PCI Compliance Frequently Asked Questions

Becoming compliant with the PCI (Payment Card Industry) DSS (Data Security Standard) is mandatory for any organization that transmits, stores or processes credit card information. The goal of PCI compliance is to strengthen the security of your organization from the inside out and protect sensitive cardholder data. Bluefin is dedicated to working in partnership with your organization to help you implement all required security measures. Please see below for frequently asked questions regarding PCI compliance.

Credit Card Payment Security

What is the PCI Standard?

The PCI Standard, referred to in full as the PCI (Payment Card Industry) DSS (Data Security Standard), was formulated in 2006 to ensure that a comprehensive list of security standards to protect cardholder data was adopted globally. The payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.) have mandated that all businesses that store, transmit or process cardholder information must maintain compliance with PCI DSS.

Who has to be PCI compliant?

All organizations that hold, process, or exchange cardholder information need to be compliant pursuant to the PCI DSS Security Standards Council – regardless of whether the organization does 2 transactions a year or 2 million transactions a year. Beyond the risk of incurring significant fines and penalties in the event of a data breach, merchants and service providers who fail to secure their systems risk losing the trust of the clients with whom they have worked so hard to build a relationship.

Who is responsible for making sure I am compliant?

It is the responsibility of both the Acquirer (in this case, Bluefin Payment Systems) and the merchant to ensure that PCI compliance is achieved. This is why Bluefin provides all of our merchants access to our PCI Compliance Assistance Service Program.

How does Bluefin Payment Systems assist me in becoming compliant?

Through our PCI Compliance Assistance Program, merchants get the tools, resources and guidance that will help them achieve compliance with the assistance of our Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs). Our PCI-certified partners will:

  • Work with you to conduct an analysis of your account
  • Guide you through the completion of your PCI DSS Self-Assessment Questionnaire (SAQ)
  • Assist with any necessary remediation efforts
  • Certify your compliance
  • Include (if applicable) the required quarterly scans of your processing systems

What kind of compliance do I need to achieve?

Depending on the annual transaction volume processed and the point-of-sale systems used, organizations will have varying degrees of PCI compliance that they must achieve. This includes, but is not limited to: an annual Self-Assessment Questionnaire (SAQ), an annual Attestation of Compliance, and quarterly scans by a third-party vendor of any outward-facing IP address(es). Your QSA will help you determine your compliance level.

How long does it take to become PCI compliant?

Once you have completed the SAQ that applies to your business, you will immediately be compliant.

How will Visa or MasterCard know whether I am PCI compliant?

Bluefin has the legal responsibility to electronically report each merchant’s PCI compliance progress to Visa, MasterCard, Discover, AMEX, and First Data on a monthly basis. Bluefin obtains this data through a number of sources: SAQ document submissions from our merchants stating their full compliance, passed vulnerability scan reports, and an open communication line between our internal Bluefin PCI department and our valued clients. Additionally, fines from the card brands for failing to comply with PCI security standards or failing to rectify a security failure can be severe – from $5,000 to $100,000 per month.

How will this Standard help my business?

Establishing mandatory industry-wide PCI security standards boosts consumers' confidence that their information is being protected, whether they are shopping at a large, well-known retailer or a small internet company. For example, if small internet companies developed a reputation for compromising cardholder data, it would have a devastating effect on all small internet companies, regardless of how well each individual company protects itself and its cardholders.

Since my gateway/terminal is already PCI certified – are you sure I need to be PCI compliant?

Having a PCI-compliant terminal/gateway is one requirement for becoming certified, but it is only one of several requirements. All parties involved in processing a credit card transaction need to be PCI compliant.

I never see credit card information – are you sure I need to be PCI compliant?

Even if you personally never see credit card information, there could still be a security lapse in your system that could cause the credit card data to be compromised. PCI guidelines are designed to protect cardholder information from being leaked to criminals, not necessarily to protect merchants.

What is the cost for maintaining PCI compliance through Bluefin Payment Systems?

Costs for our Compliance Assistance Program are assessed on a monthly and/or yearly basis and vary by account size. Please contact our customer service line for your specific costs, 800-675-6573, ext. 2.