PCI Compliance: Protecting Cardholder Data


What is PCI Compliance?
All businesses that store, process or transmit payment cardholder data must be PCI compliant and follow the Payment Card Industry (PCI) Data Security Standard (DSS). The Payment Card Industry Security Standards Council (PCI SSC) was launched in 2006 by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). The PCI SSC developed the DSS, a set of security requirements that helps businesses handle cardholder data properly and maintain a secure environment.

Why Do I Need To Be Compliant?
Have you ever been contacted by your financial institution and notified that your credit card information has been compromised? This is why businesses that process credit cards must handle cardholder data securely. The PCI Data Security Standard (DSS) is a set of guidelines ensuring that you and your employees, as well as your network, computers and web systems, handle cardholder data in a manner that helps prevent it from being accessed by unauthorized persons or systems. New merchant accounts have 90 days to complete their security assessment. Non-compliance fees may be billed to merchants who do not complete the PCI assessment.

What's involved in becoming PCI Compliant?
Most small businesses fall into the category 'Merchant Level 4' since they process fewer than 20,000 Visa transactions per year. These merchants have to do the following:

  • Determine which Self-Assessment Questionnaire (SAQ) your business should use to validate compliance.
  • Complete the relevant SAQ and then the Attestation of Compliance (AOC).
  • Run a network/computer scan if your business profile requires one.


What Compliance Tools Do You Provide?

Our merchants have access to a fully functional compliance toolkit. Along with the dedicated account tools, you will have access to our team, as well as to the experts at Elavon, to help walk you through your PCI compliance steps.

Your dedicated Compliance Portal has the following:

  • Portal Login and Dashboard
  • Step by step profile questionnaire
  • Complete SAQ guide
  • Scanning tools for your network and computers
  • Scanning scheduler for recurring scans
  • Manage and view scanning history
  • Upload and manage compliance documents

Which SAQ is Applicable for My Business?

The vast majority of businesses that have payment processing accounts and websites through Website Express will qualify for the easiest questionnaire, SAQ A, unless they also have a brick-and-mortar storefront. Our website payment forms and eCommerce solutions use hosted payment pages from PCI DSS validated third-party service providers in order to minimize your PCI compliance burden.

However, you will need to complete your business profile in order to know exactly which SAQ is applicable for your business.


Let's look at the SAQs

Small businesses (merchant level 4) can attest to their own compliance and can use the SAQs. Large businesses, however, usually have to hire a third-party compliance consultant. How your small business processes credit cards and the equipment it uses determine which SAQ applies to your business.

Here are the PCI DSS self-assessment questionnaires (SAQs):

  • SAQ A (22 Questions)
    Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
    Not applicable to face-to-face channels.
  • SAQ A-EP (191 Questions)
    E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
    Applicable only to e-commerce channels.
  • SAQ B (41 Questions)
    Merchants using only imprint machines with no electronic cardholder data storage, and/or standalone, dial-out terminals with no electronic cardholder data storage.
    Not applicable to e-commerce channels.
  • SAQ B-IP (82 Questions)
    Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage.
    Not applicable to e-commerce channels.
  • SAQ C-VT (79 Questions)
    Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage.
    Not applicable to e-commerce channels.
  • SAQ C (160 Questions)
    Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
    Not applicable to e-commerce channels.
  • SAQ P2PE-HW (33 Questions)
    Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage.
    Not applicable to e-commerce channels.
  • SAQ D-Merchant (329 Questions)
    All merchants not included in descriptions for the above SAQ types.
  • SAQ D-Service Provider (329 Questions)
    All service providers defined by a payment brand as eligible to complete a SAQ.

    Location:
    35 S Main St., Suite B
    Kalispell, MT 59901
    Toll Free: 1-888-534-3555
    Local: (406) 890-2667