Security & PCI Compliance

You can log in to PCI Toolkit to complete your PCI Compliance Validation.

PCI compliance is an annual security validation requirement for all organizations involved in handling, processing, or storage of cardholder data.

PCI Compliance applies to all organizations involved in the handling, processing or storage of cardholder data.

More information is available through the PCI SSC’s website which you can visit here:

pcisecuritystandards.org/pci_security

‍

More information about PCI compliance is available by visiting the PCI’s website here: https://www.pcisecuritystandards.org/pci_security/. It is important that you speak with a PCI authorized security organization, such as Protocol, who can provide a more detailed assessment of your organization’s overall data security needs.

‍

By becoming PCI compliant, organizations create layers of security, making it more difficult for cybercriminals to take advantage of them. Merchants owe it to their customers and themselves to ensure safety of their data.

PCI DSS requirements have been in existence since 2006.

PCI SSC maintains a database of organizations authorized to help organizations with PCI compliance such as Protocol.

Failure to comply with PCI DSS may result in monthly fines from your acquiring bank, and more importantly, your organization and your customers are at risk by failing to secure sensitive data through non-compliance.

All merchants fall into one of four merchant levels designated by the specific card brands, based on the number of individual card transactions over a 12­-month period.

1. SAQ (Self­ Assessment Questionnaire) merchants that qualify for self-assessing their annual PCI compliance can use the specific SAQ that matches their credit card handling, processing and storage methods.

2. QSA/ISA (Qualified Security Assessor/ Internal Security Assessor) merchants that do not qualify for self­-assessing PCI compliance are required to use a PCI certified QSA or a ISA (sponsored by the merchant organization seeking compliance).

QIR stands for Qualified Integrators and Resellers. In other words, it is any company that has a professional with a QIR certification. A QIR verifies that your POS hardware and software is secure at each location where you take a payment. This became a requirement on January 31, 2017.

In an effort to mitigate small merchant data breaches, and in addition to regular PCI compliance requirements, Visa requires that all level 4 merchants use only PCI­QIR certified professionals for POS application and terminal installation and integration. This became a requirement on January 31, 2017.

The PCI Security Standards Council (SSC) defines cardholder data as the full Primary Account Number (PAN) or the full PAN along with any of the following elements:

• Cardholder name
• Expiration date
• Service code

Sensitive Authentication Data includes full magnetic stripe data, CAV2, CVC2, CVV2.

Each merchant is required to complete and sign an annual Attestation of Compliance (AOC) document as part of their PCI compliance

PCI compliance is required on an annual running calendar year. For example, if you submit your PCI compliance in the month of June, you will need to resubmit PCI compliance in June of the following year. If changes are made to your network, it is best to revisit PCI compliance based on the new environment changes to ensure the security of the environment.

PCI SSC strongly suggests using PCI compliant third­ party partners. Failure to use PCI compliant partners adds additional risk and requirements to become PCI compliant, as well as potential fees and fines.

If you suspect you have been compromised follow these steps:

1. Do not access or remove, turn off or restart the compromised system. Isolate the system from the rest of the network.
2. Disconnect all remote VPN connections into the network.
3. Contact your acquirer as soon as possible to inform them of the potential compromise. Contact your PCI compliance provider as well.
4. Do not destroy or tamper with potential evidence. Hold on to all data drives, systems and devices; do not dispose of anything that might be deemed evidence or part of a potential forensic investigation.