upon a single, common security standard that merchants are required to meet.
The actual security standard put together by the Council described in the first definition above. The full name for this standard is the Payment Card Industry Data Security Standard (PCI DSS). Merchants must meet this set of security requirements if their business accepts, transmits or processes customer payment cards, such as credit cards or debit cards.
PCI DSS stands for Payment Card Industry Data Security Standard. This is a technical and broad-ranging set of security requirements created by the Payment Card Industry, laying out what merchants need to do to protect customer information. The PCI Council requires that merchants meet this set of security requirements if their business accepts, transmits or processes customer payment cards, such as credit cards or debit cards. Merchants that do not comply with these requirements can be penalized in a number of ways, up to and including having their card-processing privileges revoked, leaving them unable to accept customer payment cards.
PCI DSS applies to ALL organizations or merchants, regardless of size, that accept, transmit, or store any payment card information. In other words, if any customer of that organization ever pays using a credit card or debit card, then the PCI DSS requirements apply.
To satisfy the requirements of PCI, a merchant must do two things: be compliant with the PCI DSS, and validate that compliance (both terms are defined below).
It is important to note that being in compliance does NOT automatically mean that the merchant has met their validation requirement.
The Self-Assessment Questionnaire (SAQ) is a form that merchants may be required to complete every year and submit to their Acquiring Bank. It was created by the PCI Council. Completing a Self-Assessment Questionnaire helps merchants do two things:
As of February 2008, there is no longer a single one-size-fits-all Self-Assessment Questionnaire. Merchants now need to identify which one of five Validation Type categories they fit into, and then complete the appropriate Self-Assessment Questionnaire for their category. For some merchants, the appropriate Self-Assessment Questionnaire is short and simple, while for others it is long and extremely technical. Note that for all versions of the Self-Assessment Questionnaire, merchants will only be considered compliant if they pass (or can answer “Not Applicable” to) ALL of the questions in the Questionnaire.
Being “Compliant” means that the merchant meets all of the requirements laid out in the Payment Card Industry Data Security Standard. The requirements for compliance are the same for ALL merchants, large or small. However, smaller merchants typically avoid many of the compliance problems that larger organizations face, because their systems and networks are usually simpler.
Validation means that a Merchant can demonstrate, via standard documents and/or tests, that they are meeting the PCI DSS requirements. Different Merchant types face different validation requirements, depending on which of four levels they are assigned to.
No, PCI is not, in itself, a law. The standard was put together by business organizations including Visa, Mastercard and the other major card companies. Merchants that do not comply with PCI DSS are not necessarily breaking any law, but they are probably violating their Terms of Service or contract with their acquiring bank and the card associations. This means that the merchant might be penalized or sued, or these companies might refuse to work with the merchant, which would leave the merchant unable to process credit or debit cards.
Not all businesses will require scans. Where one is needed, a vulnerability scan is an automated, non-intrusive process that assesses the Merchant’s network and web applications from the Internet (on the external-facing IPs). The scan identifies vulnerabilities or gaps that could allow an unauthorized or malicious user to gain access to the network and potentially compromise cardholder data.
If your business fails to become PCI compliant, you could be putting your business at greater risk from the growing threat of payment card data breaches and theft, which may result in substantial penalties (such as fines from banks, regulatory agencies, and card associations), fraud and chargebacks, as well as legal costs and lost customers. If you fail to become PCI DSS compliant, or fail to report your PCI DSS-compliant status with a third-party vendor to First Data, you may also be charged a monthly non-receipt of PCI validation fee by your Merchant Services provider until such time as you become PCI DSS-compliant or report your PCI DSS-compliant status to First Data.
If your business experiences a data security breach, you could even lose your ability to process credit card payments. Perhaps more importantly, you risk the loss of customers. Research shows that 43% of customers who have been victims of fraud stop doing business with the merchant where the fraud occurred.
Achieving PCI DSS compliance does not prevent a data security breach or compromise, or change the allocation of risk under your merchant agreement.
Complete a request for a call back and we'll be in touch as soon as possible. Our Sales Team is available to answer your questions at a time that works best for you.