Payment Card Industry Data Security Standard Compliance (PCI Compliance)
It’s Required, and It’s Good for Your Business!
Are you PCI compliant?
Your answer could mean the difference between business success and business disaster.
The number of data security breaches has dramatically increased in the past few years – and every business is at risk. To try to minimize the threat, the payment card industry is taking action.
• About 85 percent of data security breaches occur in Level 4 businesses with fewer than 20,000 card transactions annually
• Some businesses that experience breaches can be fined up to $500,000
The Bottom Line: All merchants that accept, process, transmit or store payment card information must now be PCI compliant. That means following a series of steps designed to minimize risk. And additional breach coverage may be purchased if you wish to more fully protect your business, in the event a breach occurs even after you are PCI compliant. Become compliant and help protect your business and your customers from dangerous data breaches – non-compliance could ruin your finances and your reputation.
Becoming – and Staying – PCI Compliant
Midwest BankCentre’s merchant provider, TransFirst, has partnered with ControlScan, a leading provider of compliance services, to help you bring your business into compliance. Contact the Cash Management team or visit www.compliance101.com to learn more about compliance, fill out a Self-Assessment Questionnaire, complete a vulnerability scan (required for some merchants) and find out whether you’re compliant or need to make some changes.
Frequently Asked Questions
Q. What is PCI DSS compliance?
A. The Payment Card Industry Data Security Standard – or PCI DSS – is a set of security requirements established by the card industry, designed to ensure that a secure working environment exists for all merchants that process, store or transmit credit, debit and pre-paid card information. All merchants that accept payment cards must follow these requirements to be considered compliant.
Q. What is the PCI program?
A. Our program is an easy way for merchants to find out if they are PCI compliant and, if they are not, to make the necessary adjustments to their businesses to reach compliance. TransFirst, Midwest BankCentre’s merchant provider, has partnered with ControlScan, a leading provider of PCI compliance services, to assist Midwest BankCentre merchants with this process.
Q. How do I find out if my business is compliant?
A. Begin the process by visiting www.compliance101.com/PCI. Your merchant ID number is your user name, and your initial password is compliance101 (you will be prompted to create a new password after your first login). You will then be directed to fill out a Self-Assessment Questionnaire with information about your business. At that point, ControlScan will determine what steps you need to take to become compliant. TransFirst will work with ControlScan to keep you informed of any changes to the compliance requirements and to help you make any necessary changes to your business.
Q. What is the Self-Assessment Questionnaire?
A. The Self-Assessment Questionnaire (SAQ) is an intuitive, easy-to-use tool that ControlScan uses to collect information about your business practices and payment processing equipment. This information will then determine the specific steps you need to take to make your business PCI compliant. The SAQ was designed for computer users at any skill level and includes expert help text and real-life examples to guide you. The SAQ must be completed annually, and some merchants may need to complete a quarterly network security scan.
Q. Why is it important for merchants to be PCI compliant?
A. PCI compliance is a key factor in the industry’s attempt to stop data security breaches. Non-compliant merchants that experience security breaches are subject to:
• Mandatory forensic audit (even if breach is only suspected)
• Victim notification, card reissuance and chargeback costs
• Data loss and operations disruption
• Damage to reputation and brand
• Possible business closure
Fines for non-compliant merchants that experience a breach can be as high as $500,000 per occurrence. The future of your business may depend on compliance.
Q. You say all merchants must be PCI compliant. I’m a Level 4 merchant, with fewer than 20,000 card transactions annually. Do I need to be compliant?
A. Yes. All merchants at all levels are now required to be PCI compliant. Level 4 merchants are those that process fewer than 1 million transactions per year or fewer than 20,000 e-commerce transactions per year. At a recent industry summit, experts reported that hackers are now targeting small and mid-size businesses, believing that they are easier targets. In fact, industry reports say that approximately 85 percent of security breaches occur in Level 4 businesses. While every merchant may not need to follow every requirement, all merchants must determine what their requirements are and take steps to ensure their businesses are compliant.
Q. I don’t store magnetic stripe data. Do I still need to be compliant?
A. Yes! While merchants that store magnetic stripe data are particularly exposed, any merchant can experience a data breach. Common causes include missing or outdated security patches, vendor-supplied default settings and passwords, SQL injection attacks by hackers, poor business practices, and simple employee dishonesty or theft. Any or all of these conditions can lead to a security breach, even without stored magnetic stripe data. Following the PCI DSS requirements for compliance greatly reduces the risk to your business.
Q. What is a network security scan, and do I need one?
A. The quarterly network security scan is part of the PCI compliance requirements for merchants that electronically store cardholder data after authorization, or for those who have any processing systems with Internet connectivity. If this applies to your business – this will be determined when you take the Self-Assessment Questionnaire at www.compliance101.com/PCI – you’ll need to have a passing scan through ControlScan once per quarter (approximately every 90 days). This scan will include your web, mail, application and domain name servers, as well as any virtual hosts or filtering devices. The scan will look for any security vulnerabilities in these areas, and ControlScan will provide you with guidance on how to make the necessary changes. You don’t need any additional software for the scan, but you will need to configure your intrusion prevention system (IPS) so that it does not block the scan.
Q. What is the cost for the program?
A. Merchants who are not compliant will be charged a fee of $28.80 per quarter. When a merchant completes the process of becoming compliant, the fee will drop to $18.80 per quarter. Please understand that all merchants will be charged this quarterly fee to cover the management of their compliance. The fee reduction will only occur upon completion of the compliance process; it is not retroactive to the beginning of the process.
Q. That seems like a lot of money to pay. Will other processors charge that fee?
A. Most already do charge, and many charge considerably more. Because PCI compliance is now mandatory for all merchants, all institutions will be responsible for their merchants’ compliance. Our program offers benefits that will help businesses become compliant and stay compliant.
Q. I’m concerned that I may still experience a security breach, and I can’t afford thousands of dollars in industry fines and expenses. Is there anything else I can do?
A. Yes. We offer a Data Breach Security Program, an innovative product designed specifically to help merchants meet the potentially devastating expenses that result from a suspected or actual breach of customers’ payment data. The program offers up to $100,000 per location of coverage against expenses if a security breach occurs. Contact our Midwest BankCentre Cash Management Team for more details.