SlideShare a Scribd company logo

PCI FAQs and Myths

B
BluePayProcessing

Learn about the importance of PCI compliance.

Business
1 of 14
Download to read offline
PCI FAQS AND MYTHS Presented by BluePay
When your business — no matter its size — began accepting credit card payments, it immediately became a potential target for data thieves. Much more is at risk than your customers’ sensitive information, however. If you aren’t employing the best industry practices to protect that data, your business could face fines, lose the ability to accept credit and debit card payments, and jeopardize its credibility. To help protect consumers’ credit card information from data thieves, the Payment Card Industry Security Standards Council created data security standards that businesses must follow to be in compliance. The cost of noncompliance can be staggering. The bank that processes your payments could be fined $5,000 to $100,000 per month by the credit card companies — amounts likely to be passed along to you — until the business is following the requirements. Your bank also could raise the fees it charges to process your business’s transactions, or stop handling them altogether. (Check your account agreement with the bank.) Your business also might have to cover the cost if the bank has to issue new cards to customers whose data has been compromised — and who could become former customers if there has been a data breach. Finally, your business also may be liable for losses due to fraud and other financial losses. THE IMPORTANCE OF PCI COMPLIANCE PCI FAQS AND MYTHS BLUEPAY | 2
TABLE OF CONTENTS FAQ 1: What are the PCI compliance levels and how are they determined? 4 FAQ 2: My business has multiple locations; is each location required to validate PCI compliance? 5 FAQ 3: Am I PCI compliant if I have an SSL certificate? 6 FAQ 4: What is a vulnerability scan? 7 FAQ 5: Are debit card transactions in scope for PCI? 8 MYTH 1: I’m a small merchant who takes only a handful of cards, so I don’t need PCI. 9 MYTH 2: PCI applies only to e-commerce companies. 10 MYTH 3: I can wait until my business grows. 11 MYTH 4: Outsourcing card processing makes us compliant. 12 MYTH 5: PCI compliance is an IT project. 13 PCI FAQS AND MYTHS BLUEPAY | 3
FAQ 1: WHAT ARE THE PCI COMPLIANCE LEVELS AND HOW ARE THEY DETERMINED? There are four levels of PCI compliance as determined by Visa and Mastercard. These levels are based on the transaction volume (including credit, debit and prepaid) over a 12-month period. Merchants that have been affected by a security breach that resulted in compromised card data may be escalated to the next level. Merchant Level Description LEVEL 1: Any merchant processing more than $6 million Visa and/or Mastercard transactions per year. LEVEL 2: Any merchant processing $1 million to $6 million Visa and/or Mastercard transactions per year. LEVEL 3: Any merchant processing $20,000 to $1 million Visa and/or Mastercard e-commerce transactions per year. LEVEL 4: Any merchant processing less than $20,000 Visa and/or Mastercard e-commerce transactions per year, and all other merchants processing up to $1 million Visa and/or Mastercard transactions per year. PCI FAQS AND MYTHS BLUEPAY | 4
FAQ 2: MY BUSINESS HAS MULTIPLE LOCATIONS; IS EACH LOCATION REQUIRED TO VALIDATE PCI COMPLIANCE? Best practices would be to certify each merchant ID (MID) number individually. Some businesses choose to certify by multiple MID numbers under one entity. However, if multiple locations are certified under one entity and a compromise were to occur, all MID numbers are subject to forensic investigation (versus only the identified MID). PCI FAQS AND MYTHS BLUEPAY | 5
FAQ 3: AM I PCI COMPLIANT IF I HAVE AN SSL CERTIFICATE? As of June 30, 2018, the Payment Card Industry Security Standards Council issued a mandatory security upgrade to disable SSL and early versions of TLS and update systems to TLS 1.2. SSL is no longer allowed for PCI compliance and should be considered permanently broken, from a security perspective. Used widely online, TLS is a cryptopgraphic protocol used to establish a secure communication channel between two systems. Updating to TLS 1.2 is just one piece of the puzzle to becoming PCI compliant. PCI FAQS AND MYTHS BLUEPAY | 6
A vulnerability scan is an automated tool that conducts a nonintrusive scan of a merchant or service provider’s system to remotely review networks and Web applications based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider. The scan pinpoints vulnerabilities in operating systems, services and devices that could be used by hackers to target the company’s private network. Approved Scanning Vendors (ASVs) do not require the merchant or service provider to install any software on their systems, and no denial-of-service attacks will be performed. The terms ASV and QSA (Qualified Security Assessor) may seem interchangeable, but they are really two separate entities. While the ASV scans websites hosting or processing PCI data, a QSA is a company or an employee of the QSA company that audits PCI environments. FAQ 4: WHAT IS A VULNERABILITY SCAN? PCI FAQS AND MYTHS BLUEPAY | 7
Any debit, credit and prepaid cards branded with one of the five card association/brand logos that participate in the PCI SSC — American Express, Discover, JCB International, Mastercard and Visa — are within scope. FAQ 5: ARE DEBIT CARD TRANSACTIONS IN SCOPE FOR PCI? PCI FAQS AND MYTHS BLUEPAY | 8
Merchants are divided into four categories based on the number of card transactions handled in a 12-month period, but all must meet PCI requirements, regardless of their size-level designation. Smaller merchants do face fewer validation requirements, however. For a Level 4 merchant (processing fewer than $20,000 in e-commerce transactions or up to $1 million in transactions overall), an annual self-assessment questionnaire is recommended and a network scan by an approved vendor is to be performed quarterly if applicable, but the requirements of the bank handling the merchant’s transactions still must be met for the business to be in compliance. MYTH 1: I’M A SMALL MERCHANT WHO TAKES ONLY A HANDFUL OF CARDS, SO I DON’T NEED PCI. PCI FAQS AND MYTHS BLUEPAY | 9
MYTH 2: PCI APPLIES ONLY TO E-COMMERCE COMPANIES. Whether your business handles one transaction or hundreds of credit/debit card purchases per day, it is subject to the PCI Data Security Standards, regardless of whether the transactions are electronic, in person or by phone. The requirements apply to your business if any customer ever pays you directly using a debit or credit card. PCI FAQS AND MYTHS BLUEPAY | 10
MYTH 3: I CAN WAIT UNTIL MY BUSINESS GROWS. As previously noted, a business of any size that processes a credit or debit card transaction is subject to PCI compliance. If you think your business is too small to attract a hacker, consider this: In Ponemon Institute’s annual State of Cybersecurity in Small and Medium-Sized Businesses (SMB) report, 61 percent of the businesses surveyed experienced a cyber attack in 2017. Additionally, 54 percent reported a data breach involving sensitive customer and employee information. Due to these incidents, these companies spent an average of $1,027,053 because of damage or theft of assets. In addition, disruption to normal business operations cost an average of $1,207,965. Source: https://csrps.com/Media/Default/2017%20Reports/2017-Ponemon-State-of-Cybersecurity-in-Small-and-Medium-Sized- Businesses-SMB.pdf PCI FAQS AND MYTHS BLUEPAY | 11
Relying on an outside vendor does not ensure that your business is PCI compliant. Outsourcing could reduce your risk and make it easier to prove that your business is compliant, but much like with paying your taxes to the IRS, relying on an external “expert” does not relieve your accountability. MYTH 4: OUTSOURCING CARD PROCESSING MAKES US COMPLIANT. PCI FAQS AND MYTHS BLUEPAY | 12
Any temptation to shift the entire burden of PCI compliance onto the IT staff could prove costly. While IT can set up, run and test programs, compliance is an ongoing task. Rules change and regular assessments are needed, and with so much at stake from financial and reputation standpoints, your entire organization is affected. MYTH 5: PCI COMPLIANCE IS AN IT PROJECT. PCI FAQS AND MYTHS BLUEPAY | 13
BluePay, Naperville, IL (Note: BluePay has multiple offices nationwide and in Canada; corporate headquarters is in Naperville) www.bluepay.com 866-444-6216 (sales, toll free) 866-739-8324 (U.S. merchant, toll free) BluePay, a First Data company, is a leading provider of technology-enabled payment processing for merchants in the United States and Canada. Through physical POS, online, and mobile interfaces, as well as CRM and ERP software integrations, BluePay processes business-to-consumer and business-to-business payments while providing real-time settlement, reporting, and reconciliation, along with robust security features such as tokenization and point-to-point encryption. BluePay is headquartered in Illinois, with offices in Maryland, Mississippi, New York, and Toronto, Canada. THIS PRESENTATION IS BROUGHT TO YOU BY BLUEPAY.

Recommended

PCI FAQs and Myths - BluePay
PCI FAQs and Myths - BluePayPCI FAQs and Myths - BluePay
PCI FAQs and Myths - BluePayBluePayProcessing
 
How to Start Payment Gateway Business in India
How to Start Payment Gateway Business in IndiaHow to Start Payment Gateway Business in India
How to Start Payment Gateway Business in IndiaMyOnlineCA.in
 
Why the Right Merchant Account is Vital to Business Growth
Why the Right Merchant Account is Vital to Business GrowthWhy the Right Merchant Account is Vital to Business Growth
Why the Right Merchant Account is Vital to Business GrowthInsideUp
 
Everything You Need to Know About Taking Plastic
Everything You Need to Know About Taking PlasticEverything You Need to Know About Taking Plastic
Everything You Need to Know About Taking PlasticBusiness.com
 
MTBiz May-June 2019
MTBiz May-June 2019 MTBiz May-June 2019
MTBiz May-June 2019 Mutual Trust Bank Ltd.
 
[Slideshare] Evolution of B2B Payments
[Slideshare] Evolution of B2B Payments[Slideshare] Evolution of B2B Payments
[Slideshare] Evolution of B2B PaymentsAvidXchangeAutomation
 
Small_Merchant_Guide_to_Safe_Payments
Small_Merchant_Guide_to_Safe_PaymentsSmall_Merchant_Guide_to_Safe_Payments
Small_Merchant_Guide_to_Safe_PaymentsSteve Abrams
 
Deloitte B2B Payments 2015 Report
Deloitte B2B Payments 2015 ReportDeloitte B2B Payments 2015 Report
Deloitte B2B Payments 2015 ReportRichard Miller
 

Recommended

PCI FAQs and Myths - BluePay
PCI FAQs and Myths - BluePayPCI FAQs and Myths - BluePay
PCI FAQs and Myths - BluePayBluePayProcessing
 
How to Start Payment Gateway Business in India
How to Start Payment Gateway Business in IndiaHow to Start Payment Gateway Business in India
How to Start Payment Gateway Business in IndiaMyOnlineCA.in
 
Why the Right Merchant Account is Vital to Business Growth
Why the Right Merchant Account is Vital to Business GrowthWhy the Right Merchant Account is Vital to Business Growth
Why the Right Merchant Account is Vital to Business GrowthInsideUp
 
Everything You Need to Know About Taking Plastic
Everything You Need to Know About Taking PlasticEverything You Need to Know About Taking Plastic
Everything You Need to Know About Taking PlasticBusiness.com
 
MTBiz May-June 2019
MTBiz May-June 2019 MTBiz May-June 2019
MTBiz May-June 2019 Mutual Trust Bank Ltd.
 
[Slideshare] Evolution of B2B Payments
[Slideshare] Evolution of B2B Payments[Slideshare] Evolution of B2B Payments
[Slideshare] Evolution of B2B PaymentsAvidXchangeAutomation
 
Small_Merchant_Guide_to_Safe_Payments
Small_Merchant_Guide_to_Safe_PaymentsSmall_Merchant_Guide_to_Safe_Payments
Small_Merchant_Guide_to_Safe_PaymentsSteve Abrams
 
Deloitte B2B Payments 2015 Report
Deloitte B2B Payments 2015 ReportDeloitte B2B Payments 2015 Report
Deloitte B2B Payments 2015 ReportRichard Miller
 
MensWearhouse_3728
MensWearhouse_3728MensWearhouse_3728
MensWearhouse_3728Bradley Jones
 
Economic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds DissectedEconomic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds Dissectedamiable_indian
 
Payment card industry data security standard 1
Payment card industry data security standard 1Payment card industry data security standard 1
Payment card industry data security standard 1wardell henley
 
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantMelanie Beam
 
PCI Compliance - How To Keep Your Business Safe From Credit Card Criminals
PCI Compliance - How To Keep Your Business Safe From Credit Card CriminalsPCI Compliance - How To Keep Your Business Safe From Credit Card Criminals
PCI Compliance - How To Keep Your Business Safe From Credit Card CriminalsFit Small Business
 
Business Identity Theft
Business Identity TheftBusiness Identity Theft
Business Identity Theft- Mark - Fullbright
 
Everything You Need to Know About Virtual Credit Cards
Everything You Need to Know About Virtual Credit CardsEverything You Need to Know About Virtual Credit Cards
Everything You Need to Know About Virtual Credit CardsRon Griswold
 
Payment Gateway
Payment GatewayPayment Gateway
Payment GatewayNyros Technologies
 
Factors to Consider While Choosing a Payment Gateway Provider
Factors to Consider While Choosing a Payment Gateway ProviderFactors to Consider While Choosing a Payment Gateway Provider
Factors to Consider While Choosing a Payment Gateway ProviderAlaina Carter
 
Ronghan Group how we works
Ronghan Group how we worksRonghan Group how we works
Ronghan Group how we worksRonghan Group
 
Navigating Payment Processing | Jay Wigdore
Navigating Payment Processing | Jay Wigdore Navigating Payment Processing | Jay Wigdore
Navigating Payment Processing | Jay WigdoreJayWigdore
 
Age Verificationn in the Alcohol industry
Age Verificationn in the Alcohol industry Age Verificationn in the Alcohol industry
Age Verificationn in the Alcohol industry BrandonRuse1
 
Payment Gateway Integration: Growth Strategy for SAAS
Payment Gateway Integration: Growth Strategy for SAASPayment Gateway Integration: Growth Strategy for SAAS
Payment Gateway Integration: Growth Strategy for SAASWayne Akey
 
Introduction to B2B Electronic Payments
Introduction to B2B Electronic PaymentsIntroduction to B2B Electronic Payments
Introduction to B2B Electronic PaymentsGriffin McGahey
 
Mobile payment solutions pp.
Mobile payment solutions pp. Mobile payment solutions pp.
Mobile payment solutions pp. Gary Diego
 
Payment Gateways in Kuwait - 2014 Update
Payment Gateways in Kuwait - 2014 UpdatePayment Gateways in Kuwait - 2014 Update
Payment Gateways in Kuwait - 2014 UpdateBurhan Khalid
 
Fintech - MSME lending score card template for flow based lending
Fintech - MSME lending score card template for flow based lendingFintech - MSME lending score card template for flow based lending
Fintech - MSME lending score card template for flow based lendingFreelancer -Fintech and Blockchain consultant
 
Money Laundering in the Art, Collectibles, and Luxury Goods Industry
Money Laundering in the Art, Collectibles, and Luxury Goods IndustryMoney Laundering in the Art, Collectibles, and Luxury Goods Industry
Money Laundering in the Art, Collectibles, and Luxury Goods IndustryBrandonRuse1
 
Virtual Credit Cards
Virtual Credit Cards Virtual Credit Cards
Virtual Credit Cards OnPay Solutions
 
Payment Gateway History: An interview with the Inventor
Payment Gateway History: An interview with the InventorPayment Gateway History: An interview with the Inventor
Payment Gateway History: An interview with the InventorWayne Akey
 
Pci compliance
Pci compliancePci compliance
Pci compliancepcihghg23
 
PCI Compliance Process
PCI Compliance ProcessPCI Compliance Process
PCI Compliance ProcessBluePayProcessing
 

More Related Content

What's hot

Economic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds DissectedEconomic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds Dissectedamiable_indian
 
Payment card industry data security standard 1
Payment card industry data security standard 1Payment card industry data security standard 1
Payment card industry data security standard 1wardell henley
 
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantMelanie Beam
 
PCI Compliance - How To Keep Your Business Safe From Credit Card Criminals
PCI Compliance - How To Keep Your Business Safe From Credit Card CriminalsPCI Compliance - How To Keep Your Business Safe From Credit Card Criminals
PCI Compliance - How To Keep Your Business Safe From Credit Card CriminalsFit Small Business
 
Everything You Need to Know About Virtual Credit Cards
Everything You Need to Know About Virtual Credit CardsEverything You Need to Know About Virtual Credit Cards
Everything You Need to Know About Virtual Credit CardsRon Griswold
 
Factors to Consider While Choosing a Payment Gateway Provider
Factors to Consider While Choosing a Payment Gateway ProviderFactors to Consider While Choosing a Payment Gateway Provider
Factors to Consider While Choosing a Payment Gateway ProviderAlaina Carter
 
Ronghan Group how we works
Ronghan Group how we worksRonghan Group how we works
Ronghan Group how we worksRonghan Group
 
Navigating Payment Processing | Jay Wigdore
Navigating Payment Processing | Jay Wigdore Navigating Payment Processing | Jay Wigdore
Navigating Payment Processing | Jay WigdoreJayWigdore
 
Age Verificationn in the Alcohol industry
Age Verificationn in the Alcohol industry Age Verificationn in the Alcohol industry
Age Verificationn in the Alcohol industry BrandonRuse1
 
Payment Gateway Integration: Growth Strategy for SAAS
Payment Gateway Integration: Growth Strategy for SAASPayment Gateway Integration: Growth Strategy for SAAS
Payment Gateway Integration: Growth Strategy for SAASWayne Akey
 
Introduction to B2B Electronic Payments
Introduction to B2B Electronic PaymentsIntroduction to B2B Electronic Payments
Introduction to B2B Electronic PaymentsGriffin McGahey
 
Mobile payment solutions pp.
Mobile payment solutions pp. Mobile payment solutions pp.
Mobile payment solutions pp. Gary Diego
 
Payment Gateways in Kuwait - 2014 Update
Payment Gateways in Kuwait - 2014 UpdatePayment Gateways in Kuwait - 2014 Update
Payment Gateways in Kuwait - 2014 UpdateBurhan Khalid
 
Money Laundering in the Art, Collectibles, and Luxury Goods Industry
Money Laundering in the Art, Collectibles, and Luxury Goods IndustryMoney Laundering in the Art, Collectibles, and Luxury Goods Industry
Money Laundering in the Art, Collectibles, and Luxury Goods IndustryBrandonRuse1
 
Payment Gateway History: An interview with the Inventor
Payment Gateway History: An interview with the InventorPayment Gateway History: An interview with the Inventor
Payment Gateway History: An interview with the InventorWayne Akey
 

What's hot (20)

MensWearhouse_3728
MensWearhouse_3728MensWearhouse_3728
MensWearhouse_3728
 
Economic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds DissectedEconomic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds Dissected
 
Payment card industry data security standard 1
Payment card industry data security standard 1Payment card industry data security standard 1
Payment card industry data security standard 1
 
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
 
PCI Compliance - How To Keep Your Business Safe From Credit Card Criminals
PCI Compliance - How To Keep Your Business Safe From Credit Card CriminalsPCI Compliance - How To Keep Your Business Safe From Credit Card Criminals
PCI Compliance - How To Keep Your Business Safe From Credit Card Criminals
 
Business Identity Theft
Business Identity TheftBusiness Identity Theft
Business Identity Theft
 
Everything You Need to Know About Virtual Credit Cards
Everything You Need to Know About Virtual Credit CardsEverything You Need to Know About Virtual Credit Cards
Everything You Need to Know About Virtual Credit Cards
 
Payment Gateway
Payment GatewayPayment Gateway
Payment Gateway
 
Factors to Consider While Choosing a Payment Gateway Provider
Factors to Consider While Choosing a Payment Gateway ProviderFactors to Consider While Choosing a Payment Gateway Provider
Factors to Consider While Choosing a Payment Gateway Provider
 
Ronghan Group how we works
Ronghan Group how we worksRonghan Group how we works
Ronghan Group how we works
 
Navigating Payment Processing | Jay Wigdore
Navigating Payment Processing | Jay Wigdore Navigating Payment Processing | Jay Wigdore
Navigating Payment Processing | Jay Wigdore
 
Age Verificationn in the Alcohol industry
Age Verificationn in the Alcohol industry Age Verificationn in the Alcohol industry
Age Verificationn in the Alcohol industry
 
Payment Gateway Integration: Growth Strategy for SAAS
Payment Gateway Integration: Growth Strategy for SAASPayment Gateway Integration: Growth Strategy for SAAS
Payment Gateway Integration: Growth Strategy for SAAS
 
Introduction to B2B Electronic Payments
Introduction to B2B Electronic PaymentsIntroduction to B2B Electronic Payments
Introduction to B2B Electronic Payments
 
Mobile payment solutions pp.
Mobile payment solutions pp. Mobile payment solutions pp.
Mobile payment solutions pp.
 
Payment Gateways in Kuwait - 2014 Update
Payment Gateways in Kuwait - 2014 UpdatePayment Gateways in Kuwait - 2014 Update
Payment Gateways in Kuwait - 2014 Update
 
Fintech - MSME lending score card template for flow based lending
Fintech - MSME lending score card template for flow based lendingFintech - MSME lending score card template for flow based lending
Fintech - MSME lending score card template for flow based lending
 
Money Laundering in the Art, Collectibles, and Luxury Goods Industry
Money Laundering in the Art, Collectibles, and Luxury Goods IndustryMoney Laundering in the Art, Collectibles, and Luxury Goods Industry
Money Laundering in the Art, Collectibles, and Luxury Goods Industry
 
Virtual Credit Cards
Virtual Credit Cards Virtual Credit Cards
Virtual Credit Cards
 
Payment Gateway History: An interview with the Inventor
Payment Gateway History: An interview with the InventorPayment Gateway History: An interview with the Inventor
Payment Gateway History: An interview with the Inventor
 

Similar to PCI FAQs and Myths

Pci compliance
Pci compliancePci compliance
Pci compliancepcihghg23
 
PCI Compliance for Payment Security
PCI Compliance for Payment SecurityPCI Compliance for Payment Security
PCI Compliance for Payment SecurityPaymentAsia
 
eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Merchants
 
PCI_Presentation_OASIS
PCI_Presentation_OASISPCI_Presentation_OASIS
PCI_Presentation_OASISDermot Clarke
 
When does a company need to be PCI compliant
When does a company need to be PCI compliantWhen does a company need to be PCI compliant
When does a company need to be PCI compliantDivya Kothari
 
Introduction To SAQ 4 U
Introduction To SAQ 4 UIntroduction To SAQ 4 U
Introduction To SAQ 4 URAlcala65
 
How Credit Card Processing Works
How Credit Card Processing WorksHow Credit Card Processing Works
How Credit Card Processing WorksBusiness.com
 
Merchant Services Audit 03 2011
Merchant Services Audit 03 2011Merchant Services Audit 03 2011
Merchant Services Audit 03 2011carolta555
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperShaun O'keeffe
 
Symbiotic Consulting Group LLC - PCI Compliance Overview
Symbiotic Consulting Group LLC - PCI Compliance OverviewSymbiotic Consulting Group LLC - PCI Compliance Overview
Symbiotic Consulting Group LLC - PCI Compliance OverviewRosy Kaur
 
Online_Transactions_PCI
Online_Transactions_PCIOnline_Transactions_PCI
Online_Transactions_PCIKelly Lam
 
PCI compliance and fraud prevention for non profits
PCI compliance and fraud prevention for non profitsPCI compliance and fraud prevention for non profits
PCI compliance and fraud prevention for non profitsNetSquared Vancouver
 
PCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should carePCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should careSean D. Goodwin
 
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...Stephanie Gutowski
 

Similar to PCI FAQs and Myths (20)

Pci compliance
Pci compliancePci compliance
Pci compliance
 
PCI Compliance Process
PCI Compliance ProcessPCI Compliance Process
PCI Compliance Process
 
PCI Compliance for Payment Security
PCI Compliance for Payment SecurityPCI Compliance for Payment Security
PCI Compliance for Payment Security
 
eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain Media
 
PCI compliance
PCI compliancePCI compliance
PCI compliance
 
Evolution Pci For Pod1
Evolution Pci For Pod1Evolution Pci For Pod1
Evolution Pci For Pod1
 
PCI_Presentation_OASIS
PCI_Presentation_OASISPCI_Presentation_OASIS
PCI_Presentation_OASIS
 
When does a company need to be PCI compliant
When does a company need to be PCI compliantWhen does a company need to be PCI compliant
When does a company need to be PCI compliant
 
Introduction To SAQ 4 U
Introduction To SAQ 4 UIntroduction To SAQ 4 U
Introduction To SAQ 4 U
 
How Credit Card Processing Works
How Credit Card Processing WorksHow Credit Card Processing Works
How Credit Card Processing Works
 
Merchant Services Audit 03 2011
Merchant Services Audit 03 2011Merchant Services Audit 03 2011
Merchant Services Audit 03 2011
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - Whitepaper
 
Requirement of PCI-DSS in India.
Requirement of PCI-DSS in India.Requirement of PCI-DSS in India.
Requirement of PCI-DSS in India.
 
Symbiotic Consulting Group LLC - PCI Compliance Overview
Symbiotic Consulting Group LLC - PCI Compliance OverviewSymbiotic Consulting Group LLC - PCI Compliance Overview
Symbiotic Consulting Group LLC - PCI Compliance Overview
 
Online_Transactions_PCI
Online_Transactions_PCIOnline_Transactions_PCI
Online_Transactions_PCI
 
What Everybody Ought to Know About PCI DSS and PA-DSS
What Everybody Ought to Know About PCI DSS and PA-DSSWhat Everybody Ought to Know About PCI DSS and PA-DSS
What Everybody Ought to Know About PCI DSS and PA-DSS
 
PCI compliance and fraud prevention for non profits
PCI compliance and fraud prevention for non profitsPCI compliance and fraud prevention for non profits
PCI compliance and fraud prevention for non profits
 
Financial Fitness February 2016
Financial Fitness February 2016Financial Fitness February 2016
Financial Fitness February 2016
 
PCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should carePCI DSS: What it is, and why you should care
PCI DSS: What it is, and why you should care
 
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
 

Recently uploaded

Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessSeta Wicaksana
 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Kirill Klimov
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...lizamodels9
 
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdfNewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdfKhaled Al Awadi
 
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCRashishs7044
 
Future Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted VersionFuture Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted VersionMintel Group
 
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu MenzaYouth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menzaictsugar
 
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607dollysharma2066
 
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfIntro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfpollardmorgan
 
MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?Olivia Kresic
 
Marketing Management Business Plan_My Sweet Creations
Marketing Management Business Plan_My Sweet CreationsMarketing Management Business Plan_My Sweet Creations
Marketing Management Business Plan_My Sweet Creationsnakalysalcedo61
 
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCRashishs7044
 
Case study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detailCase study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detailAriel592675
 
Market Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMarket Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMintel Group
 
The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024christinemoorman
 
India Consumer 2024 Redacted Sample Report
India Consumer 2024 Redacted Sample ReportIndia Consumer 2024 Redacted Sample Report
India Consumer 2024 Redacted Sample ReportMintel Group
 
BEST Call Girls In Old Faridabad ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Old Faridabad ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,BEST Call Girls In Old Faridabad ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Old Faridabad ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,noida100girls
 
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In.../:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...lizamodels9
 
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...lizamodels9
 

Recently uploaded (20)

Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful Business
 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
 
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdfNewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
 
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
 
Future Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted VersionFuture Of Sample Report 2024 | Redacted Version
Future Of Sample Report 2024 | Redacted Version
 
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu MenzaYouth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
 
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
(Best) ENJOY Call Girls in Faridabad Ex | 8377087607
 
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfIntro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
 
MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?
 
Marketing Management Business Plan_My Sweet Creations
Marketing Management Business Plan_My Sweet CreationsMarketing Management Business Plan_My Sweet Creations
Marketing Management Business Plan_My Sweet Creations
 
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
 
Corporate Profile 47Billion Information Technology
Corporate Profile 47Billion Information TechnologyCorporate Profile 47Billion Information Technology
Corporate Profile 47Billion Information Technology
 
Case study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detailCase study on tata clothing brand zudio in detail
Case study on tata clothing brand zudio in detail
 
Market Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMarket Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 Edition
 
The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024
 
India Consumer 2024 Redacted Sample Report
India Consumer 2024 Redacted Sample ReportIndia Consumer 2024 Redacted Sample Report
India Consumer 2024 Redacted Sample Report
 
BEST Call Girls In Old Faridabad ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Old Faridabad ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,BEST Call Girls In Old Faridabad ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
BEST Call Girls In Old Faridabad ✨ 9773824855 ✨ Escorts Service In Delhi Ncr,
 
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In.../:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
 
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...
Call Girls In Connaught Place Delhi ❤️88604**77959_Russian 100% Genuine Escor...
 

PCI FAQs and Myths

  • 1. PCI FAQS AND MYTHS Presented by BluePay
  • 2. When your business — no matter its size — began accepting credit card payments, it immediately became a potential target for data thieves. Much more is at risk than your customers’ sensitive information, however. If you aren’t employing the best industry practices to protect that data, your business could face fines, lose the ability to accept credit and debit card payments, and jeopardize its credibility. To help protect consumers’ credit card information from data thieves, the Payment Card Industry Security Standards Council created data security standards that businesses must follow to be in compliance. The cost of noncompliance can be staggering. The bank that processes your payments could be fined $5,000 to $100,000 per month by the credit card companies — amounts likely to be passed along to you — until the business is following the requirements. Your bank also could raise the fees it charges to process your business’s transactions, or stop handling them altogether. (Check your account agreement with the bank.) Your business also might have to cover the cost if the bank has to issue new cards to customers whose data has been compromised — and who could become former customers if there has been a data breach. Finally, your business also may be liable for losses due to fraud and other financial losses. THE IMPORTANCE OF PCI COMPLIANCE PCI FAQS AND MYTHS BLUEPAY | 2
  • 3. TABLE OF CONTENTS FAQ 1: What are the PCI compliance levels and how are they determined? 4 FAQ 2: My business has multiple locations; is each location required to validate PCI compliance? 5 FAQ 3: Am I PCI compliant if I have an SSL certificate? 6 FAQ 4: What is a vulnerability scan? 7 FAQ 5: Are debit card transactions in scope for PCI? 8 MYTH 1: I’m a small merchant who takes only a handful of cards, so I don’t need PCI. 9 MYTH 2: PCI applies only to e-commerce companies. 10 MYTH 3: I can wait until my business grows. 11 MYTH 4: Outsourcing card processing makes us compliant. 12 MYTH 5: PCI compliance is an IT project. 13 PCI FAQS AND MYTHS BLUEPAY | 3
  • 4. FAQ 1: WHAT ARE THE PCI COMPLIANCE LEVELS AND HOW ARE THEY DETERMINED? There are four levels of PCI compliance as determined by Visa and Mastercard. These levels are based on the transaction volume (including credit, debit and prepaid) over a 12-month period. Merchants that have been affected by a security breach that resulted in compromised card data may be escalated to the next level. Merchant Level Description LEVEL 1: Any merchant processing more than $6 million Visa and/or Mastercard transactions per year. LEVEL 2: Any merchant processing $1 million to $6 million Visa and/or Mastercard transactions per year. LEVEL 3: Any merchant processing $20,000 to $1 million Visa and/or Mastercard e-commerce transactions per year. LEVEL 4: Any merchant processing less than $20,000 Visa and/or Mastercard e-commerce transactions per year, and all other merchants processing up to $1 million Visa and/or Mastercard transactions per year. PCI FAQS AND MYTHS BLUEPAY | 4
  • 5. FAQ 2: MY BUSINESS HAS MULTIPLE LOCATIONS; IS EACH LOCATION REQUIRED TO VALIDATE PCI COMPLIANCE? Best practices would be to certify each merchant ID (MID) number individually. Some businesses choose to certify by multiple MID numbers under one entity. However, if multiple locations are certified under one entity and a compromise were to occur, all MID numbers are subject to forensic investigation (versus only the identified MID). PCI FAQS AND MYTHS BLUEPAY | 5
  • 6. FAQ 3: AM I PCI COMPLIANT IF I HAVE AN SSL CERTIFICATE? As of June 30, 2018, the Payment Card Industry Security Standards Council issued a mandatory security upgrade to disable SSL and early versions of TLS and update systems to TLS 1.2. SSL is no longer allowed for PCI compliance and should be considered permanently broken, from a security perspective. Used widely online, TLS is a cryptopgraphic protocol used to establish a secure communication channel between two systems. Updating to TLS 1.2 is just one piece of the puzzle to becoming PCI compliant. PCI FAQS AND MYTHS BLUEPAY | 6
  • 7. A vulnerability scan is an automated tool that conducts a nonintrusive scan of a merchant or service provider’s system to remotely review networks and Web applications based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider. The scan pinpoints vulnerabilities in operating systems, services and devices that could be used by hackers to target the company’s private network. Approved Scanning Vendors (ASVs) do not require the merchant or service provider to install any software on their systems, and no denial-of-service attacks will be performed. The terms ASV and QSA (Qualified Security Assessor) may seem interchangeable, but they are really two separate entities. While the ASV scans websites hosting or processing PCI data, a QSA is a company or an employee of the QSA company that audits PCI environments. FAQ 4: WHAT IS A VULNERABILITY SCAN? PCI FAQS AND MYTHS BLUEPAY | 7
  • 8. Any debit, credit and prepaid cards branded with one of the five card association/brand logos that participate in the PCI SSC — American Express, Discover, JCB International, Mastercard and Visa — are within scope. FAQ 5: ARE DEBIT CARD TRANSACTIONS IN SCOPE FOR PCI? PCI FAQS AND MYTHS BLUEPAY | 8
  • 9. Merchants are divided into four categories based on the number of card transactions handled in a 12-month period, but all must meet PCI requirements, regardless of their size-level designation. Smaller merchants do face fewer validation requirements, however. For a Level 4 merchant (processing fewer than $20,000 in e-commerce transactions or up to $1 million in transactions overall), an annual self-assessment questionnaire is recommended and a network scan by an approved vendor is to be performed quarterly if applicable, but the requirements of the bank handling the merchant’s transactions still must be met for the business to be in compliance. MYTH 1: I’M A SMALL MERCHANT WHO TAKES ONLY A HANDFUL OF CARDS, SO I DON’T NEED PCI. PCI FAQS AND MYTHS BLUEPAY | 9
  • 10. MYTH 2: PCI APPLIES ONLY TO E-COMMERCE COMPANIES. Whether your business handles one transaction or hundreds of credit/debit card purchases per day, it is subject to the PCI Data Security Standards, regardless of whether the transactions are electronic, in person or by phone. The requirements apply to your business if any customer ever pays you directly using a debit or credit card. PCI FAQS AND MYTHS BLUEPAY | 10
  • 11. MYTH 3: I CAN WAIT UNTIL MY BUSINESS GROWS. As previously noted, a business of any size that processes a credit or debit card transaction is subject to PCI compliance. If you think your business is too small to attract a hacker, consider this: In Ponemon Institute’s annual State of Cybersecurity in Small and Medium-Sized Businesses (SMB) report, 61 percent of the businesses surveyed experienced a cyber attack in 2017. Additionally, 54 percent reported a data breach involving sensitive customer and employee information. Due to these incidents, these companies spent an average of $1,027,053 because of damage or theft of assets. In addition, disruption to normal business operations cost an average of $1,207,965. Source: https://csrps.com/Media/Default/2017%20Reports/2017-Ponemon-State-of-Cybersecurity-in-Small-and-Medium-Sized- Businesses-SMB.pdf PCI FAQS AND MYTHS BLUEPAY | 11
  • 12. Relying on an outside vendor does not ensure that your business is PCI compliant. Outsourcing could reduce your risk and make it easier to prove that your business is compliant, but much like with paying your taxes to the IRS, relying on an external “expert” does not relieve your accountability. MYTH 4: OUTSOURCING CARD PROCESSING MAKES US COMPLIANT. PCI FAQS AND MYTHS BLUEPAY | 12
  • 13. Any temptation to shift the entire burden of PCI compliance onto the IT staff could prove costly. While IT can set up, run and test programs, compliance is an ongoing task. Rules change and regular assessments are needed, and with so much at stake from financial and reputation standpoints, your entire organization is affected. MYTH 5: PCI COMPLIANCE IS AN IT PROJECT. PCI FAQS AND MYTHS BLUEPAY | 13
  • 14. BluePay, Naperville, IL (Note: BluePay has multiple offices nationwide and in Canada; corporate headquarters is in Naperville) www.bluepay.com 866-444-6216 (sales, toll free) 866-739-8324 (U.S. merchant, toll free) BluePay, a First Data company, is a leading provider of technology-enabled payment processing for merchants in the United States and Canada. Through physical POS, online, and mobile interfaces, as well as CRM and ERP software integrations, BluePay processes business-to-consumer and business-to-business payments while providing real-time settlement, reporting, and reconciliation, along with robust security features such as tokenization and point-to-point encryption. BluePay is headquartered in Illinois, with offices in Maryland, Mississippi, New York, and Toronto, Canada. THIS PRESENTATION IS BROUGHT TO YOU BY BLUEPAY.