PCI COMPLIANCE IS NO LONGER OPTIONAL
YOUR PARTICIPATION IS MANDATORY

To protect the data security of your business and your customers, the credit card industry introduced uniform Payment Card Industry Data Security Standards (PCI DSS). These standards require all merchants accepting credit and debit cards to provide annual proof that you are compliant with industry regulations.

Participation in a certified PCI DSS compliance program is required of every merchant, for every MID, regardless of your bank or processor. Non-compliance can result in costly fees and an increased threat of a security breach.

Fortunately, we make it easy for you to comply with all PCI mandates, so you can meet industry regulations, protect your cardholder data and protect your financial resources, all with one simple program.

Just a Few Easy Steps and You’re Compliant:
• Our program gives you access to a simple online questionnaire that will help ensure that you are compliant;
• We send proof of your compliance to the Card Associations when you have successfully completed the questionnaire; and
• We provide FREE quarterly or annual network vulnerability scans should you be required by the Card Associations to conduct them.

The PCI Security Standards website, www.pcisecuritystandards.org, explains the certification process and lists approved QSAs.

Please refer to the instructions on the next page for help navigating through the required Self-Assessment Questionnaire (SAQ). We’ve also included a graphical navigation guide on pages 3 - 11 for additional help.

Page 1
UNDERSTANDING PCI COMPLIANCE
Complete These Simple Steps to Certify Compliance:
1. Access the following URL, on or after April 1, 2015, through your web browser: https://www.mybackofficetools.com/
4. You will be taken to a main menu. Click the “View Registration Information” hyperlink. It is very important to ensure your email address is correct so that you can receive all PCI status and confirmation emails. If your information is not correct, please click the “Merchant Profile” menu at the top. Then click “Merchant Address”. Then, in the email box, type in your correct email address. Click Save.
10. VERY IMPORTANT: Please print the validation you receive for your records and keep it in a safe place. This will serve as proof that you have successfully completed the SAQ.
NOTE: Completion of the SAQ is required prior to May 29, 2015, to avoid being assessed a monthly non-compliance fee until certification is proven. If you are already certified for 2015 from an approved ASV/QSA, you must submit your certification of compliance prior to April 29, 2015, to avoid being billed the annual PCI compliance fee.
You may submit your proof in one of the following ways:
>> By fax to 718.559.4822 (keep a copy of your successful fax transmission receipt)
>> By mail (return receipt requested) to:
Processing Center Customer Service
P.O. Box 246
Alpharetta, GA 30009-0246

Please print your validation for your records and keep it in a safe place. This validation serves as proof that you have successfully completed the required SAQ.
Page 2
First Time VIMAS Users:
• Access this link: https://www.mybackofficetools.com
• Login using your full Merchant ID Number (MID) as the Username
• Your temporary password is Cyn followed by the last four digits of
Payment Card Industry Data Security Standard (PCI DSS) Requirements
Page 12
MERCHANT PCI COMPLIANCE PROGRAM
Q: What is the ‘PCI DSS’? A: PCI DSS stands for “Payment Card Industry Data Security Standards” and represents a set of security requirements created by the Payment Card Industry, laying out what Merchants need to do to protect customer information. The PCI Council requires that Merchants meet this set of security requirements if their business accepts, transmits, or processes customer payment cards (such as credit cards or debit cards). Merchants that do not comply with these requirements are non-compliant, in violation of the card brand rules, and can be easily breached in a number of ways. The consequences for non-compliance are severe; the payment brands may, at their discretion, impose fines and penalties at a minimum of $5,000 for a single data breach. Plus, merchants risk having their card-processing privileges revoked, leaving them unable to accept customer payment cards. All of this collectively results in a loss of revenue. For more information about PCI DSS, please visit https://www.pcisecuritystandards.org/
Q: To whom does PCI apply? A: PCI applies to ALL organizations or merchants, regardless of size, that accept, transmit, or store any payment card information.
Q: What do I have to do in order to satisfy the PCI requirements? A: To satisfy the requirements of PCI, all merchants must complete these steps. NOTE: Please see definitions of Merchant Levels in the question below this one.
• All merchants who are already certified for 2015, or whose certificate of compliance is not due to expire, MUST submit proof of compliance by April 29, 2015, via one of the following methods:
  • By mail: Processing Center Customer Service, P.O. Box 246, Alpharetta, GA 30009-0246
  • By Fax: Attention: Customer Service, at 718.559.4822
• All merchants must be PCI DSS compliant and use PA-DSS (Payment Application Data Security Standards) compliant applications.
Frequently Asked Questions
Page 13
Q: How are the different Merchant Levels defined? A: The following table defines the levels:
Q: What is the Self-Assessment Questionnaire (SAQ)? A: The PCI DSS SAQ is a validation tool for merchants to assist in self-evaluating compliance with the PCI DSS. All merchants are required to complete the annual SAQ, attest to the information they’ve entered and print and save their Attestation of Compliance. This means that you are meeting the PCI DSS requirements.
Q: What is a Qualified Security Assessor (QSA)? A: Qualified Security Assessors are organizations that have been qualified to have their employees assess compliance to the PA-DSS standard. They have been certified to validate an entity’s adherence to the PA-DSS standard.
Q: What is an Approved Scanning Vendor? A: Approved Scanning Vendors (ASVs) are organizations that validate adherence to certain DSS requirements by performing vulnerability scans of Internet-facing environments of merchants and service providers.
Q: Why do I need a scan? A: The Card Associations require all merchants with externally-facing IP addresses (e-Commerce merchants or merchants who utilize a payment gateway/shopping cart) to undergo a quarterly network scan by an Approved Scanning Vendor (“ASV”), and complete an attestation of compliance. The scan checks your website and IP addresses to ensure there are no vulnerabilities subject to outside attacks.
Page 14
Q: How do I validate my compliance? A: After you complete your SAQ, you will be asked to attest to the information you entered and print your validation of compliance. That is all you need to do, because our system will notify us that you have completed the SAQ.
If you have already been certified for 2015, you must submit your certification of compliance from an approved ASV/QSA by no later than April 29, 2015, to avoid the annual PCI billing fee for our program. If you are not certified for 2015, you must complete your SAQ prior to May 29, 2015, in order to avoid a monthly PCI non-compliance fee until you complete the SAQ.
You may submit your certification in one of the following ways:
Via fax: 718.559.4822 (keep a copy of your successful fax transmission receipt), or
Via mail: Processing Center Customer Service
P.O. Box 246
Alpharetta, GA 30009-0246
Q: What am I getting for the PCI program annual fee? A: The annual fee covers the cost for us to manage the program as required by the Card Associations.