PCI Compliance FAQ

This PCI Standard, which is referred to fully as the PCI (Payment Card Industry) DSS (Data Security Standard), was formulated in 2006 to ensure that a comprehensive list of security standards to protect cardholder data was adopted globally. The payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.) have mandated that all businesses that store, transmit or process cardholder information must maintain compliance with PCI DSS.

All organizations that hold, process, or exchange cardholder information need to be compliant pursuant to the PCI DSS Security Standards Council – regardless of whether the organization does 2 transactions a year or 2 million transactions a year. Beyond the risk of incurring significant fines and penalties in the event of a data breach, merchants and service providers who refuse to secure their systems risk losing the trust of the clients with whom they have worked so hard to build a relationship.

It is the responsibility of the both the Acquirer (in this case, Bluefin Payment Systems) and the merchant to ensure that PCI compliance is achieved. This is why Bluefin provides all of our merchants access to our PCI Compliance Assistance Service Program.

Through our PCI Compliance Assistance Program, merchants get the tools, resources and guidance that will help them achieve compliance with the assistance of our Qualified Security Assessors (QSA) and Approved Scanning Vendors (ASV). Our PCI-certified partners will:

Depending on the annual transactional volume processed and the point of sale systems used, organizations will have varying degrees of PCI compliance that they must achieve. This includes, but is not limited to: Annual Self-Assessment Questionnaire (SAQ), Annual Attestation of Compliance, and Quarterly Scans by a third-party vendor of any outward facing IP address(s). Your QSA will help you determine your compliance level.

Once you have completed the SAQ that applies to your business, you will immediately be compliant.

Bluefin has the legal responsibility to electronically report each merchant’s PCI compliance progress to Visa, MasterCard, Discover, AMEX, and First Data on a monthly basis. Bluefin obtains this data through a number of sources: SAQ document submissions from our merchants stating their full compliance, passed vulnerability scan reports, and an open communication line between our internal Bluefin PCI department and our valued clients. Additionally, fines from the card brands for failing to comply with PCI security standards or failing to rectify a security failure can be severe – from $5,000 to $100,000 per month.

Establishing mandatory industry-wide PCI security standards boosts consumer’s confidence that their information is being protected whether they are shopping at a large, well-known retailer or a small internet company. For example, if small internet companies developed a reputation for compromising cardholder data, it would have a devastating effect on all small internet companies regardless of how each individual company protects itself and its cardholders.

Having a PCI compliant terminal/ gateway is a requirement for becoming certified, but is only one of several requirements. All parties involved in processing a credit card transaction need to be PCI compliant.

Even if you personally never see credit card information, there could still be a security lapse in your system that could cause the credit card data to be compromised. PCI guidelines are designed to protect cardholder information from being leaked to criminals, not necessarily merchants.

Costs for our Compliance Assistance Program are assessed on a monthly and/or yearly basis and vary by account size. Please contact our customer service line for your specific costs, 800-675-6573, ext. 2.