CREDIT CARD FRAUD, SECURITY AND PCI COMPLIANCE
Credit card and check fraud costs consumers, merchants and financial institutions $51 billion a year.* If you already accept credit cards, or plan to, you are probably well aware of the advantages card acceptance provides: it builds your business and gives your customers more payment options. The security of cardholder information matters to both your customers and your business.
The Payment Card Industry Data Security Standard (PCI DSS) was created by the five major card brands as a guideline to help business owners implement the hardware, software and procedures needed to guard sensitive card and personal information. PCI DSS is a set of requirements for enhancing payment account data security. PCI compliance means that your business follows those required practices to prevent breaches of cardholder data.
One of the most significant PCI DSS requirements is that merchants may not store the full contents of the magnetic stripe (track data) after an authorization is obtained on a credit card, even in encrypted form. So magnetic-stripe data must be purged from your records, and from any system you use (including logs, databases and backups), once authorization is complete. Generally, stand-alone dial-up terminals that communicate directly with the card networks do not store prohibited magnetic-stripe data after authorization. However, if you use payment processing software or have a third-party provider transmit cardholder data, you need to find out what your responsibilities are and verify that the data is not being retained anywhere.
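As an added check (this is example code written for this page, not part of the original text or of Elite Merchant Solutions' materials), the following Python script scans text such as application logs, database exports or backup dumps for Track 1 and Track 2 magnetic-stripe data. It uses the ISO/IEC 7813 track layout and a Luhn (mod 10) check on the embedded account number to cut false positives, and reports only a masked PAN so the finding itself does not re-store prohibited data. The sample log lines and the 4111 1111 1111 1111 test number are constructed for the example.

```python
import re

# Track 1 (ISO/IEC 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits so a finding can be reported
    without writing the full PAN back out (PCI DSS masking rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> list[dict]:
    """Return Luhn-verified Track 1 / Track 2 findings in text, ordered by offset."""
    hits = []
    for track, regex in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in regex.finditer(text):
            pan = m.group(1)
            if not luhn_valid(pan):
                continue        # track-shaped but not a real PAN: skip it
            hits.append({
                "track": track,
                "offset": m.start(),
                "pan_masked": mask_pan(pan),
                # expiry is group 3 in Track 1 (after the name) and group 2 in Track 2
                "expiry_yymm": m.group(3) if track == 1 else m.group(2),
            })
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample log (hypothetical terminal software that logged raw swipe data).
# Line 3 is track-shaped but its PAN fails Luhn, so it must not be reported.
SAMPLE_LOG = (
    "2024-03-01 10:02:11 swipe ok term=07 data=;4111111111111111=25121010000000000000?\n"
    "2024-03-01 10:02:12 auth approved order=1234 card_last4=1111\n"
    "2024-03-01 10:05:40 swipe retry data=%B4111111111111112^DOE/JANE^2512101000000000?\n"
    "2024-03-01 10:05:41 swipe ok term=07 data=%B4111111111111111^DOE/JOHN^2512101000000000?\n"
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_LOG):
        print(f"offset={hit['offset']:>4} track={hit['track']} "
              f"pan={hit['pan_masked']} exp={hit['expiry_yymm']}")
```

Run it over whatever your terminal software, shopping cart or database writes to disk; any hit means track data survived authorization and the storage point has to be found and fixed, not just the file deleted. The Luhn filter drops random digit strings that happen to sit between the track delimiters, but a clean scan is evidence, not proof: encoded or encrypted copies of the same data will not match these patterns.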
The minimum requirement to become PCI compliant is to complete a Payment Card Industry Data Security Standard Self-Assessment Questionnaire (SAQ) on an annual basis and achieve a passing score. If you electronically store cardholder information or if your processing systems have any Internet connectivity, a quarterly scan by an approved scanning vendor is also required.
The length that a PCI compliance certificate is valid depends on whether your business requires a questionnaire and, where applicable, a scan. If your business requires only the questionnaire, the PCI certification is valid for one year. If your business also requires quarterly scans, the PCI certification is valid for three months, at which time your next quarterly scan will be due.
If your business fails to comply with PCI DSS, you should know that you risk substantial fines, and even risk losing your ability to process credit card payments. Elite Merchant Solutions has partnered with a certified company to ensure your business is PCI compliant, to help you evaluate the status of your account, to assist with any necessary remediation efforts and to certify your account's PCI compliance.
For more information on credit card acceptance and PCI compliance, please call your sales representative with any questions or concerns.
Frequently Asked Questions by Merchants
1. What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements for enhancing payment account data security. These standards were developed by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa International to facilitate industry-wide adoption of consistent data security measures on a global basis.
2. I have never heard of PCI Compliance before. Is this new?
No. Merchants have been advised to take the PCI Self-Assessment Questionnaire (SAQ) to identify potential security risks in order to achieve PCI compliance for the past 3 years. This compliance is required by the Card Associations.
3. Am I required to certify for PCI Compliance?
Yes, the payment brands require all acquirers to report on the PCI Compliance of their merchants. If you do not complete the Self-Assessment Questionnaire you may overlook certain data security practices that minimize your risk of a security breach. In the event that your business is compromised, you may be subject to fines of up to $500,000 per payment brand. These fines do not include the expenses or cost of fraudulent transactions resulting from the breach. In addition to avoiding potential fines, PCI Compliance may give your customers confidence that their credit card information is protected at your business.
4. Why do I need to be PCI compliant?
The Card Associations require all acquirers to report on the compliance of their merchants. If a merchant does not complete the Self-Assessment Questionnaire they may overlook certain data security practices that minimize their risk of a security breach. Based on the importance that data security has to the payment processing industry and consumers at large, Merchant Services may also begin imposing a fee for each month that the account has not been validated as PCI compliant or in any given month the account is deemed non-compliant.
5. What am I required to do to become PCI Compliant as a level 4 merchant?
The minimum requirement for a level 4 merchant is to complete a PCI DSS Self-Assessment Questionnaire (SAQ) on an annual basis and achieve a passing score. If you electronically store cardholder information or if your processing systems have any Internet connectivity, a quarterly scan by an approved scanning vendor is also required.
Merchant Services has created a complete reference guide on becoming PCI compliant. Our guide breaks compliance into 5 easy steps: Enroll, Comply, Validate, Certify, and Renew. To review the steps in becoming PCI Compliant visit http://www.merchantinsider.com and select the "5 Easy Steps to Become PCI Compliant."
6. How long will it take to obtain PCI Compliance?
The time it takes an individual business to become PCI Compliant can vary based on how the business processes, stores, or transmits cardholder data. On average with Elite Data Processing:
- Enrollment = 5-10 minutes
- Questionnaire A or B = 15-30 minutes
- Questionnaire C or D = 45 minutes or more
- IP Scans = 15 minutes or less*
7. I only process a few hundred dollars a month. Does my merchant account still need to be PCI Compliant?
Yes, all merchants, whether small or large, seasonal or year-round, need to be PCI compliant. The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment cardholder data. Inherent in having a merchant account is the ability to handle cardholder data.
8. My business has multiple locations. Is each location required to certify?
If your business locations process under the same Tax ID you are only required to certify once for all locations. If your business locations have different Tax IDs you will need to certify once per Tax ID. To ensure you complete only the necessary certifications, you must verify upon enrollment with Elite Merchant Solutions that each location is linked together.
9. Who should I contact for support in becoming PCI DSS compliant?
Elite Merchant Solutions has partnered with several providers to help you evaluate the status of your account, to assist with any necessary remediation efforts and to certify your account's PCI compliance. You can reach Elite Merchant Solutions by calling (866) 822-2378 and our staff will direct you in getting started on becoming PCI compliant.
10. What are the hours of operation for Elite Merchant Solutions?
Enrollment with our vendors is generally available Monday through Friday, 4am until 10pm EST. Technical support is available 24/7 to assist with data security concerns. If you choose to use a third party QSA/ASV you should inquire as to their hours of operation.
11. Do I have to use one of our vendors?
No. There are over 130 approved scanning vendors. You are free to certify with any vendor you like. However, if you choose to certify with another vendor you will be responsible for paying the full cost of the PCI Compliance analysis to that vendor and for sending a copy of your certification to us. A list of approved vendors is available on the card association web sites or at pcisecuritystandards.org. If you choose to use a third party QSA/ASV you must send us your compliance certification at:
12. How do I identify myself with "Elite Merchant Solutions" to our vendors?
If you call one of our vendors, you can tell the representative directly. The representative will ask you for the last six digits of your (12-digit) merchant account number, as it appears on your Merchant Services statement.
13. Why should I identify myself with Elite Merchant Solutions?
Elite Merchant Solutions has negotiated preferred rates with our vendors. By identifying yourself as an "Elite Merchant Solutions" merchant, you become eligible to receive these preferred rates.
14. Is there a charge for PCI services?
Elite Merchant Solutions has negotiated preferred rates with our vendors. The potential charge will vary depending upon the level of service needed for your account. The cost associated with the questionnaire or quarterly scan, if any, will be provided during enrollment with our vendors.
15. Will there be an additional cost for each of my business locations?
There will not be a separate cost for each location if your business locations process under the same Tax ID number. To ensure you obtain the preferred rates, you must verify upon enrollment with our vendors that each location is linked together. If you have chosen to utilize a third party QSA/ASV you must inquire with them as to pricing for multiple locations.
16. Is there an additional cost for quarterly scans?
For merchants who require quarterly scans, any associated cost will be built into the price quoted upon enrollment with our vendors. If additional IP addresses are added to your business between scans there may be additional costs. You should contact Elite Merchant Solutions or your chosen third party QSA/ASV to discuss what options are available.
17. Will I be provided with anything that I can display to my customers showing that I am a PCI compliant merchant?
Yes. Upon completion of your certification from one of our vendors they will send you a certificate of compliance and if requested, a logo to display on your website. If you have chosen to utilize a third party QSA/ASV you should inquire with them as to what documentation they will provide to you and in what timeframe.
18. What if I have already performed my PCI Compliance Self-Assessment Questionnaire (and applicable quarterly scans)?
If you have been PCI DSS certified within the past several months, Elite Merchant Solutions will validate your responses with the appropriate channels directly or, if you chose to use another approved scanning vendor, please submit all of your certification documentation to us so that we know your account is currently PCI compliant.
19. What if I am required to upgrade my equipment or software to become compliant?
As part of becoming PCI compliant you may be required to upgrade your equipment and/or software to a PCI DSS certified version. You must contact your equipment and/or software vendor to discuss what options may be available and the costs associated with those options, if any. The cost associated with any equipment and/or software upgrade will not be covered by Elite Merchant Solutions or any of our vendors.
20. Can I choose not to certify for PCI Compliance?
No, the payment brands require all acquirers to report on the PCI Compliance of their merchants. If you choose not to complete the Self-Assessment Questionnaire you may overlook certain data security practices that minimize your risk of a security breach. In the event that your business is compromised, you may be subject to fines of up to $500,000 per payment brand. These fines would be in addition to the expenses and fraudulent transactions resulting from the breach.
In light of the importance that data security has to the payment processing industry and consumers at large, Elite Merchant Solutions may also begin imposing a fee for each month that your account has not been validated as PCI compliant or in any given month your account is deemed non-compliant.
21. Can I avoid paying Merchant Services' non-receipt of PCI data validation fee?
Yes. You can avoid this charge by validating your PCI DSS compliance with one of our vendors or an approved third party QSA/ASV on or before the 25th business day of the month your certification or renewal is due. Please refer to the PCI COMPLIANCE VALIDATION UPDATE, located on MerchantInsider.com/pci, for additional information. If you choose to use one of our vendors they will validate your responses with Merchant Services directly. If you choose to use a third party QSA/ASV you must send us your compliance certification at:
Details of how to certify your business's compliance are described above. Note: You must maintain your compliant status (either quarterly or annually, as determined by one of our vendors or another Approved Scanning Vendor) once it is obtained in order to avoid this fee in the future.
22. If I change the way in which my business stores, processes, or transmits cardholder data am I required to recertify?
If you change the manner in which you store, process or transmit cardholder data, you may increase the exposure of your business, and you must contact one of our vendors or your chosen third party QSA/ASV for recertification.
23. Is there an additional cost if I change the manner in which my business stores, processes or transmits cardholder data?
Depending on how you change your processing, there may be an additional charge. To determine what, if any, additional charge may be incurred, contact one of our vendors or your chosen third party QSA/ASV.
24. Once my business becomes PCI DSS compliant, does that prevent a security breach from happening?
These actions help prevent security breaches but do not provide a guarantee to your business. If and when you change the manner in which you store, process or transmit cardholder data, you may increase the exposure of your business. Also, just as anti-virus and firewall software require regular updates, data security is continually subject to new threats. We encourage you to stay up to date on data security requirements. Please visit www.MerchantInsider.com often for updated information regarding PCI DSS compliance.
25. I'm a new merchant. Am I eligible for Elite Merchant Solutions preferred rate through its vendors?
Yes. Our vendors will extend the Merchant Services preferred rate to our new merchants as well. However, it may take up to 6 weeks following the boarding of your account with Elite Merchant Solutions for our vendors' systems to recognize your account as a merchant.
26. What is a Qualified Security Assessor (QSA)?
A Qualified Security Assessor (QSA) is an organization that has been qualified by the PCI Security Standards Council to perform on-site PCI DSS assessments. The individual assessors are employees of these organizations who have been certified by the Council to validate an entity's adherence to the PCI DSS.
27. What is an Approved Scanning Vendor (ASV)?
Approved Scanning Vendors (ASVs) are organizations that validate adherence to certain PCI DSS requirements by performing external vulnerability scans of the Internet-facing environments of merchants and service providers.