PCI DSS Compliance Frequently Asked Questions

Becoming compliant with the PCI (Payment Card Industry) DSS (Data Security Standard) is mandatory for any organization that transmits, stores or processes credit card information. The goal of PCI compliance is to strengthen the security of your organization from the inside out and protect sensitive cardholder data. Bluefin is dedicated to working in partnership with your organization to help you implement all required security measures. Below are answers to frequently asked questions regarding PCI compliance.

Credit Card Payment Security

What is the PCI Standard?

The PCI Standard, referred to fully as the PCI (Payment Card Industry) DSS (Data Security Standard), was first published in 2004 and has been maintained since 2006 by the PCI Security Standards Council so that one comprehensive set of security requirements for protecting cardholder data is adopted globally. What is commonly called "PCI compliance certification" is a validation of compliance: an organization demonstrates that it meets the requirements set forth in the PCI DSS (by Self-Assessment Questionnaire or, for the largest merchants, by an on-site assessment) and attests to that result.

The payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.) have mandated that all businesses that store, transmit or process cardholder information must maintain compliance with PCI DSS.

You can learn more at https://www.pcisecuritystandards.org/.

Who needs to be PCI compliant?

PCI compliance is a requirement imposed by the card brands, and enforced through acquirers and processors, for accepting card payments. It does not guarantee that a breach cannot happen, but it substantially reduces the risk of cardholder data being stolen and misused. Merchants who process transactions and handle sensitive credit card data are required to comply with the PCI DSS, the standard maintained by the PCI Security Standards Council (SSC).

All organizations that hold, process, or exchange cardholder information need to be PCI compliant – regardless of whether the organization does 2 transactions a year or 2 million transactions a year.

Beyond the risk of incurring significant fines and penalties in the event of a data breach, merchants and service providers who fail to secure their systems risk losing the trust of the clients with whom they have worked so hard to build a relationship.

Who is responsible for making sure I am compliant?

It is the responsibility of both the Acquirer (in this case, Bluefin) and the merchant to ensure that PCI compliance is achieved. This is why Bluefin provides all of our merchants access to our PCI Compliance Assistance Service Program.

Through our PCI Compliance Assistance Program with Trustwave’s SecureTrust, merchants get the tools, resources and guidance that will help them achieve compliance with the assistance of Qualified Security Assessors (QSA) and Approved Scanning Vendors (ASV) through their TrustKeeper portal. Our PCI-certified partners will:

  • Work with you to conduct an analysis of your account
  • Guide you through the completion of your PCI DSS Self-Assessment Questionnaire (SAQ)
  • Assist with any necessary remediation efforts
  • Certify your compliance
  • Include (if applicable) the required quarterly scans of your processing systems.

Trustwave can be reached at 800-363-1621, Option 1. Make sure to have your Bluefin Merchant ID when you call as that will be your merchant identification.

How long does the compliance process take?

The length of the process varies for different sizes and types of merchants.

For example, for small merchants without complex credit card processing environments, it could take 15-30 minutes, assuming no non-compliance issues are discovered. However, if non-compliance issues are identified, the length of time it takes an organization to implement solutions to resolve these issues will affect the length of the PCI DSS compliance process.

The length of time also depends on how much remediation is needed and on the complexity of the environment. For more complex merchants, TrustKeeper scales to your needs and has been designed to let you complete the process in stages, for example 10 minutes at a time. Your information is saved as you complete each stage, so you can come back later and resume where you left off. Please complete at least the registration step and take inventory of what you need to do.

What kind of PCI compliance do I need to achieve?

Depending on the annual transaction volume processed and the POS and Ecommerce systems used, organizations will have varying degrees of PCI compliance that they must achieve. This includes, but is not limited to: an annual Self-Assessment Questionnaire (SAQ) (or, for Level 1 merchants, an on-site assessment and Report on Compliance by a QSA), an annual Attestation of Compliance, and quarterly scans by an Approved Scanning Vendor of any externally facing IP address(es). Merchant levels are defined by each card brand; the commonly used Visa levels are:

  • Level 1: Merchants that process over 6 million card transactions annually (any merchant that has suffered a breach may also be placed at Level 1 at the card brand's discretion).
  • Level 2: Merchants that process 1 to 6 million transactions annually.
  • Level 3: Merchants that process 20,000 to 1 million e-commerce transactions annually.
  • Level 4: Merchants that process fewer than 20,000 e-commerce transactions annually, and all other merchants processing up to 1 million transactions annually.

Is PCI compliance a one-time requirement?

No. Securing your business is an ongoing process. As your business changes over time, the practices you use to protect your customers' credit card information need to change with it.

Furthermore, the PCI DSS itself is revised periodically to help your business defend against evolving threats. Because the card brands require all businesses accepting card-based payments to comply with PCI DSS at all times:

1. You are required to submit a PCI Self-Assessment Questionnaire (SAQ) together with its Attestation of Compliance annually.

2. If vulnerability scans are required for your business, you will need to complete and pass an external scan at least every three months, and rescan after any significant change to your network (for example new Internet-facing systems or firewall rule changes). TrustKeeper will help guide you through these recurring requirements.

How will the credit card companies / acquirers know that I am PCI compliant?

Bluefin has the legal responsibility to electronically report each merchant’s PCI compliance progress to Visa, MasterCard, Discover, AMEX, and our acquirers on a monthly basis.

Bluefin obtains this data through a number of sources: SAQ document submissions from our merchants stating their full compliance, passed vulnerability scan reports, and an open communication line between our internal Bluefin PCI department and our valued clients. Additionally, fines from the card brands for failing to comply with PCI security standards or failing to rectify a security failure can be severe – from $5,000 to $100,000 per month.

My gateway/terminal is already PCI certified. Do I need to be PCI compliant?

Yes. Using a validated terminal or a PCI DSS compliant gateway is a requirement and can significantly reduce the scope of your own assessment, but it is only one of several requirements. Your own systems, network and procedures that touch the transaction (the terminal's network connection, the workstation that reaches the gateway, your staff's handling of card data) remain in scope, and all parties involved in processing a credit card transaction need to be PCI compliant.

I never see credit card information. Do I need to be PCI compliant?

Yes. Even if you personally never see credit card information, a security lapse in your systems (for example a compromised web server that redirects the payment page, or a tampered terminal) could still cause credit card data to be compromised. PCI guidelines are designed to protect cardholders' data wherever it is handled, not only in places where merchants can see it. Merchants who fully outsource card handling typically qualify for a much shorter questionnaire (such as SAQ A), but they still need to validate annually.

What is the cost for maintaining PCI compliance through Bluefin?

Costs for our Compliance Assistance Program are assessed on a monthly and/or yearly basis and vary by account size. Please contact our customer service team for your specific costs, 800-675-6573, ext. 4.