PCI DSS and the PCI SSC requires ASV scans and SAQs for every merchant. Bleh. Enough with all the jargon.
Here are some questions that we’ve been asked over the years with transparent, easy-to- understand answers. When you boil it down, PCI compliance is simple.
Let’s start by de-mystifying those acronyms …
PCI DSS – Payment Card Industry Data Security Standards. These are the benchmarks for security that every merchant account that accepts credit cards needs to meet.
PCI SSC – Payment Card Industry Security Standards Commission. Basically this is Visa®, MasterCard®, Discover® and Amex®. They’re technically an independent organization that defines the standards for data security.
ASV – Approved Scanning Vendor. These are companies that are approved to scan your network and tech systems to ensure that they’re in compliance.
SAQ – Self-Assessment Questionnaire. This handy tool lets you do a self-check-up that will help you understand if you’re in compliance or what you need to do to get there.
Now for the Q and A …
If I don’t take a lot of credit cards, do I still have to be in compliance?
Yes. Even the smallest merchant accounts need to be in compliance with PCI DSS. Today, credit card fraud and security breaches aren’t a matter of if but when. The best reason to be in compliance is that it mitigates your liability if something happens to your customer’s data.
What happens if I’m not in compliance?
Even if you don’t have a security breach, you are liable to be fined. Generally, the large card-issuing banks (Visa, MasterCard, Discover, etc.) have been lax in levying fines against small merchant accounts, but that’s changing. As scrutiny over security breaches increases, more fines are being levied for merchant accounts that do fewer transactions.
If I’m not in compliance, what happens if there is a breach or fraud?
There’s an old adage about being up the creek without a paddle … if there is fraud or a breach in your customer’s data and you’re not in compliance, you’re on the hook. 100%. Not only are you responsible for covering all fraudulent charges and any legal fees associated with them but you also have the potential for massive fines up to $500,000 from EACH payment brand. That means Visa, MasterCard, Discover and Amex can each levy those fines against you. Oh, and you’ll have your ability to accept credit cards suspended. And be in a higher compliance tier. And have to pay for annual compliance checks. Just don’t do it!
So, how do I become compliant?!
We’re glad you asked. At Tidal, we offer a complete package that we call a PCI Toolkit. This kit helps our customers:
• Decide which SAQ is right for their type of merchant account
• Administer any applicable network scans
• Provide guidance on any needed remediation efforts
• Certify and validate account compliance
There are more than 130 other approved vendors who can help you get in compliance, but if you choose them, be prepared to pay the full cost.
Hopefully, this helps you wrap your head around PCI compliance. Here’s a handy list of resources if you’d like to do further research. Or, simply give us a call and talk with our PCI Expert to get personal advice on how to get your merchant account in compliance today.