What is PCI Compliance?
PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council to protect cardholder data. Major card companies such as Visa, MasterCard, American Express, and Discover, are responsible for enforcing the security of cardholder information.
Merchants are responsible for ensuring their equipment, networks, and employees meet the PCI security standard.
How do I become PCI Compliant?
At Fattmerchant, we always ensure your issued equipment is PCI Compliant. The only thing you as the business owner need to worry about is the following:
- Annual PCI Questionnaire
- Quarterly Scanning (if necessary)
Please contact your account manager at Fattmerchant to become compliant if you have not taken your annual questionnaire already. Our PCI service is complimentary.
How do I know which questionnaire I need to take to become compliant?
The Security Council has broken out each questionnaire by product and networks. Please complete the questionnaire which best fits your processing style.
SAQ A - Merchants whose cardholder data functions are completed outsourced to a validated third party. They do not store, process, or transmit any cardholder data in electronic format on their systems or premises.
SAQ B - Card imprinter or a physical machine processing over a phone line connection
SAQ C - Merchants who use point of sale system processing over an internet connection. You do not store any credit card information electronically. Requires a vulnerability scan of your network.
SAQ D - Merchants who electronically store cardholder data, use a customer or proprietary payment application, or a payment application installed on a network. Requires a vulnerability scan of your network.
SAQ EP - Merchants with an e-commerce website that do not store credit card information. Your payments are redirected to a third-party processor. Requires a vulnerability scan of your network.
SAQ B-IP - Merchants who process using a stand alone terminal over an IP connection. You do not store any credit card information electronically. Requires a vulnerability scan of your network.
SAQ C-VT - Merchants who process using a virtual terminal. You do not store any credit card information electronically.
SAQ P2PE - Your company uses hardware payment terminals included in a validated and PCI-listed Point-to-Point Encryption solution. You do not store, process, or transmit data outside of the hardware payment terminal.
Each questionnaire produces a PCI certificate that is valid for one year. Vulnerability scans will only be valid for three months.
What is a vulnerability scan?
Vulnerability scans are required for merchants processing over an internet network. Whether it's with a credit card machine or a shopping cart, it is important to make sure your networks are as secure as possible. Vulnerability scans test the security of your network by skimming through the ports which are open and closed on your internet router. Ports dictate the security level and strength of the network. Vulnerability scans also test a website's security by making sure all security certificates are up to date.
Where do I take my PCI questionnaire?
Questionnaires can be taken at the following web pages:
Vantiv/NPC Merchants click here. If you have never logged in before, use your Merchant ID as the username and Federal Tax ID as the password.
First Data Merchants click here. If you have never logged in before, please use the "Register now" button on the home page.
If you are unsure which merchant category you fall into, please reach out to your account manager and we will be able to assist!
Your PCI certificate will be valid for one year. After the certificate has expired, merchants must renew using the same process as above.
What happens if I am not compliant?
Merchants have three months from when their new merchant account is approved with Fattmerchant to become PCI Compliant. After the three month mark, merchants are subject to a $19.95 non-compliance fee directly from the major card companies for not complying with their security standards.