Let us start by clearly stating: we do not charge a monthly or annual PCI compliance fee. We are seeing a trend where processors charge customers various rates, such as $25 per month or $95 per year. We have personally seen merchants' statements where these charges are clearly outlined. Most often, the merchant doesn't know what they are getting for that charge. Frankly, we don't either. One merchant we visited with two weeks ago had a $95 annual fee. When he called to inquire about it, they simply told him it was mandatory.
Every merchant must comply with the Payment Card Industry (PCI) Data Security Standard (DSS). There are 12 elements in PCI DSS requirements, which are listed in the table immediately below.
There are five Self-Assessment Questionnaire (SAQ) categories. They are noted in the second table below. Download the SAQ to the immediate right of the Description. If you are unsure how to fill this out, please call us or your processor.
If you have any questions, please call us at 877.577.3779 or in DFW 817.237.3827.
PCI Data Security Standard (DSS)
The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS.
PIN Entry Device (PED) Security Requirements
PCI PED applies to manufacturers who specify and implement device characteristics and management for personal identification number (PIN) entry terminals used for payment card financial transactions. Merchants should use only PIN entry devices that are tested and approved by the PCI SSC. Authorized devices are listed at: www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html
Payment Application Data Security Standard (PA-DSS)
The PA-DSS is for software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement when these applications are sold, distributed or licensed to third parties. Most card brands encourage merchants to use payment applications that are tested and approved by the PCI SSC. Validated applications are listed at: www.pcisecuritystandards.org/security_standards/pa_dss.shtml
The PCI DSS version 1.2 is the global data security standard adopted by the card brands for all organizations that process, store or transmit cardholder data. It consists of common sense steps that mirror best security practices.
| Requirement | PCI DSS Requirements |
|---|---|
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data. |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters. |
| Protect Cardholder Data | 3. Protect stored cardholder data. |
| | 4. Encrypt transmission of cardholder data across open, public networks. |
| Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software or programs. |
| | 6. Develop and maintain secure systems and applications. |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know. |
| | 8. Assign a unique ID to each person with computer access. |
| | 9. Restrict physical access to cardholder data. |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data. |
| | 11. Regularly test security systems and processes. |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for employees and contractors. |
According to payment brand rules, all merchants and their service providers are required to comply with the PCI Data Security Standard in its entirety. There are five SAQ Validation categories, shown briefly in the table below and described in more detail in the following paragraphs. Use the table to gauge the SAQ that applies to your organization, then review the detailed descriptions to ensure you meet all the requirements for that SAQ.
| SAQ Validation Type | Description | SAQ v1.2 |
|---|---|---|
| 1 | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. | SAQ A |
| 2 | Imprint-only merchants with no electronic cardholder data storage. | SAQ B |
| 3 | Stand-alone terminal merchants, no electronic cardholder data storage. | SAQ B |
| 4 | Merchants with POS systems connected to the Internet, no electronic cardholder data storage. | SAQ C |
| 5 | All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ. | SAQ D |
Tools for Assessing Compliance with PCI DSS
The PCI SSC sets the PCI DSS standard, but each card brand has its own program for compliance, validation levels and enforcement. More information about compliance can be found at these links:
- American Express Data Security
- Discover Financial Services
- JCB International
- MasterCard Worldwide
- Visa Inc
Web Resources
PCI Security Standards Council Web site – www.pcisecuritystandards.org
Frequently Asked Questions (FAQ) – www.pcisecuritystandards.org/faq.htm
Webinars – www.pcisecuritystandards.org/news_events/events.shtml
PIN Entry Devices: www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html
Payment Applications: www.pcisecuritystandards.org/security_standards/pa_dss.shtml
PCI Data Security Standard version 1.2 (PCI DSS)
The Standard: www.pcisecuritystandards.org/tech/download_the_pci_dss.htm
Supporting Documents: www.pcisecuritystandards.org/security_standards/pci_dss_supporting_docs.shtml
Approved Assessors and Scanning Vendors: www.pcisecuritystandards.org/about/resources.shtml
Navigating the Standard: www.pcisecuritystandards.org/security_standards/pci_dss_supporting_docs.shtml
Self-Assessment Questionnaire: www.pcisecuritystandards.org/saq/index.shtml
Glossary: www.pcisecuritystandards.org/security_standards/pci_dss_supporting_docs.shtml
Approved QSAs: www.pcisecuritystandards.org/qsa_asv/find_one.shtml
Approved ASVs: www.pcisecuritystandards.org/qsa_asv/find_one.shtml
PCI Security Standards has created a very informative brochure for download.