PCI Compliance FAQ
The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of requirements for enhancing payment account data security. The standard was developed by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, Inc. to facilitate industry-wide adoption of consistent data security measures on a global basis. The standard aims to increase awareness and promote best practices in the handling of sensitive information as a means of minimizing identity theft and fraudulent transactions.
No, PCI DSS is not new. The framework of the PCI data security standards has existed in different forms for some time and continues to evolve. You may be more familiar with the payment brands’ own programs that promote adoption of the PCI DSS:
• MasterCard: Site Data Protection (SDP) program. Mastercard.com/sdp
• Visa: Cardholder Information Security Program (CISP) Visa.com/cisp
• Discover Network: Discover Information Security & Compliance (DISC) Discovernetwork.com/fraudsecurity/disc.html
• American Express: Data Security Operating Policy AmericanExpress.com/datasecurity
Yes. All merchants, whether small or large, must be PCI compliant. The payment brands have collectively adopted PCI DSS as the requirement for every organization that processes, stores or transmits payment cardholder data, and having a merchant account inherently means handling cardholder data.
No. Using a PCI compliant payment application does not by itself make your business PCI compliant; it addresses only one of the many PCI DSS requirements, which cover the handling of sensitive data across your whole environment. Currently, the PCI DSS lists twelve requirements.
These requirements are organized around the following principles:
• Build and maintain a secure network
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy
The card associations require all acquirers to report on the PCI compliance of their merchants. If you choose not to complete the self-assessment questionnaire, you may overlook data security practices whose absence increases your risk of a breach. If your business fails to become PCI compliant, you expose it to the growing threat of payment card data theft, which may result in substantial penalties (such as fines from banks, regulatory agencies and card associations), fraud and chargebacks, legal costs and lost customers. If you fail to become PCI DSS compliant, or you validate compliance through a third-party vendor but do not report that status to Fiserv, your Merchant Services provider may also charge you a monthly non-receipt of PCI Validation fine until you become PCI DSS compliant or report your compliant status to Fiserv. If your business experiences a data security breach, you could even lose your ability to process credit card payments. Perhaps more importantly, you risk losing customers: research shows that 43% of customers who have been victims of fraud stop doing business with the merchant where the fraud occurred.
NOTE: Achieving PCI DSS compliance does not prevent a data security breach or compromise, or change the allocation of risk under your merchant agreement.
Visit www.cloversecurity.com; the instructions on the site will help you get started. Merchants have access to phone, chat and email support for any help they need to become PCI compliant and to maintain compliance.
Please contact Compliance Support (866-957-1807) or email [email protected].
The PCI compliance certificate is valid for one year from the date it is issued. To maintain your compliance, you must complete the PCI DSS self-assessment questionnaire annually and, if your business is required to scan, pass the applicable external vulnerability scan every quarter.
As your service provider, we hope you will elect to use our Clover Security PCI Rapid Comply® Solution. However, you are free to obtain PCI DSS compliance services from third-party vendors.
The benefits of using the Fiserv Clover Security PCI Rapid Comply® Solution are that it is offered by and integrated with your Merchant Services provider. The Clover Security PCI Rapid Comply Solution includes guided SAQ assistance to complete the annual questionnaire, an integrated scanning tool for merchants that are required to pass scans, and support available via email and phone. If you choose another third-party vendor for PCI DSS compliance services, you will need to contract with and pay that vendor directly. In addition to the alternate vendor’s charges, you will still need to pay the Compliance Services Fee charged by your Merchant Services provider; that fee is not affected by your choice of vendor. You will also need to ensure your PCI DSS compliance status is reported to Fiserv.
If you fail to become PCI DSS compliant, or you validate compliance through a third-party vendor but do not report that status to Fiserv, your Merchant Services provider may charge you a monthly non-receipt of PCI Validation fine until you become PCI DSS compliant or report your compliant status.