PCI Compliance
PCI Data Security Standard (DSS) Compliance Requirement
The payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.) have mandated that all merchants who store, transmit, or process cardholder information must maintain compliance with the PCI DSS. We, as your service provider, take the protection of customer and payment account data very seriously. We understand the risks and financial costs that a compromise can pose to your business. In support of this important mandate we will begin requiring all of our merchants to validate their PCI DSS compliance status with us. However, we want to make the process as convenient as possible for you.
Our Compliance Assistance Service Program
Serve First Solutions, Inc. has established a relationship with SecurityMetrics, a leading provider of PCI audit and scan services. They are certified by the PCI Security Council as a Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV). Enrolling with SecurityMetrics will provide you with access to trained professionals to help your business comply with the PCI DSS. They will work with you to conduct an analysis of your account, assist with any necessary remediation efforts and help you certify your compliance. The service will guide you through the completion of your PCI DSS Self-Assessment Questionnaire (SAQ) and include (if applicable) the required quarterly scans of your processing systems. To learn more about SecurityMetrics and to initiate an analysis of your account, please see instructions below.
Frequently Asked Questions
- What is PCI DSS?
The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of requirements for enhancing account data security. These standards were developed by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. to facilitate industry-wide adoption of consistent data security measures on a global basis. The standard aims to increase awareness and promote best practices in the handling of sensitive information as a means of minimizing identity theft and fraudulent transactions.
- Is PCI DSS new?
No. The framework of the PCI data security standards has existed in different forms for some time now and continues to evolve. You may be more familiar with the payment brands’ programs that promote adoption of the PCI DSS:
- MasterCard: Site Data Protection (SDP) Program
- Visa: Cardholder Information Security Program (CISP)
- Discover Network: Discover Information Security & Compliance (DISC)
- American Express: Data Security Operating Policy
- Do I need to be PCI compliant if I only process a few credit cards a month?
Yes, all merchants, whether small or large, are required to be PCI compliant. The payment brands have collectively mandated PCI DSS compliance for any and all organizations that process, store, or transmit payment cardholder data. Inherent in having a merchant account is the ability to handle cardholder data.
- I already use a “PCI compliant” terminal/gateway. Doesn’t that mean I am PCI compliant?
No. Use of a PCI compliant payment application addresses only one aspect of the many PCI DSS requirements, which cover the handling of sensitive data as a whole. Currently, the PCI DSS lists twelve requirements. These requirements are organized around the following principles:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
- Can I choose not to certify for PCI compliance?
If you choose not to complete the self-assessment questionnaire (and applicable network scans) you may overlook certain data security practices that minimize your risk of a security breach. In the event that your business is compromised, you may be subject to substantial fines per payment brand. These fines would be in addition to the expenses and fraudulent transactions resulting from the breach.