You have probably heard of the term “PCI compliance,” but what does it mean?
This resource is being provided to give you some of the basics on PCI compliance: what it is and why it matters. Below are answers to some of the most frequent questions we receive on the subject. The bottom line is if you accept credit cards for payment at your place of business, you will have some PCI compliance obligations.
What does PCI stand for?
The full name is “PCI-DSS,” not just “PCI.” PCI-DSS stands for “Payment Card Industry Data Security Standard.” It is often shortened to “PCI,” which is how most people refer to it. “PCI compliance” means complying with the PCI data security standard; “PCI-DSS” and “the PCI standards” refer to the same thing.
Who created PCI-DSS?
PCI-DSS was created by the five major payment card brands – Visa, Mastercard, American Express, Discover, and JCB International – to help in the fight against payment card fraud. In 2006 those brands founded the Payment Card Industry Security Standards Council (PCI-SSC), the governing body and open forum that now develops, manages, educates on, and raises awareness of the PCI standards, including PCI-DSS.
Is PCI-DSS the law?
No. PCI-DSS is not itself a law. No federal legislative body administers PCI rules or regulations, and although a few U.S. states have written PCI-DSS, or parts of it, into their data security statutes, for the typical merchant PCI-DSS applies as a matter of contract. PCI-DSS is a creation of the five major card brands. When you, as the merchant, decide to accept payment with cards bearing the Visa, Mastercard, American Express, Discover, or JCB logo, you agree to maintain PCI compliance under the terms of your agreement with each card brand or its authorized agents (typically your acquiring bank or payment facilitator).
Why does PCI exist?
PCI-DSS exists to help you, as a merchant, securely store, process, and transmit cardholder data – and, just as importantly, to limit how much of that data your systems handle at all. Again, any business that accepts payment cards is subject to the PCI standards.
What PCI-DSS requirements do I need to follow?
That depends on your merchant level. Based on annual transaction volume, a merchant falls into one of four levels. The PCI-DSS security requirements themselves apply to every merchant regardless of level; what differs by level is how compliance must be validated – for example, an annual on-site assessment by a Qualified Security Assessor (QSA) at Level 1 versus an annual Self-Assessment Questionnaire (SAQ) at the lower levels – and what must be reported to your acquirer.
What are the four different merchant levels? How are they determined?
Merchant levels are tied to the total number of Visa transactions processed over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (credit, debit, and prepaid combined) under a merchant’s “DBA,” or “doing business as,” name. Visa defines merchant levels by the following criteria:
Most Vermont Systems customers will be considered Level 4 merchants.
What does a small-to-medium-sized business (Level 4 merchant) need to do to satisfy the PCI-DSS requirements?
Complete the following steps:
- Determine which Self-Assessment Questionnaire (SAQ) your business should use to validate compliance. (See the below chart for which SAQ to use)
- Complete the SAQ according to its instructions.
- If applicable, complete and obtain evidence of a passing external vulnerability scan performed by a PCI-SSC Approved Scanning Vendor (ASV). Note: ASV scanning does not apply to all merchants – it is required only for SAQ A-EP, SAQ B-IP, SAQ C, SAQ D-Merchant, and SAQ D-Service Provider – and where it does apply, the scans must be run at least quarterly, not just once at submission time.
- Complete the relevant Attestation of Compliance (AOC) in its entirety (found in the SAQ tool).
- Submit the SAQ, evidence of a passing scan (if applicable), and the AOC, along with any other requested documentation, to your acquirer.
- If you have questions about the correct SAQ, the SecureTrust™ tool (as described below) can be used to guide you to the right form. Please note that Vermont Systems cannot provide you with legal advice or the correct SAQ to use.
Where can I find more in-depth information on the SAQ process and PCI-DSS in general?
The Payment Card Industry Security Standards Council website includes some great resources, including the SAQ instructions and guidelines document and the individual SAQ forms.
How do I know which SAQ to use?
Where does Vermont Systems fall in the spectrum of parties providing a payment service?
Vermont Systems is a “payment facilitator,” or “PayFac.”
One common misconception is Vermont Systems is a payment processor: we’re not. Vermont Systems has partnered with Worldpay, Inc. (“Worldpay”), a third party, for its payment processing services. Although oversimplified, it’s fair to think of Worldpay as the “rail network” upon which Vermont Systems’ “payments engine” runs.
As a payment facilitator, Vermont Systems has its own proprietary technology, PayTrac™, which enables seamless credit card processing through the Vermont Systems software. Vermont Systems is set up as the primary merchant account holder, and you, our subscriber, are set up as our sub-merchant.
From a PCI-DSS perspective, Vermont Systems has heightened compliance obligations over and above the typical merchant.
If I’m a fully managed subscriber to the Vermont Systems software and Vermont Systems has met its PCI obligations, can’t I piggyback on that and say I’m compliant too?
Unfortunately, no. Even as a sub-merchant, because you accept credit card payments at the organizational level, you are required to maintain some level of PCI compliance. Cardholder data theft can occur at any point of weakness in the chain of making a credit card payment, including weaknesses at the club or studio level (for example, at the sales desk or a point-of-sale kiosk). There is no “pass-through” for PCI compliance. While Vermont Systems’ PCI compliance efforts benefit our entire subscribership, including you, each sub-merchant/subscriber must take appropriate steps of its own to do its part and validate its own PCI compliance.
But what if I do not store any credit card data at my facilities? Does PCI still apply?
Yes. If you accept credit or debit cards as a form of payment, and those cards bear the logo of Visa, Mastercard, American Express, Discover, or JCB, then the PCI standards apply to you. Not storing card data does, however, reduce your scope rather than your obligation: a merchant whose own systems never store, process, or transmit cardholder data (for example, because card entry is fully outsourced to a validated third party) may be eligible for one of the shorter SAQs, whereas a merchant with card data on its own network will face a longer one. Either way, you still complete an SAQ and attest to compliance.
My business has multiple locations. Is each location required to validate PCI compliance?
If your individual business locations all process under the same tax ID number, then you may only be required to validate once annually for all locations.
What happens if I do not comply? What are the consequences?
The worst consequence of failing to comply with PCI requirements is that you suffer a data breach, cardholder data is stolen, and your business suffers financially as a result. Separate and apart from monies that may have to be paid out in claims, a data breach could tarnish your reputation and keep new business away.
Putting aside the unfortunate possibility of a data breach, failing to comply with PCI standards creates potential liability for the other parties within the chain of payment services. For example, the card brands may, at their choosing, fine the acquiring bank – which is the bank linked to the primary merchant account – between $5,000 and $1,000,000 per month for PCI compliance violations. These banks will most likely pass along the fine until it eventually hits you at the merchant level. Likely, the bank will also terminate its business relationship with you, or Vermont Systems, or increase its transaction fees across the board to make up for its losses. Penalties are not widely discussed or publicized, but they can be extremely harmful to a business. It is in everyone’s interest to comply with PCI-DSS.
What is Vermont Systems required to do to maintain PCI compliance?
As a payment facilitator, Vermont Systems is held to heightened PCI compliance standards compared with a typical merchant. Each year we invest thousands of dollars in the security of our technology systems and continually refine our processes. Each year, to maintain PCI compliance, Vermont Systems is required to undergo a rigorous assessment by an independent third-party security firm.
It is important to note that PCI compliance is one facet of a broader data security plan. Although Vermont Systems has made an intentional choice not to broadcast our security measures to potential bad actors, Vermont Systems employs both online and offline measures to protect Subscriber and End User Data. Those interested in learning more can review Vermont Systems’ Privacy Policy or request a copy of our Data Security Whitepaper.
Does Vermont Systems provide any specific tools that will help me comply? What is SecureTrust™?
Like Vermont Systems, you have your own PCI compliance obligations as a merchant. You are not responsible for Vermont Systems’ compliance efforts, nor are we responsible for yours. PCI compliance is a creature of contract and dictated by common sense – we both have an affirmative obligation to do our part.
That said, Vermont Systems may sometimes provide our subscribers with access to certain tools and other resources that can aid in meeting one’s PCI compliance obligations. One of these tools is called SecureTrust™. Although SecureTrust™ can’t guarantee compliance, or “do the work for you,” this tool can help pinpoint trouble areas, provide more in-depth answers to PCI-related questions, and guide the SAQ submission process.
It’s important to note that SecureTrust™ is a third party not affiliated with Vermont Systems. Questions about SecureTrust™ can be directed to SecureTrust at (800) 363-1621, or at support@securetrust.com.
I have more questions about PCI compliance. Who at Vermont Systems should I contact?
Additional questions about PCI compliance can be directed to us at paytracsupport@VermontSystems.com.