You lock your Bike. You lock your Car. You lock your Front Door. Well, now, you have to lock your Computers! The credit card companies want to help you to do everything you can to repel the onslaught of TCP/IP enabled burglars that are out there, stalking the internet for easy targets. Visa and MasterCard want you (and need you,) but they are not tolerant of negligence. Make your customers' credit cards and personal data safe, or you may get robbed... and if you do, it's YOUR FAULT.

Data theft is the "bad part" of the Internet. We all have seen the dangerous potential of the WEB: it is more than just a toy and a tool, it is a loaded gun. With PCI, the credit card industry is trying to keep us all (merchants, consumers and banks) from getting shot in the foot (or worse.) The PCI standards are guidelines that you need to conform to in order to assure the credit card companies that you are being careful.

Below, read some basic facts about PCI, and then clear up some misconceptions about it. And, by the way, who is responsible for your PCI compliance?

You. ( not Microsoft, not Norton, not the cable-guy.)

PCI F.A.Q.'S

What is PCI?

To whom does PCI apply?

Where can I find the PCI Data Security Standards (PCI DSS)?

What are the PCI compliance deadlines?

What are the PCI compliance 'levels' and how are they determined?

What does a small-to-medium sized business (Level 4 merchant) have to do in order to satisfy the PCI requirements?

What are the penalties for noncompliance?

What constitutes a payment application?

What is PA-DSS and PABP?

Do I need vulnerability scanning to validate compliance?

What is a network security scan?

What if a merchant refuses to cooperate?

If I'm running a business from my home, am I a serious target for hackers?

What should I do if I'm compromised?

PCI MYTHS

Myth:	I'm a small merchant who only takes a handful of cards, so I don't need PCI.
Myth:	PCI only applies to e-commerce companies.
Myth:	You only have to be PCI compliant with the majority of criteria.
Myth:	I only need to protect my credit card data, not ATM debit card related data.
Myth:	I can wait until my business grows.
Myth:	I can just answer 'yes' to all the criteria on the Self-Assessment Questionnaire (SAQ).
Myth:	I can wait until my bank asks me to be PCI compliant.
Myth:	As a merchant, I did not sign anything saying I would be compliant; therefore, I don't need to be.
Myth:	As a merchant, I'm entitled to store any data.
Myth:	A PCI-Validated POS product will make us compliant.

Myth:	PCI compliance is an IT project.
Myth:	PCI will make us secure.
Myth:	PCI is unreasonable; it requires too much.


Myth:	PCI is too hard.

Q: What is PCI?
A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB.).
It is important to note, the payment brands (Visa, Mastercard, etc.) and acquirers (your bank) are responsible for enforcing compliance.

**************************************

Q: To whom does PCI apply?
A: PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.

**************************************

Q: Where can I find the PCI Data Security Standards (PCI DSS)?
A: The Standard can be found on the PCI SSC's Website:
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

**************************************

Q: What are the PCI compliance deadlines?
A: All merchant that stores, processes or transmits cardholder data must be compliant NOW. However, as a Level 4 merchant, you will have to refer to your merchant bank for their specific validation requirements and deadlines. All deadline enforcement will come from your merchant bank.

**************************************

Q: What are the PCI compliance 'levels' and how are they determined?
A: All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As ('DBA'). In cases where a merchant corporation has more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA's individual transaction volume to determine the validation level.
Merchant levels as defined by Visa:

Merchant Level	Description
1	Any merchant -- regardless of acceptance channel -- processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
2	Any merchant -- regardless of acceptance channel -- processing 1M to 6M Visa transactions per year.
3	Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
4	Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants -- regardless of acceptance channel -- processing up to 1M Visa transactions per year.

* Any merchant that has suffered a compromise may be escalated to a higher validation level.

**************************************

Q:	What does a small-to-medium sized business (Level 4 merchant) have to do in order to satisfy the PCI requirements?

A: To satisfy the requirements of PCI, a merchant must complete the following steps:

Identify your Validation Type as defined by PCI DSS – see below . This is used to determine which Self Assessment Questionnaire is appropriate for your business.

Complete the Self-Assessment Questionnaire according to the instructions in the Self- Assessment Questionnaire Instructions and Guidelines.

Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV). Note scanning does not apply to all merchants. It is required for Validation Type 4 and 5 – those merchants with external facing IP addresses. Basically if you electronically store cardholder information or if your processing systems have any internet connectivity, a quarterly scan by an approved scanning vendor is required.

Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool).

Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer.

I'm a small merchant with very few card transactions; do I need to be compliant with PCI DSS?

All merchants, small or large, need to be PCI compliant. The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment cardholder data.

**************************************

Q: What are the penalties for noncompliance?
A: The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream till it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can catastrophic to a small business.

It is important to be familiar with your merchant account agreement, which should outline your exposure.

**************************************

Q: What constitutes a payment application?
A: The term payment application has a very broad meaning in PCI. A payment application is anything that stores, processes, or transmits card data electronically. This means that anything from a Point of Sale System to a Stand-Beside terminal are all classified as payment applications. Therefore any piece of software that has been designed to touch credit card data is considered a payment application.

**************************************

Q: What is PA-DSS and PABP?
A: PA-DSS refers to Payment Application Data Security Standard maintained by the PCI Security Standards Council. PABP is Visa's Payment Application Best Practices, which is now referred to as PA-DSS. Visa started the program and it is being transitioned to the PCI Security Standards Council (PCI SSC).

To address the critical issue of payment application security, in 2005 Visa created the Payment Application Best Practices (PABP) requirements to ensure vendors provide products which support merchants' efforts to maintain PCI DSS compliance and eliminate the storage of sensitive cardholder data. See www.visa.com/pabp for more information.

The Payment Card Industry Security Standards Council (PCI SSC) will maintain the PA-DSS and administer a program to validate payment applications' compliance against this standard. The PCI SSC now publishes and maintains a list of PA-DSS validated applications. See https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml for more information.

VISA MANDATE PHASE DEADLINE

New PCI Level 4 merchants (including new locations of existing relationships) may not use vulnerable payment application versions – those that store prohibited cardholder data. January 1, 2008
New PCI Level 4 merchants using third-party payment software must be either PCI DSS-compliant or use PA-DSS validated compliant payment applications. October 1, 2008
ALL PCI Level 4 merchants (new and existing) using third-party software must use validated applications. July 1, 2010

**************************************

Q: Do I need vulnerability scanning to validate compliance?
A: If your processing systems have any internet connectivity, a quarterly scan by a PCI SSC Approved Scanning Vendor (ASV) is required.

**************************************

Q: What is a network security scan?
A: A network security scan involves an automated tool that checks a merchant or service provider's systems for vulnerabilities. The tool will conduct a non-intrusive scan to remotely review networks and Web applications based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider. The scan will identify vulnerabilities in operating systems, services, and devices that could be used by hackers to target the company's private network. The tool will not require the merchant or service provider to install any software on their systems, and no denial-of-service attacks will be performed.

**************************************

Q: What if a merchant refuses to cooperate?
A: PCI is not, in itself, a law. The standard was created by the major card brands such as Visa, MasterCard, Discover, AMEX, and JCB. At their acquirers/service providers discretion, merchants that do not comply with PCI DSS may be subject to fines, card replacement costs, costly forensic audits, brand damage, etc., should a breach event occur.

For a little upfront effort and cost to comply with PCI, you greatly help reduce your risk from facing these extremely unpleasant and costly consequences.

**************************************

Q: If I'm running a business from my home, am I a serious target for hackers?
A: Yes, home users are arguably the most vulnerable simply because they are usually not well protected. Adopting a 'path of least resistance' model, intruders will often zero-in on home users - often exploiting their 'always on' broadband connections and typical home use programs such as chat, Internet games and P2P files sharing applications.

**************************************

Q: What should I do if I'm compromised?
A: We recommend following the procedures outlined in Visa's" What to Do If Compromised
Visa Fraud Control and Investigations Procedures" document. Link below.

http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf

**************************************

Myth: I'm a small merchant who only takes a handful of cards, so I don't need PCI.
Fact: This is a common misunderstanding with the standard, that small merchants handling only one or a few credit cards a year are exempt from compliance. If you are a merchant and are set up to take credit cards by any mechanism - then you need to be compliant.

**************************************

Myth: PCI only applies to e-commerce companies.
Fact: No, PCI applies to every company that stores, processes or transmits cardholder information. In fact anyone who takes card present transactions that involve POS devices are typically more at risk than e-commerce solutions. Quite often these types of transactions involve storage of track data (which is forbidden under PCI). Compromise of this type of data may bring heavy fines and requests for compensation from the banks involved.

**************************************

Myth: You only have to be PCI compliant with the majority of criteria.
Fact: The pass mark for PCI is 100%, so if you fail even one of the criteria, you are not PCI compliant. The standard is not meant to be something to strive for; it is essentially a floor, a basis for further security measures. Failing to achieve even one of the requirements, is failing to meet a basic standard for handling cardholder information. All companies that routinely handle this type of data should be aiming to exceed the standard. It's just good business.

**************************************

Myth: I only need to protect my credit card data, not ATM debit card related data.
Fact: Incorrect - both are required. Many debit cards are dual-purpose 'signature debit', which can be used on debit and credit card networks. As such, they are covered under PCI and must be protected in the same way as credit cards.

**************************************

Myth: I can wait until my business grows.
Fact: Incorrect - the PCI standard applies to all sizes of business and waiting could be costly. Should you be compromised and not be PCI compliant, the fines and the compensation requirements by the banks (it typically costs between $50 and $90 to replace one card) could be substantial.

**************************************

Myth: I can just answer 'yes' to all the criteria on the Self-Assessment Questionnaire (SAQ).
Fact: The Self-Assessment Questionnaire (SAQ) is a mechanism for getting the information about the level of your compliance to your merchant bank. The standard applies at all times. Just saying yes to the questions puts you at great risk. If a compromise took place and it was obvious that you were not and have never been PCI compliant, the matter would be taken very seriously. You would be risking your whole business by answering 'yes' to the questions, when there is no factual basis for the answers.

**************************************

Myth: I can wait until my bank asks me to be PCI compliant.
Fact: The dates for merchants to be PCI compliant are long gone. You are responsible for making sure you are in compliance. Waiting until the bank asks you could be very costly indeed.

**************************************

Myth:

As a merchant, I did not sign anything saying I would be compliant; therefore, I don't need to be.

Fact: The PCI standard forms part of the operating regulations that are the rules under which merchants are allowed to operate merchant accounts. The regulations signed when you open an account at the bank state that the VISA regulations have to be adhered to. Even if you have been in business for decades, PCI still applies if you store, process or transmit credit cards.

**************************************

Myth: As a merchant, I'm entitled to store any data.
Fact: Many merchants believe that they own the customer and have a right to store all the data about that customer in order to help their business. Not only is this incorrect regarding PCI, it may also be a violation of State and Federal legislation regarding privacy. The PCI regulations specifically forbid storing of any of the following:

Unencrypted credit card number
CVV or CVV2
Pin blocks
PIN numbers
Track 1 or 2 data

Any of the above found in databases, log files, audit trails, backup's etc. can result in serious consequences for the merchant, especially if a compromise has taken place.

**************************************

Myth: A PCI-Validated POS product will make us compliant.
Fact: Many vendors offer an array of software and services for PCI compliance. No single vendor or product, however, fully addresses all 12 requirements of PCI DSS. When your purchasing focuses on one product's capabilities and excludes the other requirements of PCI DSS, the resulting perception of a 'silver bullet' might lead some to believe that the product provides 'compliance', when it's really implementing just one piece of the standard. Instead of relying on a single product or vendor, you should implement a holistic security strategy that focuses on the 'big picture' related to the intent of PCI DSS requirements.

**************************************

Myth: PCI compliance is an IT project.
Fact: The IT staff implements technical and operational aspects of PCI-related systems, but compliance to the payment brand's programs is much more than a 'project' with a beginning and end – it's an ongoing process of assessment, remediation and reporting. PCI compliance is a business issue that is best addressed by a multi-disciplinary team. The risks of compromise are financial and reputational, so they affect the whole organization. Be sure your business addresses policies and procedures as they apply to the entire card payment acceptance and processing workflow.

**************************************

Myth: PCI will make us secure.
Fact: Successful completion of a system scan or assessment for PCI is but a snapshot in time. Hacker's are relentless and get stronger every day, which is why PCI compliance efforts must be a continuous process of assessment and remediation to ensure safety of cardholder data.

**************************************

Myth: PCI is unreasonable; it requires too much.
Fact: Most aspects of the PCI DSS are already a common best practice for security. The standard also permits the option using compensating controls to meet some requirements. The standard provides significant detail, which benefits merchants and processors by not leaving them to wonder, 'Where do I go from here?' This scope and flexibility leads some to view PCI DSS as an effective standard for securing all sensitive information.

**************************************

Myth: PCI is too hard.
Fact: Understanding and implementing the 12 requirements of PCI DSS can seem daunting, especially for merchants without security or a large IT department. However, PCI DSS mostly calls for good, basic security. Even if there was no requirement for PCI compliance, the best practices for security contained in the standard are steps that every business would want to take anyways to protect sensitive data and continuity of operations. There are many products and services available to help meet the requirements for security – and PCI compliance.

When people say PCI is too hard, many really mean to say compliance is an expense. The business risks and ultimate costs of non-compliance, however, can vastly exceed implementing PCI DSS – such as fines, legal fees, decreases in stock equity, and especially lost business. Implementing PCI DSS must be part of a sound, basic enterprise security strategy, which requires making this activity part of your ongoing business plan and budget.

**************************************

Call Us Now

California 1-800-540-2149

Las Vegas 1-702-678-6111

Arizona 1-888-895-7609

Anywhere in the U.S 1-619-286-2100

Free Consultation & Quote

WHY Buy From Us?

Premier Reputation

Serving our clients since 1975

Quality Systems

24/7 emergency call line

Superior Field Service, Support and Training

Saves you time, money -- keeps you up and running

Extended Service & Support Contracts

More About Us

FAQs

Free 24-hour help line: San Diego & California: 1-800-540-2149, Las Vegas: 1-702-678-6111 ,
Phoenix & Arizona: 1-888-895-7609, Anywhere in the U.S: 1-619-286-2100,
Call Now For Free Consultation & Quote

• POS Dealers • NCR Workstation • Fujitsu POS Workstation • CA POS Dealer • SHARP Cash Registers Point of Sale • POS systems retail • POS Cash Register • Point of Sale Cash Drawer • SHARP POS Cash Register • POS Printers • POS Cash Registers • POS Cash Drawers Cloud Software • EPSON POS Printers • Purchase LaneHawk • BOB Grocery Checkout Stop Loss Prevention • Buy Metal Grocery Carts • POS Cash Register • Software as a Service - SaaS • Wireless Point of Sale • Installation Microsoft Software • Point of Sale Security • Bar, Pizza, Nightclub POS • Printer thermal paper • POS Scanner • Buy POS Refills • Handheld Barcode Scanner • Phoenix POS Systems • POS Support, Maintenance, Service • Southwest POS CA, NV, AZ Address Authorized Dealer • About POS Supply Company • Southwest POS Team • Retail POS systems • CA POS Dealer FAQ • Las Vegas POS Equipment • San Diego POS Systems • POS Online Store • POS Supplies List of Items Available Online • Point of Purchase • Las Vegas POS Hardware Security measures for POS, PCI, Hospitality and food service POS Software, pizza delivery, bars, nightclubs, quick service, mobile, save time and money