WHAT IS PCI COMPLIANCE?
PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council to protect cardholder data. Major card companies such as Visa, MasterCard, American Express, and Discover are responsible for enforcing the security of cardholder information.
Merchants are responsible for ensuring their equipment, networks, and employees meet the PCI security standard. PCI Compliance is not optional and is required by all merchants by the card brands. If the merchant does not become compliant within 90 days of being enrolled in Sysnet, then they will be charged the PCI Non-Compliance Fee monthly until they become compliant.
Stax is able to grant Partner team members access to a white-labeled Sysnet Portal (PCI Portal) so they have visibility into a merchant's PCI compliance status and can help them with their Business Profile and Self-Assessment Questionnaire (SAQ). Once added, your team members will receive two notifications from notifications@complywithpci.com. The first will contain the username (which should be their email address); the second email will have the password reset link to allow access to the PCI Portal.
WHY DO MERCHANTS NEED TO BE PCI COMPLIANT?
Every merchant must become compliant within 90 days of their activation date with Stax. The Self-Assessment Questionnaire (SAQ) is a document used as a validation tool by credit card merchants and service providers to demonstrate compliance with PCI security standard requirements. It's a way to show that the merchant is taking the security measures needed to keep cardholder data secure.
● It is to be completed annually by each merchant
● The SAQ includes a series of yes-or-no questions that review aspects such as:
○ Cardholder data storage and retention
○ Firewall & password security
HOW DO MERCHANTS GET NOTIFIED?
A series of 3 emails will be sent to the sub-merchant over the course of 8 weeks reminding them of the requirement to become PCI Compliant. To become compliant, the merchant must log into Sysnet and complete the corresponding Self-Assessment Questionnaire (SAQ).
1st Email - First week after onboarding:
Within the first week of approval, each sub-merchant will receive an email from Sysnet (notifications@complywithpci.com). This email will include:
● The URL for Sysnet (PCI Portal)
● Username & Password
● Instructions on how to get started
2nd Email - Sent 4 weeks after first email:
Friendly reminder that their processing account is still not PCI Compliant. This email will refer to the 1st email which included:
● URL for Sysnet (PCI Portal)
● Username & Password
● Instructions on how to get started
3rd Email - Sent 4 weeks after second email:
Friendly reminder that their processing account is still not PCI Compliant. This email will refer to the 1st email which included:
● URL for Sysnet (PCI Portal)
● Username & Password
● Instructions on how to get started
SUPPORT
PCI Support is available for escalations and to help walk a merchant through their questionnaire. Monday - Friday: 8:30 AM - 8:00 PM EST
Phone: 1-888-543-4743
Email: support@complywithpci.com
FAQs
1. Who does PCI Compliance apply to?
a. PCI applies to ALL organizations or merchants that accept, transmit, or store any cardholder data.
2. We have merchants with multiple business locations. Is each location required to validate PCI Compliance?
a. Your Growth Manager can help you determine if each location must validate separately or not. Usually if multiple business locations process under the same Tax ID, then you are only required to validate once for all locations.
b. It is worth noting that if you are validating once for all locations, all locations will be subject to a "Failed Questionnaire" if the primary location fails.
3. What is defined as 'cardholder' data?
a. Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc.
4. What if a merchant refuses to cooperate?
a. PCI is not, in itself, a law. The standard was created by the major card brands such as Visa, MasterCard, Discover and AMEX. Merchants that do not comply with PCI will be subject to a Non-Compliance Fee and could potentially be subject to fines, card replacement costs, costly forensic audits, brand damage, etc., if a breach should occur.
5. Where can I find the PCI Data Security Standards (PCI DSS)?
a. The Standard can be found on the PCI SSC's website: www.pcisecuritystandards.org
6. How long is PCI Compliance valid for?
a. Each questionnaire produces a PCI certificate that is valid for one year. Vulnerability scans are valid for three months.
7. What is the scan process like for our terminal merchants?
a. The merchant will be able to begin their scan inside the PCI Portal. They will need to retrieve their IP address in order to initiate the scan. After the scan is successful and validated by the merchant, they will become compliant. At this point, the scan will automatically run in the background every quarter.
b. If the scan ever fails the merchant will receive an email notifying them to take action. There is no limit to the amount of failed scans a merchant is allowed to have on file. If a merchant fails, it’s common for them to implement remediation steps and scan again to complete the process successfully. If no action is taken, a failed scan can result in a merchant becoming non-compliant and being billed for PCI Non-Compliance.
8. What if the information a merchant initially entered in their Business Profile has changed? Do they need to go through the process again?
a. In the case that a merchant has added on something like a terminal after completing a SAQ C-VT for Card Not Present (CNP) processing, it is recommended that they re-profile and go through the new Self-Assessment Questionnaire (SAQ) and scan process.
Helpful Definitions
PCI - Payment Card Industry
SAQ - Self-Assessment Questionnaire
NCF - Non-Compliance Fee
PCI DSS - Payment Card Industry Data Security Standards