PCI compliance is required for every business accepting credit cards, regardless of your payment processing method. We utilize ControlScan, an Approved Scanning Vendor (ASV) by the PCI Council, to assist you in understanding the requirements needed to validate and maintain PCI compliance.
PCI Compliance FAQs
What is PCI?
Any company with a Merchant ID (MID) that processes, stores or transmits credit card information must adhere to and comply with the PCI Data Security Standard (PCI DSS), created and updated annually by the PCI Security Council. Introduced on September 7, 2006, the Payment Card Industry Security Standards Council (PCI SSC) provides an actionable framework for developing a robust payment card data security process — including prevention, detection, and appropriate reaction to security incidents. The PCI DSS is administered and managed by the PCI SSC, which is independent of the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). Card brands and acquirers are responsible for enforcing compliance, not the PCI Council.
To whom does PCI apply?
PCI applies to any business that accepts, transmits or stores any cardholder data.
Where can I find the PCI Data Security Standards (PCI DSS)?
The PCI DSS can be found at: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
What are the PCI compliance levels and how are they determined?
There are four levels of PCI compliance as determined by Visa and MasterCard. These levels are based on the transaction volume (including credit, debit, and prepaid) over a 12-month period. Merchants that have been affected by a security breach which resulted in compromised card data may be escalated to the next level.
Merchant Level: Description
- Level 1: Any merchant processing over $6M Visa and/or MasterCard transactions per year.
- Level 2: Any merchant processing $1M to $6M Visa and/or MasterCard transactions per year.
- Level 3: Any merchant processing $20,000 to $1M Visa and/or e-commerce transactions per year.
- Level 4: Any merchant processing less than $20,000 Visa and/or MasterCard e-commerce transactions per year, and all other merchants processing up to $1M Visa and/or MasterCard transactions per year.
What does a small-to-medium sized business (Level 4 merchant) have to do in order to satisfy the PCI DSS requirements?
The SMB merchant must complete the following steps to become PCI compliant:
- Determine which Self-Assessment Questionnaire (SAQ) your business should use to validate compliance.
- Complete the SAQ per the instructions.
- Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV). We utilize ControlScan. Note: Scanning does not apply to all merchants. It is required for SAQ A-EP, SAQ B-IP, SAQ C, SAQ D-Merchant and SAQ D-Service Provider.
- Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool).
- Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to Taylor Bank.
If I only accept credit cards over the phone, does PCI still apply to me?
Yes. All businesses that process, transmit or store credit card data must be PCI compliant.
My business has multiple locations; is each location required to validate PCI compliance?
Best practice is to certify each merchant ID (MID) number individually. Some businesses choose to certify multiple MID numbers under one entity. However, if multiple locations are certified under one entity and a compromise occurs, all of those MID numbers are subject to forensic investigation, rather than only the identified MID.
What are the penalties for noncompliance?
An acquiring bank may be fined by the card brands anywhere from $5,000 to $100,000 per month for PCI compliance violations. These fines are passed downstream to the merchant. In addition, your account is subject to many additional costs including lawsuits from cardholders and issuing banks, the reissuance of cards, brand damage and a required forensic investigation. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.
What is a vulnerability scan?
A vulnerability scan is an automated tool that conducts a nonintrusive scan of a merchant or service provider’s system to remotely review networks and Web applications based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider. The scan pinpoints vulnerabilities in operating systems, services and devices that could be used by hackers to target the company’s private network. Approved Scanning Vendors (ASVs), like ControlScan, do not require the merchant or service provider to install any software on their systems, and no denial-of-service attacks will be performed.
How often do I need a vulnerability scan?
Those who meet the above criteria are required to submit a passing scan once per quarter. Scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV), such as ControlScan.
What if I refuse to cooperate?
Here at Taylor Bank, we believe in the importance of PCI compliance to ensure the safety and security of electronic transactions. Merchants that do not comply with PCI DSS will be charged non-compliance fees, and are subject to fines, card replacement costs, costly forensic audits, brand damage, etc., should a breach event occur. PCI Compliance is mandated by the major card brands (Visa, MasterCard, Discover, AMEX and JCB), but is not enforced by any government entity or authority. PCI greatly helps you to reduce your risk of facing these extremely unpleasant and costly consequences.
If I’m running a business from my home, am I a serious target for hackers?
Yes — fraudsters will often target home users due to vulnerable broadband connections and typical home use programs like chat, Internet games and P2P file-sharing applications. ControlScan’s scanning service allows home users and network administrators alike to identify and fix any security vulnerabilities on their desktop or laptop computers.
What should I do if I’m compromised?
While there are many steps you can take to prevent card data breaches, unfortunately they can still occur to businesses of all types and sizes. If you believe you have been breached, contact Taylor Bank immediately.
For additional information or questions that are not addressed above, please contact our Merchant Services Team at 410-641-1700.