Automated Merchant Services, LLC

News & Events:

Receipt Truncation
IMPORTANT REMINDER: If your terminal is not compliant with applicable federal and state law as well as card association rules, your business may be subject to significant fines or other penalties. The receipt you provide to a customer may not include the customer's card expiration date or any more than the last four digits of the customer's card number. In addition, some states, as well as Visa and MasterCard, have similar laws and requirements that apply to the receipt your business retains. If you believe that your terminal needs to be upgraded to comply with these requirements, please contact customer service at 1-866-649-4105.


SecurityMetrics PCI DSS Certified Vendor:

Getting started

To begin your PCI compliance validation, contact SecurityMetrics at 800.557.4797 or visit their website at www.securitymetrics.com and select the “enroll now” link.


What are the deadlines for complying with PCI DSS?
Compliance is mandated by the payment card brands and not by the PCI Security Standards Council. However, for most merchants, the deadlines for validating compliance with the PCI DSS have already passed. You should ask your acquirer and/or merchant bank whether any specific deadlines apply to you, based on merchant transaction volume (level) as determined by the card payment brands. All entities that transmit, process or store payment card data must be compliant with PCI DSS.
I’m a small merchant who has limited payment card transaction volume. Do I need to be compliant with PCI DSS? If so, what is the deadline?
All merchants, whether small or large, need to be PCI compliant. The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment cardholder data. PCI SSC is responsible for managing the security standards while each individual payment brand is responsible for managing and enforcing compliance to these standards. For questions regarding compliance validation requirements and deadlines as well as compliance reporting requirements, we recommend that you contact your acquirer. For more information regarding the PCI security standards and supporting documentation, including the “Navigating the PCI DSS” as well as targeted Self Assessment Questionnaires to assist small and medium merchants, please visit the PCI SSC website at: www.pcisecuritystandards.org.
How do I determine if my organization is eligible to complete one of the shorter Self-Assessment Questionnaire (SAQ) versions?
The SAQ is a validation tool for merchants and service providers who are not required to undergo an on-site data security assessment per the PCI DSS Security Audit Procedures. Please consult your acquirer and/or payment brand for details regarding PCI DSS validation requirements. The Self-Assessment Questionnaire Instructions and Guidelines (https://www.pcisecuritystandards.org/pdfs/instructions_guidelines_v1-1.pdf) document has been developed to help merchants and service providers understand the PCI Data Security Standard Self-Assessment Questionnaire (SAQ). The document provides guidance on the following topics:
- PCI Data Security Standard Self-Assessment: How it all fits together
- PCI Data Security Standard: Related Documents
- SAQ Overview
- Why is compliance with the PCI DSS important?
- General Tips and Strategies
- Selecting the SAQ That Best Applies to your organization
- Guidance for exclusion of certain, specific requirements
- How to Complete the Questionnaire
Is the Self-Assessment Questionnaire all I need to do to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS)?
In accordance with payment brands’ compliance programs, those merchants and service providers who are permitted by the payment brands to self-evaluate their compliance with the PCI DSS may need to complete the following steps:
1. Complete the Self-Assessment Questionnaire according to the instructions in the Self-Assessment Questionnaire Instructions and Guidelines.
2. Complete a clean vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV), and obtain evidence of a passing scan from the ASV.
3. Complete the relevant Attestation of Compliance in its entirety (located in the SAQ).
4. Submit the SAQ, evidence of a passing scan, and the Attestation of Compliance, along with any other requested documentation, to your acquirer.
How does PCI DSS apply to individual PCs or workstations?
All system components in the network are considered part of the cardholder data environment unless adequate network segmentation is in place that isolates systems that store, process, or transmit cardholder data from those that do not. Without proper network segmentation, the entire network is in scope for the PCI Data Security Standard, and all PCI Data Security Standard requirements apply. QSAs can advise their clients on how to implement network segmentation to reduce PCI DSS scope. Where there are many PCs or workstations in an environment and all PCs do not need access to the cardholder data environment (CDE), the network segmentation should provide access to the CDE for all PCs that need access, and should prohibit access for all other PCs. With such segmentation in place, PCI DSS requirements are relevant to, and should be applied to, only that smaller PC population. Regarding the applicability of each PCI DSS requirement to an individual PC, the QSA should also consider features that are part of the PC’s basic functionality (for example, logging or file integrity monitoring) or are part of existing network controls, and determine whether these features meet the intent of PCI DSS requirements to protect cardholder data stored, processed, or transmitted by these PCs.
As a merchant, what SAQ form should we complete?
For each SAQ form, the merchant can find a sub-section entitled “Eligibility to Complete SAQ” in the Attestation section (www.pcisecuritystandards.org/saq/index.shtml). If the merchant is able to answer yes to each question on the attestation form, then that particular form would be applicable in terms of validating compliance with the PCI DSS. We also recommend that the merchant contact their acquirer to ensure that they are completing the correct SAQ form.

Document
PCI DSS Compliance Certification Resource
Coming Soon
Copyright Automated Merchant Services, LLC, All Rights Reserved

Automated Merchant Services, LLC is a Registered ISO/MSP of Chase Paymentech Solutions, LLC

Registered ISO/MSP of Wells Fargo Bank, N.A., Walnut Creek, CA

American Express may require separate approval.

All logos featured on this site are copyrighted by their owners. All Rights Reserved.
 

           

Your Complete One-Stop Electronic Payment Solution