Fraud Prevention Has Never Been More Simple.


A Simpler Way to PCI Compliance

We've partnered with Aperia Solutions to help you become PCI compliant. Aperia’s easy-to-use solution and detailed level of support enable a streamlined, smooth PCI Compliance validation experience.


What is PCI Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment and prevent credit card fraud. PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data.


How you're protected against data breaches:

As a member of the MainStream family, you'll receive Breach Protection Insurance through our PCI Compliance partner, Aperia. The Data Breach Protection plan helps businesses like yours safeguard against the crippling effects of a data breach.


If this unfortunate event should occur, your business could be liable for the following expenses:

  • A forensic audit when a data breach is suspected

  • Card replacement costs and related expenses

  • Assessments and fines levied by card sponsors for data breaches

  • Even the fraudulent charges on the compromised cards

These fines add up very quickly! The good news is this new program eliminates the first $100,000 in PCI expenses.

How to Log into the Aperia Website

If you have PCI questions, you can contact Aperia toll-free at 844.216.2241, Monday-Friday, between 9:00 AM and 7:00 PM EST. You can also access your merchant portal using the following credentials:

  • User Name: 14-digit Merchant ID Number, e.g., 848700166XXXXX or 848700189XXXXX

  • Password: Last five (5) digits of the MID plus the merchant’s UPPERCASE state abbreviation, e.g., XXXXXGA

Aperia’s Help Desk also offers interpreter support for a variety of languages including Spanish, French and Mandarin Chinese!

With card fraud on the rise, we can help! It is important to take advantage of this great new opportunity and protect your business today!


PCI Compliance FAQs

  • The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment and prevent credit card fraud.

    The PCI DSS is administered and managed by the PCI SSC https://www.pcisecuritystandards.org/, an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).

  • Aperia Solutions has led PCI compliance efforts on behalf of millions of merchants, providing self-service tools and help desk support to heighten compliance levels with a minimum of cost and interruption.

    We have partnered with Aperia to provide your business with a comprehensive set of PCI compliance tools and the support necessary to validate your business’s PCI compliance. For more information, visit https://aperia.com/products/pci

  • PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data.

  • Merchants that do not comply with PCI DSS may be subject to fines, card replacement costs, costly forensic audits, brand damage, etc., should a breach event occur. Many acquiring banks are issuing fines for merchants who do not comply with PCI.

    For a little upfront effort and cost to comply with PCI, you greatly reduce your risk of facing these extremely unpleasant and costly consequences.

  • The individual card brands are requiring that the Merchant Banks/Processors implement individual PCI compliance programs to educate merchants on compliance and ensure that they meet PCI compliance requirements.

    They’ve required that all Merchant Banks/Processors have a plan in place to ensure that all of their merchants obtain and maintain compliance with the standard.

    Most of the breaches you hear of in the news are large retailers, but many people do not realize that over 80% of compromises occur at small merchant locations.

  • The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The card brands will most likely pass this fine on to the Merchant Acquirer until it eventually hits the merchant.

  • Most banks have broken down the annual/quarterly cost for validating PCI compliance into monthly installments so that the price is easier to digest.

  • The time it takes to achieve compliance is dependent upon how you process credit card data. If a vulnerability scan is not required, achieving compliance can be completed in a short amount of time.

  • Merely using a third-party company does not exclude a company from PCI compliance. It may cut down on your risk exposure and consequently reduce the effort to validate compliance. However, it does not mean you are exempt from PCI. All merchants are required to complete the SAQ annually at a minimum.

    It also addresses internal security practices and procedures behind handling credit card data. One of the leading causes of data breaches is employee error or carelessness when handling sensitive information – this is why proper policies should be in place and formal Security Awareness Training should be conducted.

    Your business must protect cardholder data when you receive it and when you process chargebacks and refunds. You must also ensure that providers’ applications and card payment terminals comply with the respective PCI standards and do not store sensitive cardholder data.

    You should request a certificate of compliance annually from providers.

  • Utilizing a compliant payment application is a best practice towards achieving compliance, but PCI compliance also covers data security, physical security and network security.

  • It is extremely difficult to complete the standard PCI Self-Assessment Questionnaire (SAQ) without assistance; it was written in very technical language. We have partnered with Aperia to assist you in the compliance process and offer support as you are completing the SAQ.

    Many of the questions in the SAQ require that you have a written Security Policy and formal Security Awareness Training in place. Without a resource to assist in building the required Security Policy and conducting the formal training, this would be a very time-consuming and costly task to complete.

  • Yes. All businesses that store, process or transmit payment cardholder data must be PCI Compliant.

  • A network security scan involves an automated tool that checks your systems for vulnerabilities. The tool will conduct a non-intrusive scan to remotely review networks and Web applications based on the external-facing Internet Protocol (IP) addresses. The scan will identify vulnerabilities in operating systems, services, and devices that could be used by hackers to target the company’s private network.

    As provided by an Approved Scanning Vendor (ASV) such as Aperia, the tool will not require you to install any software on your systems, and no denial-of-service attacks will be performed.

    Note: typically, only merchants with external-facing IP addresses are required to have passing quarterly scans to validate PCI compliance.

  • If you electronically store cardholder data post authorization, or if your processing systems have any internet connectivity, a quarterly scan by a PCI SSC Approved Scanning Vendor (ASV) is required.

  • Every 90 days/once per quarter you’re required to submit a passing scan. Merchants and service providers should submit compliance documentation (successful scan reports) according to the timetable determined by their acquirer. Scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV). Aperia is a PCI Approved Scanning Vendor.

  • Yes, home users are arguably the most vulnerable simply because they’re usually not well protected. Adopting a ‘path of least resistance’, intruders often zero in on home users, exploiting their ‘always on’ broadband connections and typical home-use programs such as chat, Internet games and P2P file-sharing programs.

    Aperia’s scanning service allows home users and network administrators alike to identify and fix any security vulnerabilities on their desktop or laptop computers.