PCI FAQs

What is PCI compliance?

PCI compliance is the three step process of implementation, adherence, and proof of compliance of the security standards set by the PCI Security Standards Council. These standards were developed to facilitate industry-wide adoption of uniform data security practices. They are designed to protect cardholder data from the point of sale, through transaction and in some cases the long term storage of that information.

To whom does PCI Apply?

PCI compliance is required of ALL organizations that accept, transmit, or store any credit card information. This is regardless of size and processing method, and includes service providers (processors, website hosting companies, gateways, etc.). The only merchants that do not need to become PCI compliant are those that ONLY accept cash.

What are the requirements to validate a business’ PCI compliance?

In order to become PCI compliant, merchants are required to complete and pass a Self-Assessment Questionnaire (SAQ) annually, perform quarterly network vulnerability scans (only if the merchant processes or transmits cardholder data through the Internet).

A merchant must complete and pass a SAQ once a year, assuming the method in which the merchant’s business accepts processes and stores transactions stays the same. If the business’s processing, transmitting or storing methods change, the merchant should review the SAQ and make the appropriate changes to ensure their PCI compliance remains validated.

Merchants storing, processing, or transmitting cardholder data over the Internet should pass a network vulnerability scan performed by an Approved Scanning Vendor (ASV) every 90 days. Similar to the SAQ requirements, if something were to change on the network that is processing cardholder data (e.g. a new router is installed), another scan should be performed to ensure that the business continues to properly secure this data with the new hardware or software.

What are the advantages of being PCI compliant?

PCI Compliance is a requirement by the card associations, Planet Payment and our Sponsor Banks. Complying with the PCI DSS requirements greatly reduces the risk that a business falls victim to a data breach of any customer’s sensitive cardholder data. Data breaches can be very damaging for businesses and can result in severe fines, possible lawsuits, expensive forensic audits, and a negative business reputation. Additionally, customers are often wary of their credit card information being stolen, PCI compliance offers customer’s peace of mind that their sensitive data is being protected with the highest industry standards. Businesses that are validated PCI compliant tend to see higher rates in consumer confidence.

What are the consequences of not being PCI compliant?

The consequences of non-compliance range in severity from simple fees to substantial fines that could ultimately result in a company going out of business. The fallout increases dramatically after a merchant experiences a data breach.

Even before a data breach occurs, businesses are exposed to the following consequences:

  • Monthly non-compliance fees until PCI compliance is validated
  • Customer’s may fear for the security of their sensitive cardholder data, and may be less likely to conduct business with the merchant

After a merchant experiences a data breach, the business can be exposed to the following consequences:

  • Significant fines from all credit card brands accepted by merchant
  • Lawsuits arising from the incident(s) filed by customers or merchant services provider
  • Expensive forensic security audits
  • Frozen funds in a merchant account, to compensate for potential costs and losses
  • Merchant account terminated by the merchant services provider
  • A damaged reputation which could result in decreased sales

What is a data breach?

A data breach occurs when someone unlawfully penetrates a credit card data handling system and the data is stolen for malicious use, whether by external hackers or employees.

How often do I have to validate PCI compliance?

As mandated by the PCI Security Standards Council, merchants must validate their compliance by completing an SAQ (Self-Assessment Questionnaire) every year.

For those merchants who process, store or transmit cardholder data on the Internet, a network vulnerability scan may also be required every 90 days.

It’s important to note that if a merchant changes the way they process credit/debit card payments or the way they handle customer’s sensitive cardholder data, they should review and confirm that their answers on the SAQ accurately reflect the changed method(s).

Who is Panoptic?

Panoptic is a technology security company that Planet Payment has contracted with to handle and assist our merchants in becoming PCI compliant. Panoptic is part of Sysnet Global Solutions, which is both a Qualified Security Assessor and Approved Scanning Vendor, certified by the PCI Security Standards Council.

Why can’t I deal with Planet Payment directly?

In order to provide comprehensive validation of PCI compliance Planet Payment has chosen Panoptic to handle that task. Planet values the relationship they have with all of their customers and in order to provide the best possible service we have chosen Panoptic and allowed them to work with you directly to become PCI compliant.

Are there fees associated with Planet Payment’s PCI compliance Program?

The fees associated with the PCI compliance service is $6.95 per month. Any Merchant that fails to validate PCI compliance will be charged a non-compliance fee of $49.95 per month.

What if I do not want to comply with this program?

All merchants that accept debit/credit transactions as a method of payment are required to be PCI compliant. Please be aware that failure to do so could lead to adverse action against your merchant account which may include a $49.95 non-compliance fee and possible termination of your merchant account.

What if I am already PCI compliant with another provider?

We have designed the program in order to allow you to quickly provide the information to us since you have already asserted your PCI compliance. If it has been more than a year, it is likely that your validation of compliance has expired. Contact the provider, obtain validation of compliance and upload the document into our PCI portal. You will be required to complete a condensed SAQ (Self-Assessment Questionnaire).

What if I can’t afford the changes to become PCI compliant?

PCI compliance is now a business requirement for any merchant that wishes to accept credit and debit cards, just as health and safety compliance is a requirement for any business that operates a store, office or factory. If you are not able to do so in a secure manner, then ultimately the potential dangers to your business are considerable. Even if you cannot become compliant immediately, you need to show progress on the way to becoming PCI compliant.

My other processor/Acquiring Bank doesn’t make me do this?

It is a matter for other banks and processors how they choose to comply with Association Regulations and Industry Standards. Planet Payment has chosen this method of compliance with our obligations, as we consider this the most efficient and cost effective way to do so.

I don’t store any credit card information thus I am safe, right?

While not storing credit/debit card information drastically lowers your risk of a data breach, you are still not completely safe. There are many ways hackers can steal credit card information, even if it is not stored. One of the most common ways to steal credit/debit card information is while it is in transit, thus storage is only one aspect of a very complex process.

What is my liability if I am compliant and I still have a data breach?

Merchant is still held liable in the event of a data breach, however, the penalties from the card network will not be as severe and in certain circumstances may be waived if merchant can show full compliance.

What is data breach insurance?

Data Breach Insurance transfers risk from the merchant to the insurer in the event that a merchant’s customers’ cardholder data is compromised. Some policies may include coverage of the mandatory forensic audit, credit card replacement costs and expenses, assessments and fines levied by card sponsors, and further some policies may cover breaches caused by employee dishonesty, physical theft of data, as well as computer hacking.

I do not want to pay the fee/can the fee be reduced?

In order to cover the cost of the program including the insurance, Planet Payment will be charging a modest fee to your account. Planet Payment has made efforts to ensure the fee is at an affordable level. It is likely that if you were to engage your own QSA and ASV the fees would be higher.

Who can I call for help?

As part of the relationship that Planet Payment has established with Panoptic Security you can contact them to assist you and answer any PCI related questions you have. They can be reached at 801-783-2322 and select option 1.

Where can I learn more?

For additional information regarding PCI compliance, please visit the official website of the Payment Card Industry Security Standards Council. Also included below are links to the individual card brand association’s security guideline websites.
PCI Security Standard Council: https://www.pcisecuritystandards.org
Visa: http://usa.visa.com/merchants/risk_management/cisp.html?ep=v_sym_cisp
MasterCard: http://www.mastercard.com/us/merchant/security/data_security_rules.html
Discover: http://www.discovernetwork.com/merchants/data-security/index.html
American Express: https://www209.americanexpress.com/merchant/singlevoice/dsw/FrontServlet?request_type=dsw&pg_nm=home&ln=en&frm=US
Panoptic Security’s library at www.panopticsecurity.com/faq.html
Please also visit our Fraud & Security Services page for further information on how to enhance your security.