PCI DSS Compliance Frequently Asked Questions

Becoming compliant with the PCI (Payment Card Industry) DSS (Data Security Standard) is mandatory for any organization that transmits, stores or processes credit card information. The goal of PCI compliance is to strengthen the security of your organization from the inside out and protect sensitive cardholder data. Bluefin is dedicated to working in partnership with your organization to help you implement all required security measures. Below are answers to frequently asked questions regarding PCI compliance.

Credit Card Payment Security

What is the PCI Standard?

The PCI Standard, referred to in full as the PCI (Payment Card Industry) DSS (Data Security Standard), was formulated in 2006 to ensure that a comprehensive list of security standards to protect cardholder data was adopted globally. PCI compliance certification is the certification given to an organization that meets the standards set forth in the PCI DSS.

The payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.) have mandated that all businesses that store, transmit or process cardholder information must maintain compliance with PCI DSS.

Who needs to be PCI compliant?

All organizations that hold, process, or exchange cardholder information need to be PCI compliant – regardless of whether the organization does 2 transactions a year or 2 million transactions a year.

Beyond the risk of incurring significant fines and penalties in the event of a data breach, merchants and service providers who refuse to secure their systems risk losing the trust of the clients with whom they have worked so hard to build a relationship.

Who is responsible for making sure I am compliant?

It is the responsibility of both the Acquirer (in this case, Bluefin) and the merchant to ensure that PCI compliance is achieved. This is why Bluefin provides all of our merchants access to our PCI Compliance Assistance Service Program.

How do I become PCI compliant?

You can become PCI compliant through our PCI Compliance Assistance Program. Merchants get the tools, resources and guidance that will help them achieve compliance along with the assistance of our Qualified Security Assessors (QSA) and Approved Scanning Vendors (ASV). Our PCI-certified partners will:

  • Work with you to conduct an analysis of your account
  • Guide you through the completion of your PCI DSS Self-Assessment Questionnaire (SAQ)
  • Assist with any necessary remediation efforts
  • Certify your compliance
  • Include (if applicable) the required quarterly scans of your processing systems

What kind of PCI compliance do I need to achieve?

Depending on the annual transaction volume processed and the point of sale systems used, organizations will have varying degrees of PCI compliance that they must achieve. This includes but is not limited to: an Annual Self-Assessment Questionnaire (SAQ), an Annual Attestation of Compliance, and Quarterly Scans by a third-party vendor of any outward-facing IP address(es). Your QSA will help you determine your compliance level.

How long does it take to become PCI compliant?

The amount of time it takes to become PCI compliant varies based on your current payment processing setup and what changes you need to make to become PCI compliant, but can be completed in as little as 1 day to 2 weeks. Once you have completed the SAQ that applies to your business, you will immediately be compliant.

How will credit card companies know I am PCI compliant?

Bluefin has the legal responsibility to electronically report each merchant’s PCI compliance progress to Visa, MasterCard, Discover, AMEX, and First Data on a monthly basis. Bluefin obtains this data through a number of sources: SAQ document submissions from our merchants stating their full compliance, passed vulnerability scan reports, and an open communication line between our internal Bluefin PCI department and our valued clients. Additionally, fines from the card brands for failing to comply with PCI security standards or failing to rectify a security failure can be severe – from $5,000 to $100,000 per month.

How will PCI compliance help my business?

Becoming PCI compliant will help your business because establishing mandatory industry-wide PCI security standards boosts consumers' confidence that their information is being protected whether they are shopping at a large, well-known retailer or a small internet company.

For example, if small internet companies developed a reputation for compromising cardholder data, it would have a devastating effect on all small internet companies regardless of how each individual company protects itself and its cardholders.

My gateway/terminal is already PCI certified. Do I need to be PCI compliant?

Yes, having a PCI compliant terminal/gateway is a requirement for becoming certified but is only one of several requirements. All parties involved in processing a credit card transaction need to be PCI compliant.

I never see credit card information. Do I need to be PCI compliant?

Yes, even if you personally never see credit card information, there could still be a security lapse in your system that could cause the credit card data to be compromised. PCI guidelines are designed to protect cardholder information from being leaked to criminals, not necessarily merchants.

What is the cost for maintaining PCI compliance through Bluefin?

Costs for our Compliance Assistance Program are assessed on a monthly and/or yearly basis and vary by account size. Please contact our customer service line for your specific costs, 800-675-6573, ext. 4.