It seems that every day we hear more and more about data security breaches, foreign cyber-attacks, and consumer warnings about how to protect yourself from falling victim to fraud.
Now more than ever, it’s important to stay ahead of the curve and ensure you have the basics down when it comes to protecting your business’ sensitive payment data.
Below are the most frequently-asked PCI-related questions we receive from channel partners and merchants, along with answers. If you have a question that isn’t listed, please comment below or send an email to pci@csipay.com.
What is PCI-DSS?
The Payment Card Industry Data Security Standard (PCI-DSS) — commonly referred to as just PCI — is a set of standards designed to ensure that all organizations that accept, process, store or transmit credit card information maintain a secure environment.
What Businesses are Required to Be PCI-Compliant?
ALL BUSINESSES that participate in the payment transaction process are expected to adhere to the PCI compliance standards. This includes:
- Businesses of all sizes
- Point of sale providers
- Gateway providers
- Financial institutions
- Payment processors and acquirers
- Hardware and software developers
My Software Provider is PCI-Certified. Do I Need to Maintain PCI Compliance Myself?
Yes. Working with a software provider that is PCI-certified, or a merchant services provider, like Constellation Payments, that is PCI-certified, does not exempt a business from having to show compliance.
Businesses handle credit card information at their front desks and kiosks every day. All businesses are part of the payment transaction flow and therefore required to comply and show compliance through a certification process.
All the entities listed above must demonstrate and validate compliance.
How Do I Become PCI-Certified?
1) Review the 12 PCI-DSS requirements on the Constellation Payments website. This list can be used as a checklist for assessing your IT assets and business processes.
2) Complete the self-assessment questionnaire (SAQ) and confirm all answers. Complete an external scan of your IP address(es) if necessary.
Businesses with Constellation Payments will be provided with step-by-step instructions on how to gain access to our Level 4 Merchant Program, provided by MegaPlanIT.
3) Download your validation certification.
4) Send the certificate to your merchant processor to have on file.
How Often Do I Need to Complete the PCI Questionnaire?
You are required to complete the PCI questionnaire every year to stay compliant. Scans are required quarterly.
Who Can Help Me with my PCI Compliance Validation?
At Constellation Payments, we’ll guide you through the entire process to make sure your PCI compliance certification experience is smooth and easy.
We have partnered with well-known Qualified Security Assessors to provide all businesses with a PCI toolkit to help with the annual PCI compliance validation process.
At CSIPay, we are available to help merchants gain access to the PCI platform and we have a dedicated support team for assistance completing SAQ’s and scans. Your Software provider should be able to assist with any software specific questions.
What’s a Security Vulnerability Scan?
A vulnerability scan identifies security issues such as storing of any credit card data, misconfigured networks or outdated versions of software.
Who Needs to Complete a Security Vulnerability Scan and How Often Does the Scan Need to be Completed?
Businesses that have external-facing IP (Internet Protocol) addresses that connect to their cardholder data are required to complete a quarterly vulnerability scan by an Approved Scanning Vendor. If vulnerabilities are found, the business is required to go through a remediation process to fix the vulnerabilities.
What is Breach Security Coverage?
Maintaining PCI compliant status will help to reduce the risk of a data security breach, but it doesn’t guarantee a breach event won’t occur.
The penalties for a data security breach can have a devastating financial impact to a business.
Our PCI program solution at Constellation Payments includes data breach coverage, which provides some financial relief to businesses that experience a data security breach.
In the event of a breach, you should contact the Constellation Payments’ Support team who will then log the event with relevant parties and work with risk/loss prevention to start the investigative process.
Jennifer Sumii is Manager of Partner Relations for Constellation Payments. Within her role, she oversees critical company partnerships, including partners with custom integrations, large core processing accounts, and processor or origination companies. Her background includes extensive processing and banking experience, specifically FI/ISO/ICA relationship management, corporate and commercial banking relationship management, national account management, and new ISO/MSP implementation and training. You can reach Jennifer at jsumii@csipay.com.