Simplify Payment Compliance | PCI Level 1 Partner | CSG

Simplify Payment Compliance | PCI Level 1 Partner | CSG | Forte

PCI Compliance

Simplify PCI compliance. Protect every payment.

Stay focused on your business while CSG Payments helps you navigate the Payments Card Industry Data Security Standard (PCI DSS) with confidence and control.

Get Started

Why PCI matters

96%

of all breaches hit small businesses

75%

of breaches that happen while data is in transit, not at rest

$5-100K

monthly fines for PCI violations by card brands

What are PCI standards, and why do they matter?

PCI standards exist to protect cardholder data every time a customer pays you with a credit or debit card. This is a worldwide requirement backed by all major card brands, not just a recommendation or an optional best practice. In short, PCI is about protecting your customers’ payment data and shielding your business from avoidable risk.

About PCI DSS

In 2006, the major card brands (Visa, Mastercard, Discover, American Express, and JCB) formed the PCI Security Standards Council (PCI SSC) to create globally applicable PCI DSS. If you store, process, or transmit cardholder data, PCI DSS applies to you—no matter your size, industry, or location.

Who needs to be PCI compliant?

Credit card payments

If you accept card payments in person, online, or by phone.

Payment terminal

If you use a payment terminal, virtual terminal, POS system, or e-commerce site.

Stored information

If you rely on recurring billing or stored account information.

Capabilities

Making compliance easier with CSG Payments

CSG Payments is a PCI DSS Level 1 service provider, offering secure payment solutions and programs that support your compliance efforts without changing the core requirements you must meet.

Here are three paths to achieve PCI-DSS compliance:

Learn More

CSG Forte PCI-DSS Compliance Program

CSG Forte offers an optional PCI-DSS Compliance Program designed to simplify how merchants validate compliance. Through partnerships with a primary and secondary PCI vendor—each serving as both an Approved Scanning Vendor (ASV) and a Qualified Security Assessor (QSA)—the program provides easy-to-use, low-cost tools for small and medium businesses.

For a monthly fee of $7.99, which appears on your regular invoice, participating merchants receive:

Breach insurance and remediation services
Online instruction and assistance with registration and completion of the required PCI online questionnaire (validated annually)
Individualized responses to questions related to completing that questionnaire
Notification of PCI compliant status
Ongoing monthly vulnerability scans of your systems

To participate in the CSG Forte PCI-DSS Compliance Program, fill out this form or contact CSG Forte customer service for current enrollment information.

A PCI non-compliance fee of $29.99 will be assessed on merchant accounts found to be non-compliant until compliance is achieved.

The real risk of doing nothing

Choosing not to address PCI compliance doesn’t make the risk go away. In fact, it moves more risk onto your business.

The PCI council itself doesn’t police compliance, but the payment brands and acquiring banks do through their own programs and deadlines.

Potential consequences of non-compliance include:

Reputational & revenue damage

Brand and financial damage after PCI data is compromised.

Non-compliance penalties

Fines from card brands to your acquiring bank.

Risk losing payment access

Increased bank transaction fees, fines, or even having your merchant account terminated.

Why compliance is worth it

For many merchants, especially smaller organizations, PCI DSS can feel confusing or burdensome at first. But it gives you an actionable framework for:

Preventing security incidents
Detecting suspicious activity
Responding effectively to problems

Done right, PCI compliance helps you:

Protect customers’ payment information and keep their trust
Reduce the chance and impact of a data compromise
Avoid long-term financial and reputational damage to your business

You’ve worked hard to build your business. PCI compliance is one of the most effective ways to secure your customers’ card data and your long-term success.

Secure your success. Protect your customers.

Let CSG Forte help you simplify PCI compliance and strengthen your overall security posture.

Learn More

Busting common PCI myths

Even if you never store cardholder data, it can still be stolen during transmission or manual entry. PCI standards are designed to close those gaps, not just protect databases.

PCI compliance program

CSG Forte operates as a PCI DSS Level 1 service provider and also maintains ISO 27001, SOC 1 Type II, HIPAA-aligned controls, and Nacha Preferred Partner status—so you’re working with a partner built for regulated environments.

Explore Our Trust Center

‍‍Protect every card, every time.

Your customers trust you with their payment information.

PCI compliance is how you repay that trust and protect the business you’ve built.

If you are interested in taking advantage of CSG Forte’s PCI DSS Compliance Program, please click on the following link to complete the Aperia Enrollment Form, or contact our Customer Service, Monday – Friday 7AM to 7 PM at 866.290.5400 (Option 2) or email pci@forte.net.

Related resources

Blog

PCI Compliance Guide

PCI compliance requires your organization to meet security standards when accepting consumer credit card payments. Leverage CSG Forte's secure payment solution.

Frequently asked questions

PCI DSS is all about protecting card holder data. Prior to 2006, all of the major card brands (Visa, Mastercard, Discover, American Express and JCB) each had their own security requirements. In 2006, they decided there needed to be consistency in security requirements across the playing field. As a result, they created a group called the PCI SSC. The council was tasked with creating a single, system-wide standard that would apply to all merchants, members, and service providers globally. PCI DSS states that PCI Data Security Requirements apply to all members, merchants, and service providers that store, process, or transmit cardholder data.

As a merchant, you have three different options for becoming compliant. You may review these options at the top of the page. However you choose to become compliant, the process entails three steps: ‍ 1. Successfully complete a self-assessment questionnaire (SAQ) 2. Complete an attestation of compliance (AOC). 3. Complete/arrange quarterly network scans (if applicable) If you do not become compliant via one of the methods suggested, please note that a monthly non-compliance fee of $29.99 will remain on your merchant account. If you have already validated, please provide your SAQ and AOC, as well as proof of passing scan, if applicable, to pci@forte.net or fax the document to (469) 342-8010. At any point, you can reach out to CSG’s customer service team to discuss your choices. Our staff can help you understand the available options and answer any additional questions about getting started.

Yes. The growth and retention solutions including Validate, Validate+, and Authenticate are available as standalone services and can be used alongside an existing payment processor. Organizations do not need to migrate their full processing relationship to beneThe PCI SSC encourages all businesses that store, process or transmit payment account data to comply with PCI DSS. This can help reduce the brand and financial risks associated with account payment data compromises. The council does not manage compliance programs, nor do they impose any consequences for non-compliance. However, individual payment brands may have their own compliance initiatives. These may include financial or operational consequences to certain businesses that are not compliant. The payment brands may, at their discretion, fine an acquiring bank anywhere from $5,000 to $100,000 per month for PCI compliance violations. Most banks will pass this fine along until it reaches the merchant. The banks are also likely to terminate your relationship or increase transaction fees. Penalties are not openly discussed or widely publicized, but they can be truly catastrophic to a small business.

Fit from account validation, making adoption low-risk and incremental.

Especially for smaller organizations, this may seem like a lot of effort and be quite confusing. The standard provides an actionable framework for developing robust account data security processes, including preventing, detecting, and reacting to security incidents. To reduce the risk of compromise and to mitigate any impact should it occur, it is imperative that all entities storing, processing, or transmitting cardholder data be compliant. Compliance with DSS can bring major benefits to businesses of all sizes. Failure to comply can have serious and long-term negative consequences. You’ve worked hard to build your business. Secure both your success and your customers’ payment card data. Your customers depend on you to keep their information safe. Repay their trust with PCI DSS compliance.

There are eight versions of the SAQ. We recommend that a merchant go through the process to determine for certain which version is most appropriate for their business and cardholder data environment. ‍SAQ A ‍Card-not-present merchants (e-commerce or mail/telephone order), that have fully outsourced all cardholder data functions to PCI DSS-compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels. ‍SAQ A-EP ‍E-commerce merchants who outsource all payment processing to PCI DSS-validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No storage, processing, or transmission of cardholder data on merchant’s systems or premises. Applicable only to e-commerce channels. ‍SAQ B ‍Merchants using only: 1. Imprint machines with no electronic cardholder data storage, and/or 2. Standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels. ‍SAQ B-IP ‍Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor with no electronic cardholder data storage. Not applicable to e-commerce channels. ‍SAQ C-VT ‍Merchants who manually enter a single transaction at a time via a keyboard into an internet-based, virtual payment terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels. ‍SAQ C ‍Merchants with payment application systems connected to the internet, no electronic cardholder data storage. Not applicable to e-commerce channels. ‍SAQ P2PE ‍Online merchants using only hardware payment terminals included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce merchants. ‍ ‍SAQ D ‍SAQ D for merchants: All merchants not included in descriptions for the above SAQ types. ‍SAQ D for service providers: All service providers defined by a payment brand as eligible to complete an SAQ.

You can choose to outsource some or all of your payment processing to a service provider or software application vendor. When you outsource processing to a service provider, you will use their system; when you outsource to an application vendor, you will host their software on your own system. Outsourcing the storage, processing, or transmission of cardholder data may remove some or all of the scope from an organization as it can lift part of the compliance burden.

Just because a merchant doesn’t store cardholder data doesn’t mean it cannot be stolen. Hackers now install malicious software that monitors credit card information as it is manually keyed in or swiped. If you use a virtual terminal solution, payment application, integrated POS system, or are an e-commerce merchant, there is a moment during transmittance when card data is not encrypted. Hackers try to steal stored credit card data by exploiting that moment of weakness. In fact, 75% of breaches in 2011 occurred not from storing PCI, but during PCI transmission. Broadband connections can increase this risk.

Cybercriminals will hunt smaller, easier targets that provide them with a steady stream of data to compromise. In fact, 96% of all breaches occur within small businesses. And when it happens, it takes almost six full months on average before the fraud is detected. In one instance, a hacker wasn’t found until four years later. In that time, a merchant processing only 10 transactions a week could have fallen victim to 2,080 fraudulent transactions over a four-year period.

No. We reviewed over a dozen QSAs and determined that the PCI vendors we have partnered with are best suited to our merchant base. There are currently over 260 QSAs worldwide that provide similar services. See the full list here: PCI Security Standards ‍Not all QSAs perform the exact same services. Many offer (and charge for) specific services, so it is in your best interest to perform due diligence when making your selection. Pricing also varies widely among QSAs, from as little as $4.95 per month to several thousand annually. We encourage our merchants to work with a QSA that best fits their needs.