What is PCI Compliance and do I need to be concerned about it?

If you accept any type of credit card for your business, whether online or offline, then it affects you. PCI Compliance means compliance with the PCI DSS, the Payment Card Industry Data Security Standard. It was created by the credit card companies such as VISA and MASTERCARD to increase security around cardholder data and thereby reduce fraud and the exposure of that data.

PCI Compliance services are normally provided by your merchant credit card processing center / bank, and are carried out in parts, some quarterly and some annually. If you are unsure whether your merchant processing center includes this service, please contact them to find out as soon as possible, as any company found not to be PCI compliant can be charged a monthly non-compliance fee until it passes certification.

PCI Compliance has two main areas:
1. Annual Questionnaire: An annual questionnaire your PCI compliance provider has you fill out, covering how you handle and store customer credit card (CC) information. These can typically be completed online via a login they give you, with the majority of questions pertaining to how you handle / store this information at your office location.

If you need assistance filling these out, please open a trouble ticket and include the URL and logins to access this questionnaire. We will review this and get back to you with a quote for consulting to finish this questionnaire for you. Please note: This typically will require a 15 minute phone interview to clarify some items.

2. Website PCI Compliance Scan: If you own a website through which you accept customer CC information online, you will be required to have your PCI company perform a quarterly or bi-annual scan of your website. These reports list all of the areas which they feel need to be improved or addressed as potential security risks, even if you are not storing customer CC information on your website directly (i.e. you use a third-party processing gateway such as PayPal.com or authorize.net). The report results typically fall into two subsections:
a. Server hosting security issues: If you are hosting with us, we typically apply all server-wide PCI compliance updates at no charge to you, as they benefit all of our customers.
b. Website security issues: Website-specific PCI updates are handled on a case-by-case basis, sometimes requiring minor billable updates, sometimes requiring no charge at all, and sometimes requiring us simply to provide you with a report showing that an item is a false positive.

If you are hosting your website with us and need assistance with the PCI compliance scan of your website, please create a ticket and provide the URL and logins needed to view your report. We will review it and get back to you on any costs that may be associated with the updates required to resolve any non-compliant items (usually designated by a red number, RISK 4 to 10).

This analysis process for hosts / website developers involves:
1. Reviewing the report and separating it into server-level vs. website-specific items.
2. Getting you a quote, if necessary, for any billable work.
3. Resolving any items and reporting back to you / your PCI company.
4. Reporting any "false positives", i.e. findings that are either inaccurate or have already been patched, together with patch version information. This step is usually done via your PCI company's website with your logins and can take anywhere from a few hours to a few days, depending on their response time and how accurately they check the data we provide back.

PLEASE NOTE: While every PCI compliance company has to adhere to the same standard, each company's testing practices differ slightly. As a result, one company may report no issues, or very few that require no billable time, while another company whose testing procedures are less thorough may report a very high number of inaccurate high-risk items that require much more research / response time, with corresponding billable time.

Due to the very high number of inaccurate test results that are unnecessarily flagged as high-risk items, and the difficulty of working with them, any reports from trustwave.com or its affiliates will require a retainer before we can even look at them. Please contact us for current pricing and the retainer amount.
