Payment Card Industry, Laws and Regulations, Privacy,VAT

Privacy Policy

policy that indicates what kind of information a website will take from you and what they intend to do with it

To whom does the PCI DSS apply

to ANY organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.

Do states have laws requiring data breach notifications to the affected parties?

Absolutely. California is the catalyst for reporting data breaches to affected parties. The state implemented its breach notification law in 2003, and now nearly every state has a similar law in place. As of April 12, 2017, NCSL.org reports: Forty-eight states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private, governmental or educational entities to notify individuals of security breaches of information involving personally identifiable information.

What is the definition of 'merchant'?

For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.

My company doesn't store credit card data so PCI compliance doesn't apply to us, right?

If you accept credit or debit cards as a form of payment, then PCI compliance applies to you. The storage of card data is risky, so if you don't store card data, then becoming secure and compliant may be easier

Do I need vulnerability scanning to validate compliance?

If you qualify for certain self-assessment Questionnaires (SAQs) or you electronically store cardholder data post authorization, then a quarterly scan by a PCI SSC Approved Scanning Vendor (ASV) is required to maintain compliance. If you qualify for any of the following SAQs under version 3.x of the PCI DSS, then you are required to have a passing ASV scan: SAQ A-EP SAQ B-IP SAQ C SAQ D-Merchant SAQ D-Service Provider Back to Top

My business has multiple locations, is each location required to validate PCI compliance?

If your business locations process under the same Tax ID, then typically you are only required to validate once annually for all locations. And, submit quarterly passing network scans by an PCI SSC Approved Scanning Vendor (ASV) for each location, if applicable.

Are debit card transactions in scope for PCI?

In-scope cards include any debit, credit, and pre-paid cards branded with one of the five card association/brand logos that participate in the PCI SSC - American Express, Discover, JCB, MasterCard, and Visa International.

What are the PCI compliance 'levels' and how are they determined

Merchant Level 1:processing over 6M Visa transactions per year Merchant Level 2:processing 1M to 6M Visa transactions per year Merchant Level 3:processing 20,000 to 1M Visa e-commerce transactions per year Merchant Level 4: processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.

My company wants to store credit card data. What methods can we use?

Most merchants that need to store credit card data are doing it for recurring billing. The best way to store credit card data for recurring billing is by utilizing a third party credit card vault and tokenization provider. By utilizing a vault, the card data is removed from your possession and you are given back a "token" that can be used for the purpose of recurring billing. By using a third party, you move the risk of storing card data to someone who specializes in doing that and has all of the security controls in place to keep the card data safe. If you need to store the card data yourself, your bar for self-assessment is very high and you may need to have a QSA (Qualified Security Assessor) come onsite and perform an audit to ensure that you have all of the controls in place necessary to meet the PCI DSS specifications. https://www.pcicomplianceguide.org/how-can-we-securely-store-credit-card-data-for-recurring-billing/

Am I PCI compliant if I have an SSL certificate?

No. SSL certificates do not secure a web server from malicious attacks or intrusions. High assurance SSL certificates provide the first tier of customer security and reassurance such as the below, but there are other steps to achieve PCI compliance. See Question "What does a small-to-medium sized business (Level 4 merchant) have to do in order to satisfy the PCI requirements?" A secure connection between the customer's browser and the web server Validation that the website operators are a legitimate, legally accountable organization

Can the full credit card number be printed on the consumer's copy of the receipt?

PCI DSS requirement 3.3 states "Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed)." While the requirement does not prohibit printing of the full card number or expiry date on receipts (either the merchant copy or the consumer copy), please note that PCI DSS does not override any other laws that legislate what can be printed on receipts (such as the U.S. Fair and Accurate Credit Transactions Act (FACTA) or any other applicable laws). See the italicized note under PCI DSS requirement 3.3 "Note: This requirement does not supersede stricter requirements in place for displays of cardholder data—for example, legal or payment card brand requirements for point-of-sale (POS) receipts. Any paper receipts stored by merchants must adhere to the PCI DSS, especially requirement 9 regarding physical security"

What if my business refuses to cooperate?

PCI is not, in itself, a law. The standard was created by the major card brands Visa, MasterCard, Discover, AMEX and JCB. At their acquirers'/service providers' discretion, merchants that do not comply with PCI DSS may be subject to fines, card replacement costs, costly forensic audits, brand damage, etc., should a breach event occur. For a little upfront effort and cost to comply with the PCI DSS, you greatly help reduce your risk from facing these extremely unpleasant and costly consequences.

What is PA-DSS

Payment Application Data Security Standard maintained by the PCI Security Standards Council (SSC) to address the critical issue of payment application security. The requirements within the PA-DSS are designed to ensure that vendors provide products which support merchants' efforts to maintain PCI DSS compliance and eliminate the storage of sensitive cardholder data. The PCI SSC administers the program to validate payment applications' compliance against the PA-DSS, and publishes and maintains a list of PA-DSS validated applications https://www.pcisecuritystandards.org/pci_security/

What is a payment gateway?

Payment gateways connect a merchant to the bank or processor that is acting as the front-end connection to the card brands. They are called gateways because they take many inputs from a variety of different applications and route those inputs to the appropriate bank or processor. Gateways communicate with the bank or processor using dial-up connections, web-based connections or privately held leased lines

At the most basic level, an accessible website would have these (and other) accessible elements:

Provides text alternatives for any non-text content; Provides alternatives for time-based media; Includes content that can be presented in different ways without losing information or structure; Is easy to see and hear, including separating foreground from background; Permits all functionality from a keyboard if needed (as opposed to a cursor); Permits sufficient time to read and use content; Is not designed in a way that is known to cause seizures; Includes ways to help users navigate, find content, and determine where they are; Includes text content that is readable and understandable; Operates and appears in predictable ways; Helps users avoid and correct mistakes; and Is compatible with current and future user agents, including assistive web technologies.

What constitutes a Service Provider?

The PCI SSC defines a Service Provider this way: "Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data." (Source: www.pcisecuritystandards.org) The "merchant as a service provider" role is further specified by the PCI SSC as "a merchant that accepts payment cards as payment for goods and/or services...if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers." https://www.controlscan.com/compliance/service-providers/?utm_source=pcicomplianceguide.org&utm_medium=referral&utm_campaign=pcicg-faqs&webSyncID=99058807-2b05-b961-5b33-51e61811e876&sessionGUID=7562b34e-6b55-bdd1-e5c5-75e0833ad41e https://www.pcicomplianceguide.org/pci-compliance-and-the-service-provider/

What is defined as 'cardholder data'?

The PCI Security Standards Council (SSC) defines 'cardholder data' as the full Primary Account Number (PAN) or the full PAN along with any of the following elements: Cardholder name Expiration date Service code Sensitive Authentication Data, which must also be protected, includes full magnetic stripe data, CAV2, CVC2, CVV2, CID, PINs, PIN blocks and more.

10% Value Added Tax process

The manufacturer spends ($1 x 1.10) = $1.10 for the raw materials, and the seller of the raw materials pays the government $0.10. The manufacturer charges the retailer ($1.20 x 1.10) = $1.32 and pays the government ($0.12 minus $0.10) = $0.02, leaving the same gross margin of ($1.32 - $1.10 - $0.02) = $0.20. The retailer charges the consumer ($1.50 x 1.10) = $1.65 and pays the government ($0.15 minus $0.12) = $0.03, leaving the same gross margin of ($1.65 - $1.32 - $0.03) = $0.30. The manufacturer and retailer realize less gross margin from a percentage perspective. If the cost of raw material production were shown, this would also be true of the raw material supplier's gross margin on a percentage basis. Note that the taxes paid by both the manufacturer and the retailer to the government are 10% of the values added by their respective business practices (e.g. the value added by the manufacturer is $1.20 minus $1.00, thus the tax payable by the manufacturer is ($1.20 - $1.00) × 10% = $0.02).

What are the penalties for non-compliance?

The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine along until it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business. It is important to be familiar with your merchant account agreement, which should outline your exposure. https://www.pcicomplianceguide.org/how-can-your-pci-compliance-efforts-ultimately-save-your-business-money/

What constitutes a payment application?

The term payment application has a very broad meaning in PCI. A payment application is anything that stores, processes, or transmits card data electronically. This means that anything from a Point of Sale system (e.g., Verifone swipe terminals, ALOHA terminals, etc.) in a restaurant to a Website e-commerce shopping cart (e.g., CreLoaded, osCommerce, etc) are all classified as payment applications. Therefore any piece of software that has been designed to touch credit card data is considered a payment application.

We only do e-commerce. Which SAQ should we use?

This webpage will show the choices based on how the checkout is set up https://www.pcicomplianceguide.org/pci-saq-3-1-e-commerce-options-explained/

What does a small-to-medium sized business (Level 4 merchant) have to do in order to satisfy the PCI DSS requirements?

To satisfy the requirements of PCI, a merchant must complete the following steps: Determine which self-assessment Questionnaire (SAQ) your business should use to validate compliance. See the chart below to help you select. Complete the self-assessment Questionnaire according to the instructions it contains. Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV). Note scanning does not apply to all merchants. It is required for SAQ A-EP, SAQ B-IP, SAQ C, SAQ D-Merchant and SAQ D-Service Provider. Complete the relevant Attestation of compliance in its entirety (located in the SAQ tool). Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of compliance, along with any other requested documentation, to your acquirer.

What should I do if I'm compromised?

While many payment card data breaches are easily preventable, they can and do still happen to businesses of all sizes. If your small- or mid-sized business has discovered it's been breached, there are many good resources to help you with next steps. We recommend the following: Department of Justice, Best Practices for Victim Response and Reporting of Cyber Incidents PCI Council, Responding to a Data Breach - A How-to Guide for Incident Management Electronic Transactions Association (ETA), Data Breach Response: A Nine-Step Guide for Smaller Merchants

If I only accept credit cards over the phone, does PCI DSS still apply

Yes. All business that store, process or transmit payment cardholder data must be PCI Compliant.

If I'm running a business from my home, am I a serious target for hackers?

Yes. Home users are arguably the most vulnerable simply because they are usually not well protected. Adopting a 'path of least resistance' model, intruders will often zero—in on home users—often exploiting their always-on broadband connections and typical home use programs such as chat, Internet games and P2P file sharing applications. ControlScan's scanning service allows home users and network administrators alike to identify and fix any security vulnerabilities on their desktop or laptop computers.

Do organizations using third-party processors have to be PCI DSS compliant?

Yes. Merely using a third-party company does not exclude a company from PCI DSS compliance. It may cut down on their risk exposure and consequently reduce the effort to validate compliance. However, it does not mean they can ignore the PCI DSS

Payment Card Industry Data Security Standard

a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment

The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org)

an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB.). It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI council