1. What is the PCI DSS?
The PCI DSS, or Payment Card Industry Data Security Standard, was established by the major credit card brands to enhance payment account data security. The PCI guidelines are there to help you minimize your risk of losing cardholder data and being breached.

2. Am I obligated to comply with the PCI DSS?
Yes. PCI requirements apply to every merchant that stores, processes or transmits credit or debit card information. Businesses must adhere to the PCI DSS at ALL times under their Merchant Agreement or risk the potential consequences.

3. Who in the organization is responsible for PCI compliance?
The business owner is ultimately responsible (and 100% liable) for ensuring PCI compliance within the business. As the risk owner, they have a fiduciary and legal obligation to protect cardholder data within the business.

4. What if I only process a small number of credit card transactions each year? Do I still have to comply?
Yes. Although this is a common misunderstanding about the standard, if you are a merchant and accept any type of payment card (credit, debit, gift cards, etc.), then you need to become compliant.

5. Do I only have to be compliant with the majority of criteria?
Unfortunately, no. To become and remain compliant, you must be able to pass every requirement. Failing even one of the criteria means you are not in compliance with PCI and are exposed to all of the costly consequences.

6. What are the potential consequences of non-compliance?
There are many costly consequences such as…

7. Who is at the greatest risk of a data breach?
While any company that isn’t compliant is at risk, two out of three payment card breaches occur in the food service industry. Smaller merchants are at the greatest risk because they are less likely to have the proper security measures in place to protect their customers and their business.

8. How can I implement the necessary steps in my business to minimize the risk of a security breach and ensure PCI compliance?
The first step in creating a proactive security environment is to create an Information Security Policy (ISP). An ISP, which provides guidelines and procedures to protect payment card data, is essential to keep your organization safe and compliant.

9. How do I report my compliance?
The Self-Assessment Questionnaire (SAQ) is a validation tool published by the PCI SSC and is intended to help merchants self-evaluate their compliance with the PCI DSS; it should be completed by merchants that are not required to complete a Report on Compliance. There are multiple versions of the SAQ to address the various payment processing scenarios.

10. What is the difference between a Qualified Security Assessor and an Approved Scanning Vendor?
Qualified Security Assessors (QSAs) are authorized to perform annual audits of merchants and service providers to document their compliance with PCI. Approved Scanning Vendors (ASVs) are authorized to perform the quarterly external vulnerability scans that demonstrate compliance with requirement 11.2 of the PCI Data Security Standard.

11. Can’t I wait until my acquirer/credit card processor asks me to be compliant?
The compliance deadlines are long past. As the merchant, you are responsible for making sure you are in compliance today. Waiting until the acquirer/credit card processor asks you could be very costly indeed.

12. What is an Approved Scanning Vendor?
An Approved Scanning Vendor (ASV) is a security scanning vendor certified by the Payment Card Industry Security Standards Council. Only an ASV, such as SecureConnect, can provide the quarterly vulnerability scans needed for compliance.

13. What is an Attestation of Compliance?
The Attestation of Compliance is your certification that you have completed the appropriate Self-Assessment Questionnaire and attest to your organization’s compliance status with the PCI DSS.

14. PCI compliance is just about technology, right?
No! PCI compliance is an overall business issue, so everyone needs to be aware of their role. All it takes is one employee who is careless with a customer’s credit card, or who unknowingly downloads a virus onto the back office computer, and a hacker could take advantage of that opportunity to access confidential information.

15. Is there a vendor that can provide a solution to help franchisees with PCI compliance?
Yes! PCI compliance can be a difficult process with several technical components. With the SecureConnect PCI packages, merchants are presented with a comprehensive, turn-key solution to protect the payment card environment and maintain PCI compliance, all at a cost-effective price.