WHAT IS PCI COMPLIANCE?
PCI security standards are technical and operational requirements set by the Payment Card
Industry Security Standards Council to protect cardholder data. Major card companies such as
Visa, MasterCard, American Express, and Discover are responsible for enforcing the security of
cardholder information.
Merchants are responsible for ensuring their equipment, networks, and employees meet the PCI
security standard. PCI Compliance is not optional; the card brands require it of all merchants.
If the merchant does not become compliant within 90 days of being enrolled in PCI
Toolkit, then they will be charged the PCI Non-Compliance Fee monthly until they become
compliant.
WHY DO MERCHANTS NEED TO BE PCI COMPLIANT?
Every merchant must become compliant within 90 days of their activation date with Stax. The
Self-Assessment Questionnaire (SAQ) is a document used as a validation tool by credit card
merchants and service providers to demonstrate compliance with PCI security standard
requirements. It’s a way to show that the merchant is taking the security measures needed to
keep cardholder data secure.
● It is to be completed annually by each merchant
● The SAQ includes a series of yes-or-no questions that review aspects such as:
○ Cardholder data storage and retention
○ Firewall & password security
SUPPORT
PCI Support is available for merchants at [email protected]
● Merchants can submit questions directly within the PCI Toolkit
○ Help with account access, resetting passwords, linking accounts or AOCs,
vulnerability scan setup, and certification issues.
● Any other concerns, including billing, should be addressed with your Partner’s support
team.
FAQs
1. Who does PCI Compliance apply to?
a. PCI applies to ALL organizations or merchants that accept, transmit, or store any
cardholder data.
2. We have merchants with multiple business locations. Is each location required to validate
PCI Compliance?
a. Merchants with multiple locations that all take payments in the same way (CNP, for
example) can be linked together so that one questionnaire can be used for all
locations.
i. In the request, please include the DBA name and MID of the master
account and sub-accounts.
ii. As compliance is at the MID level and varies based on how payments are
processed, this is a manual step that requires sign-off confirming each sub-MID is
processing in the same manner as the AOC you are looking to link it to.
iii. All MIDs need to be compliant for the master account to be considered to
be compliant.
b. It is worth noting that if you are validating once for all locations, all locations will be
subject to a “Failed Questionnaire” if the primary location fails.
3. What is defined as ‘cardholder’ data?
a. Cardholder data is any personally identifiable data associated with a cardholder.
This could be an account number, expiration date, name, address, social security
number, etc.
4. What if a merchant refuses to cooperate?
a. PCI is not, in itself, a law. The standard was created by the major card brands such
as Visa, MasterCard, Discover and AMEX. Merchants that do not comply with PCI
will be subject to a Non-Compliance Fee and could potentially be subject to fines,
card replacement costs, costly forensic audits, brand damage, etc., if a breach
should occur.
5. Where can I find the PCI Data Security Standards (PCI DSS)?
a. The Standard can be found on the PCI SSC’s website
www.pcisecuritystandards.org
6. How long is PCI Compliance valid for?
a. Each questionnaire produces a PCI certificate that is valid for one year.
Vulnerability scans are valid for three months.
7. What is the scan process like for our terminal merchants?
a. The merchant will be able to begin their scan inside the PCI Toolkit. They will need
to retrieve their IP address in order to initiate the scan. After the scan is successful
and validated by the merchant, they will become compliant. At this point, the scan
will automatically run in the background every quarter.
b. If the scan ever fails, the merchant will receive an email notifying them to take
action. There is no limit to the number of failed scans a merchant is allowed to
have on file. If a merchant fails, it’s common for them to implement remediation
steps and scan again to complete the process successfully. If no action is taken, a
failed scan can result in a merchant becoming non-compliant and being billed for
PCI Non-Compliance.
8. What if the information a merchant initially entered in their Business Profile has changed?
Do they need to go through the process again?
a. In the case that a merchant has added on something like a terminal after
completing a SAQ C-VT for Card Not Present (CNP) processing, it is recommended
that they re-profile and go through the new Self-Assessment Questionnaire (SAQ)
and scan process.
9. If I have completed compliance with another processor, can that be carried over?
a. Yes, please email a PDF of your compliance from your other processor to
[email protected]. It will be reviewed to verify it is from a valid vendor and
meets our requirements, and if met, uploaded so that your status and renewal
dates are updated accordingly.
Helpful Definitions
PCI - Payment Card Industry
SAQ - Self-Assessment Questionnaire
NCF - Non-Compliance Fee
PCI DSS - Payment Card Industry Data Security Standards
Key Objectives of PCI DSS
● Protecting Cardholder Data
● Maintaining a Secure Network Environment
● Implementing Access Controls
● Regular Monitoring and Testing
● Information Security Policies
Why is it important?
It is required by the card networks (Mastercard, Visa, etc.) to securely accept credit cards and
affects anyone who transmits, stores, or makes use of cardholder data, including merchants,
service providers, financial institutions, and POS vendors.
The PCI Toolkit is designed to keep your customers’ information safe and secure with a simplified
online platform. It will help you review your individual requirements around PCI Compliance and
complete your specific questionnaire(s) to achieve Compliance certification.
As part of PCI Toolkit we also include breach insurance, an additional layer of protection
specifically for your business.
● Coverage of $100K per incident (specific to fees levied and the cost of the audit and
claims process)
○ Employee fraud is included
○ Coverage provided whether merchant is PCI Compliant or not
IMPORTANT
● Once enrolled, you will have 90 days to become compliant.
● PCI Non-Compliance Fees of $54.95 will be assessed each month if you are non-compliant.
● PCI Platform Fees of $10.00 will be assessed each month for participation in the program
once you are compliant.
Risks of Non-Compliance
● Damage to reputation
● Loss of customer trust / confidence
● Card fraud liability
● Significant chargeback risk
● Penalties, fines, and losses
● Lawsuits
● Inability to continue to process credit card payments