PCI Compliant Payment Solutions
Data security standards
CSG Forte PCI-DSS Program
As a business that accepts credit cards and processes transactions over the card association networks, you should be aware that your company is required by the Payment Card Industry to become compliant with the PCI Data Security Standards (PCI-DSS) for your systems and processes.
At CSG Forte, in an effort to offer you the most comprehensive service and to help you protect your business and customers from the possibility of data breach. We have partnered with Aperia solutions to provide a simple path for merchant PCI compliance.
There are three paths to PCI-DSS compliance:
- Self assessment – You may choose to do your own PCI compliance assessment by using the forms located on the PCI Security Standards Council website www.pcisecuritystandards.org;
- Assess and validate PCI-DSS compliance through a third party Qualified Security Assessor(QSA) of your choice, choosing from the list provided on the PCI Security Standards Council website, then provide a copy of your Attestation of Compliance and Scan (if applicable) to CSG Forte either by email to [email protected].
- Enroll in CSG Forte’s PCI-DSS Compliance Program – In an effort to make becoming PCI-DSS compliant as easy as possible, CSG Forte has partnered with both a Primary and Secondary PCI Vendor to provide easy-to-use, low-cost tools to help our Merchants with the process of validating compliance. Our PCI Vendors are both an Approved Scanning Vendor (ASV) and a Qualified Security Assessor (QSA) for the card associations. As part of our program, all participating merchants receive Breach Insurance and remediation service, as part of your low monthly fee.
The monthly fee of the CSG Forte PCI Compliance Program is $7.99 and will be included on your regular monthly invoice. The fee for the program includes online instruction and assistance with registration and completion of the PCI online questionnaire (which must be validated yearly), individualized response for any questions you have in completing the questionnaire, notification of PCI compliant status and ongoing monthly vulnerability scans of your systems. Merchants who have not validated PCI compliance will be charged a PCI Non-Compliance fee of $29.99 per month until a PCI compliant status is achieved.
If you are interested in taking advantage of CSG Forte’s PCI-DSS Program, please click on the following link to complete the Aperia Enrollment Form, or contact our Customer Service, Monday – Friday 7AM to 7 PM at 866.290.5400 (Option 2) or email [email protected].
For more information related to how a security breach can affect you click here.
Frequently Asked Questions
- What is PCI?
- Does everyone have to become PCI Compliant?
- What do I need to do to become PCI compliant?
- What will happen if I don’t do anything?
- I’ve never heard of PCI, why am I being asked to do this now?
- How long will the compliance process take?
- How long does certification last?
- How do I know what version of the Self Assessment questionnaire I should fill out?
- What is cardholder data environment?
- Why do merchants store cardholder data?
- What is a vulnerability scan?
- What is the difference between a Qualified Security Assessor and an Approved Scanning Vendor?
- What is scoping?
- How can outsourcing help?
- I don’t store cardholder data, so PCI shouldn’t apply to me.
- What if I only process a handful of transactions per week, month, year?
- I’m using Tokenization and end-to-end encryption. Why do I need to go through this?
- Another acquirer says that I don’t have to do this until a later date?
- Do I have to use CSG Forte’s PCI vendor?
What is PCI?
PCI is all about protecting card holder data. Prior to 2006, all of the major card brands (Visa, Mastercard, Discover, American Express and JCB) each had their own security requirements. In 2006, they decided there needed to be consistency in security requirements across the playing field. As a result, they created a group called the PCI Security Standards Council. The Council was tasked with creating a single, system-wide standard that would apply to all merchants, members and service providers globally.
The Council created a set of standards called the Payment Card Industry’s Data Security Standards (PCI-DSS). The PCI-DSS states that PCI Data Security Requirements apply to all members, merchants and service providers that store, process or transmit cardholder data.
Does everyone have to become PCI Compliant?
Every merchant who processes, stores or transmits cardholder data is subject to PCI and must demonstrate compliance. This is a world-wide initiative.
What do I need to do to become PCI Compliant?
As a merchant, you have three different options for becoming compliant. You may review these options at the top of the page. However you choose to become compliant, the process entails three steps:
1. Successfully complete a Self Assessment Questionnaire (SAQ)
2. Complete an Attestation of Compliance (AOC).
3. Complete/arrange Quarterly Network Scans (if applicable)
If you do not become compliant via one of the methods suggested and complete these steps, please note that the monthly non-compliance fee of $29.99 will remain on your merchant account. If you have already validated, please provide your SAQ and AOC, as well as proof of passing scan, if applicable, to [email protected] or fax the document to (469) 342-8010.
At any point, you can reach out to Customer Service to discuss your choices. Our staff is well-versed in the available options and can answer any additional questions about getting started.
What will happen if I don’t do anything?
The PCI Security Standards Council encourages all businesses that store, process or transmit payment account data to comply with the PCI-DSS. This can help reduce the brand and financial risks associated with account payment data compromises. The council does not manage compliance programs, nor do they impose any consequences for non-compliance. However, individual payment brands may have their own compliance initiatives. These may include financial or operational consequences to certain businesses that are not compliant. The payment brands may, at their discretion, fine an acquiring bank anywhere from $5,000 to $100,000 per month for PCI compliance violations.
Most banks will pass this fine along until it reaches the merchant. The banks are also likely to terminate your relationship or increase transaction fees. Penalties are not openly discussed or widely publicized, but they can be truly catastrophic to a small business.
I’ve never heard of PCI, why am I being asked to do this now?
Especially for smaller organizations, this may seem like a lot of effort and be quite confusing. However, the standard provides an actionable framework for developing robust account data security processes, including preventing, detecting and reacting to security incidents. To reduce the risk of compromise and to mitigate any impact should it occur, it is imperative that all entities storing, processing or transmitting cardholder data be compliant. Compliance with data security standards can bring major benefits to businesses of all sizes. Failure to comply can have serious and long-term negative consequences.
You’ve worked hard to build your business. Secure both your success and your customers’ payment card data. Your customers depend on your to keep their information safe. Repay their trust with compliance to the PCI Security Standards.
How long will the compliance process take?
The overall length of the process can vary. It depends on how soon an organization can resolve their non-compliance issues, the type of resolution required, and the complexity and size of the project.
How long does certification last?
Certification is good for 12 months as long as there are no major changes in the network.
How do I know what version of the Self Assessment Questionnaire I should fill out?
There are eight versions of the SAQ. We recommend that a merchant go through the process to determine for certain which version is most appropriate for their business and cardholder data environment.
SAQ A
Card-not-present merchants (e-commerce or mail/telephone-order), that have fully outsourced all cardholder data functions to PCI-DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
Not applicable to face-to-face channels.
SAQ A-EP
E-commerce merchants who outsource all payment processing to PCI-DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No storage, processing, or transmission of cardholder data on merchant’s systems or premises.
Applicable only to e-commerce channels.
SAQ B
Merchants using only:
1. Imprint machines with no electronic cardholder data storage, and/or
2. Standalone, dial-out terminals with no electronic cardholder data storage.
Not applicable to e-commerce channels.
SAQ B-IP
Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor with no electronic cardholder data storage.
Not applicable to e-commerce channels.
SAQ C-VT
Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based, virtual payment terminal solution that is provided and hosted by a PCI-DSS validated third-party service provider. No electronic cardholder data storage.Not applicable to e-commerce channels.
SAQ C
Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.Not applicable to e-commerce channels.
SAQ P2PE
E Merchants using only hardware payment terminals included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage.
Not applicable to e-commerce merchants.
SAQ D
SAQ D for Merchants: All merchants not included in descriptions for the above SAQ types.
SAQ D for Service Providers: All service providers defined by a payment brand as eligible to complete an SAQ.
What is the cardholder data environment?
The cardholder data environment is an area of a computer system network that possesses cardholder data or sensitive authentication data. It also refers to those systems and segments that directly attach or support cardholder processing, storage or transmission.
Why do merchants store cardholder data?
Merchants store cardholder data for a number of reasons. Often it is helpful for recurring billing, chargebacks and disputes, reporting or software imposition.
What is a vulnerability scan?
A vulnerability scan is a scan conducted by an Approved Scanning Vendor. Scans rank vulnerabilities high, medium, or low and prioritize them for patching and remediation.
What is an Approved Scanning Vendor?
All PCI scans must be conducted by a third party compliant network security scanning vendor. A list of Approved Scanning Vendors (or ASV’s) can be found at www.pcisecuritystandards.org. ASV’s will conduct scans in accordance with the defined procedures, which dictate that your customer environment cannot be penetrated, altered or impacted during the scan.
What is the difference between a Qualified Security Assessor and an Approved Scanning Vendor?
Qualified Security Assessors (QSA) are authorized to perform annual audits for merchants and service providers to document compliance with PCI-DSS. Approved Scanning Vendors (ASV) are authorized to perform quarterly scans to show compliance with the PCI Data Security Standard. Several qualified security assessors incorporate approved scanning vendors into their solution.
What is scoping?
Scoping is the process of specifying exactly what is tested for compliance. It limits the PCI assessment to security technology and processes affecting the security of cardholder data. Merchants can leverage network segmentation to effectively isolate systems that store, process and transmit cardholder data from the rest of the network. Controls are only required for the affected segments.
How can outsourcing help?
You can choose to outsource some or all of your payment processing to a service provider or software application vendor. When you outsource processing to a service provider you will use their system; when you outsource to an application vendor you will host their software on your own system. Outsourcing the storage, processing or transmission of cardholder data may remove some or all of the scope from an organization as it can lift part of the compliance burden.
I don’t store cardholder data, so PCI shouldn’t apply to me.
Just because a merchant doesn’t store cardholder data doesn’t mean it cannot be stolen. Hackers now install malicious software that monitors credit card information as it is manually key-entered or swiped. If you use a virtual terminal solution, payment application, integrated POS system or are an eCommerce merchant, there is a brief moment during transmittance when card data is not encrypted. Hackers will try to steal stored credit card data by exploiting that moment of weakness. 75% of breaches in 2011 occurred not from storing, but during the transmission of cardholder data. Broadband connections can increase this risk.
What if I only process a handful of transactions per week, month, year?
What if I only process a handful of transactions per week, month, year?
96% of all breaches occur within small businesses. On average, it takes almost six full months before fraud is detected. In one instance, a hacker wasn’t found until four years later. In that time, a merchant processing only ten transactions a week could be exploited up to 2,080 transactions over a four year period. Cybercriminals will hunt smaller, easier targets that provide them with a steady stream of data to compromise.
I’m using Tokenization and end-to-end encryption. Why do I need to go through this?
Tokenization and end-to-end (point-to-point) encryption are great technologies for helping to reduce the number of requirements during the compliance process. However, you still need to go through the complete compliance process to avoid penalties for non-compliance.
Another acquirer says that I don’t have to do this until a later date?
Acquirers are allowed to set their own deadlines within reason, so they will vary from acquirer to acquirer. CSG Forte’s acquirers are cracking down on merchant PCI Compliance; therefore, we are required to follow their guidelines and requirements
Do I have to use CSG Forte’s PCI Vendor?
Do I have to use CSG Forte’s PCI Vendor?
No. We reviewed over a dozen QSA’s and determined that the PCI Vendors we have partnered with are best suited to our merchant base.
There are currently over 260 QSAs worldwide that provide similar services. See the full list here: PCI Security Standards
Not all QSAs perform the exact same services. Many offer “bells and whistles” so it is in your best interest to perform due diligence when making your selection. Pricing also varies widely among QSAs, from as little as $4.95 per month to several thousands of dollars annually. We encourage our merchants to work with a QSA that best fits their needs.