PCI compliance is NOT optional when you process, store or transmit your customers' credit card payments. *Here is an FAQ to help clear the air:
- Whom does PCI apply to?
- If I only accept credit cards over the phone, does PCI still apply to me?
- Do organizations using third-party processors have to be PCI compliant?
- What are the PCI compliance ‘levels’ and how are they determined?
- What are the penalties for non-compliance?
- What is defined as ‘cardholder data’?
- What is the definition of ‘merchant’?
- What is a payment gateway?
- How often do I have to have a vulnerability scan?
- If I’m running a business from my home, am I a serious target for hackers?
- Is my business at risk?
- Are over-the-phone payment solutions too complicated to use?
Whom does PCI apply to?
PCI applies to ANY organization or merchant, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.
If I only accept credit cards over the phone, does PCI still apply to me?
Yes. All businesses that store, process or transmit payment cardholder data must be PCI Compliant.
Do organizations using third-party processors have to be PCI compliant?
Yes. Using a third-party company does not by itself exclude a merchant from PCI compliance. It may reduce the merchant's risk exposure and consequently the effort needed to validate compliance, but the merchant remains responsible for the parts of the environment it still controls and for confirming that the provider is itself PCI compliant.
What are the PCI compliance ‘levels’ and how are they determined?
All merchants fall into one of four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is the aggregate number of Visa transactions. Level 1 is the highest PCI compliance level and covers merchants processing over 6 million Visa transactions per year. The other card brands publish their own level definitions, which are broadly similar.
What are the penalties for non-compliance?
Fines can range from $5,000 to $100,000 per month for PCI compliance violations. The card brands levy these fines on the acquiring bank, which typically passes them on to the merchant.
What is defined as ‘cardholder data’?
The PCI SSC defines 'cardholder data' as the full Primary Account Number (PAN) on its own, or the full PAN along with any of the following:
- Cardholder name
- Expiration date
- Service code
What is the definition of ‘merchant’?
A merchant is defined as any entity that accepts payment cards bearing the logo of any of the five founding members of the PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.
What is a payment gateway?
A payment gateway connects a merchant to the bank or processor that acts as the front-end connection to the card brands.
How often do I have to have a vulnerability scan?
At least every 90 days (quarterly), and again after any significant change to the network. External scans must be performed by a PCI SSC Approved Scanning Vendor (ASV); a passing quarterly ASV scan is part of the evidence needed to validate compliance.
If I’m running a business from my home, am I a serious target for hackers?
Yes. Attackers go after the easiest path to card data, and home-based businesses are among the most vulnerable because they often run without the patching, network segmentation and monitoring that larger merchants have.
Is my business at risk?
Essentially any business that has a Merchant ID (MID), that is, any business that accepts card payments, is at risk.
Are over-the-phone payment solutions too complicated to use?
Not at all. Your customers call a toll-free number, enter their account information, and make a payment. Some over-the-phone payment systems can even store the customer's information keyed to the phone number they are calling from, so future transactions take less time. Some services also allow customers to take a picture of their bill and pay. The payment is then verified, accepted, and immediately applied to your customer's account. IVR Tech provides customized reporting that lets you see exactly when your customer paid, the form of payment used, and the result of the transaction.
To set up a free, no-risk consultation on how to deploy our solution, call us now at 800-438-1709.
*FAQ is based on questions and answers provided by the PCI Compliance Guide.
The current PCI Data Security Standard documents are published by the PCI Security Standards Council.