What You Should Know About PCI Compliance
You may have seen the acronym PCI DSS or heard the term "PCI compliance," but you aren't sure exactly what they mean. Here is a primer to help you better understand their meaning and the importance of PCI compliance for merchants.
PCI DSS stands for the Payment Card Industry Data Security Standard, which is administered by the PCI Security Standards Council. The PCI DSS establishes baseline security requirements for handling credit and debit card data. All merchants that process, store or transmit cardholder data must demonstrate that they do so within a secure environment that meets the PCI DSS requirements.
Completing the SAQ
To demonstrate PCI compliance, merchants complete what is known as a Self-Assessment Questionnaire (SAQ), a tool for self-evaluating compliance with the PCI DSS. Several versions of the SAQ exist; which one applies depends on how the merchant accepts cards (for example, whether card data is entered on a website, through a stand-alone terminal or through a payment application connected to the Internet) and other factors. For details, visit https://www.pcisecuritystandards.org/merchants/self_assessment_form.php.
Each SAQ is a series of questions about the merchant's security practices, each corresponding to a PCI DSS requirement. An Attestation of Compliance (AOC) accompanies the SAQ; merchants must complete and return it to certify that they have completed the appropriate SAQ and are PCI compliant.
In addition, merchants whose card-processing systems are reachable from the Internet (for example, POS software that uses an Internet connection to process credit and debit cards) must also pass an External Vulnerability Scan (or Network Scan) of those systems. This scan must be performed by an Approved Scanning Vendor (ASV), and it passes only if it finds no vulnerability rated 4.0 or higher on the CVSS scale. You can access a list of approved ASVs at https://www.pcisecuritystandards.org/qsa_asv/find_one.shtml.
Included on this list is Trustwave®, with whom PNC Merchant Services® has partnered to provide validation services at a preferred price.
All Merchants Must Comply
Note that all merchants that accept credit and debit cards must validate PCI compliance, regardless of their card processing volume. The steps above apply to merchants eligible for self-assessment; the highest-volume (Level 1) merchants are instead assessed on site and submit a Report on Compliance. Validation is not permanent: the SAQ must be completed annually, and merchants that require a Network Scan must pass a new scan at least every three months.
PNC Merchant Services is required to report on the PCI compliance status of all our merchant customers. Merchants that have not validated PCI compliance may be subject to substantial fines if their customers' payment data is compromised, and may also be liable for the expenses and the cost of fraudulent transactions that result from the security breach.
Questions? Learn more basic tips on getting started with data security, or contact PNC Merchant Services Customer Service at 1-800-742-5030.