Payment Card Industry Data Security Standards (PCI DSS) FAQs

• Do I need to do anything to become registered?

  No. As a valued merchant customer, you are automatically registered in the PCI DSS Program with our third-party PCI compliance administrator, Security Metrics^®. You still need to become PCI DSS compliant. You can open an account with SecurityMetrics, and complete compliance requirements online.

• Do all processors provide the type of PCI benefits that you provide?

  Not necessarily. Other processors may mandate compliance, charge a high fee and provide little or no support. Some may even require you to seek compliance on your own. It‘s important to work with a processor that provides a source to ensure you meet all PCI DSS requirements to help protect you and your customers’ data.

• How much does the PCI DSS Program cost?

  The cost for all of the PCI DSS Program benefits is only $90 per account, per year, regardless of the size of your business. Most credit card processors are charging much more for little or no additional protection.

• What if I was previously enrolled in the PCI DSS Program through SecurityMetrics?

  Contact SecurityMetrics to update your annual compliance certificate prior to your anniversary expiration date. SecurityMetrics will send you reminders prior to expiration.

• What is PCI DSS?

  PCI DSS stands for Payment Card Industry Data Security Standards (PCI DSS). PCI DSS is a set of rules established by the PCI Security Standards Council and enforced by the credit card associations (Visa®, Mastercard®, Discover®, etc.) to help avoid breaches and protect consumers from compromises of personal data and credit card numbers.

• Why do I need to be PCI DSS compliant?

  It is a requirement of the credit card associations (Visa, Mastercard, Discover, etc.) of all processors and businesses that accept credit cards. It is an effort to protect you and your customers’ sensitive data.

• Why is PCI DSS compliance so important?

  Data breaches are costing credit card associations billions of dollars a year, which affects your rates. Credit card association and regulatory fines are costly. PCI compliance is a continuous process requiring diligent attention.

• What happens when a compromise is suspected?

  If a breach is suspected, the card associations may require an independent PCI DSS certified forensics security examiner to inspect merchant business security practices. This examination is performed at your expense and may take several days or weeks.

• What happens during an inspection?

  Security policies are thoroughly reviewed and evaluated. Phone lines, computers, modems, routers, servers, workstations, firewalls, software and virus protection are thoroughly inspected. Network service and IP connections are manually tested for security weaknesses.

• Can I call someone to get started?

  Absolutely. If you'd like to talk to someone, please call 1-800-437-0712 and choose Option 8. A SecurityMetrics representative will guide you on the steps you need to take to become PCI DSS compliant.

• What is a data breach and how does it happen?

  Millions of electronic credit card records are stolen every year and nearly all data losses are the result of hackers finding and exploiting relatively well-known and understood weaknesses (vulnerabilities) in websites, servers or networks. Breaches can also be the result of human error, e.g., lost laptops, inadvertent posting of data online, misplaced data, etc.

• Don't breaches affect only larger businesses?

  No. In fact, hackers and thieves know larger business typically have more resources to spend on data security systems, so they are more likely to target smaller merchants.

• Do all merchant processors require PCI DSS compliance?

  Yes, the credit card associations require processing companies and their customers to be PCI DSS compliant.

• What if I've verified compliance with an assessor other than SecurityMetrics?

  You will still be automatically registered and billed once a year. Even if you are compliant with another vendor, you need to be compliant with SecurityMetrics to avoid a monthly noncompliance fee. As a result, you may choose to cancel services with your other PCI provider.

• What if I've previously sent you a questionnaire that was found online?

  Online questionnaires are no longer acceptable. For your protection, we require that a Qualified Security Assessor (QSA) verify your compliance with PCI DSS standards and certify that you have performed the appropriate self-assessment questionnaire. SecurityMetrics provides you with a source to do so.