PCI-DSS Frequently Asked Questions (FAQs)
How long does the SAQ take?
The average business completes the SAQ in under 30 minutes. The ExpertPCI™ system shortens the process because much of the research is done for you and many questions can be pre-answered based on how you process credit card transactions.
Keep in mind – the questionnaire tracks where you are in the process so you can leave at any time, log back in and take up where you left off.
Is compliance a one-time requirement?
No. Compliance is an ongoing requirement. The card associations require all businesses that accept credit cards to remain in compliance at all times. All businesses accepting credit cards as a form of payment must complete a SAQ:
- Annually at a minimum
- Any time the way credit cards are processed changes.
Scanning, if required, must occur at least quarterly.
What if a merchant does not want to participate in this program?
PCI compliance is not optional. All businesses accepting credit cards as payment are required to comply with PCI-DSS.
What will getPCICertified do to help me?
getPCICertified will assist you in completing the Security Assessment Questionnaire (SAQ) and quarterly scan (if applicable). Phone, email and live support are readily available to all getPCICertified clients.
How do I register to begin the SAQ or SAQ/Scan process with getPCICertified?
Simply go HERE, complete the form, pay and begin the process.
What if my credit card processor either adds a PCI fee to my bill or tells me I need to complete their compliance?
This is simply false. If you supply your processor with valid proof of compliance, they absolutely must accept it and remove the fee from your bill. If they don't, simply contact us and we'll advocate on your behalf to the PCI-DSS Security Council.
What is "PCI-DSS"?
PCI DSS stands for ‘Payment Card Industry Data Security Standard’. This is a technical and broad-ranging set of security requirements created by the Payment Card Industry specifying what merchants need to do to protect customer payment information. The PCI Council requires that merchants meet a set of security requirements if their business accepts, transmits, or processes customer payment cards (credit or debit cards). Merchants that do not comply with these requirements can be penalized in a number of ways, up to and including having their card processing privileges revoked, leaving them unable to accept customer payment cards.
Why am I being made to do this?
PCI was created and is enforced by the Payment Brands (Visa, MasterCard, Discover, American Express, etc.). View the security standard not only as a way to ensure that your business protects your customers' payment data, but as a way for all consumers (yourself included) to have the security of knowing that their card data is handled safely wherever they choose to shop.
What is meant by "Compliance"?
Compliance means meeting all of the requirements laid out in the Payment Card Industry Data Security Standard. The requirements of compliance are the same for ALL merchants, large or small. However, smaller merchants typically avoid many of the compliance problems that larger organizations face, because their systems and networks are usually simpler.
I have a PA-DSS POS, why do I need to do anything else?
Using a PA-DSS certified Point of Sale device is a good idea, but it does NOT make you compliant. It just means that you have avoided one way of failing. You still need to complete an SAQ and fix any other problems identified through the SAQ.
Why is compliance important?
Non-compliance leaves you vulnerable to fraudulent activity and data compromise. If your customers' card information is compromised, the reputation of your business may be seriously damaged and you may incur significant expenses.
Why should I become compliant?
Besides being the responsible thing to do for your customers, the credit card associations have provided incentives to compel merchants to become and remain compliant. The incentives include "safe harbor" from certain penalties and fines if a merchant is compliant at the time of a breach.
Without compliance, if a merchant is breached and has credit card information stolen, PCI-related fines can be as high as $500,000 per incident, depending on the size of the breach. In severe cases, merchants can even be given the ultimate penalty, which prevents the merchant from accepting credit cards.
How do I know if my business is at risk for a security breach?
As card acceptance technology and techniques have evolved, payment card fraud has become more sophisticated. Every business that stores or transmits cardholder account data is a potential target. getPCICertified helps ensure that merchants' systems are secure and PCI compliant.
Does having PCI insurance supersede the need for the getPCICertified SAQ or scanning?
No. The PCI Insurance provides merchants with up to $50,000.00 in "damages" if a site is compromised. It does not mean that a merchant is automatically compliant because they are a policy holder. Proof of compliance is an industry-wide requirement and will need to be performed by all merchants accepting electronic payments. The insurance policy will only be in effect if your business is also compliant with the PCI-DSS standard and has annually completed a SAQ.
If I get my equipment from a processor, how could I be non-compliant?
Compliance encompasses more than just one thing. All entities that transmit, process or store payment card data must be compliant with PCI-DSS. PCI-DSS compliance is not limited to payment processing equipment. Compliance also covers the merchant's in-house procedures and how sensitive data is stored and handled.
If I have a dial terminal, perform the necessary SAQ and am deemed compliant, what will happen if I upgrade my terminal to a high-speed POS system?
The change will make your current SAQ invalid for the new scenario. You will need to log back in and change your SAQ. This is an easy process and does not require any additional fees.
How do I schedule a scan?
Most businesses do not require scanning. Completing the SAQ determines whether or not you need a scan. If you do, obtaining a scan will be included in your remediation. You can then register and pay an additional $199 for your scanning needs.
It is a good idea at this time to schedule scans every 90 days, as required.
Do I receive anything to prove that I’m compliant?
Yes. Once you have successfully completed the compliance program, getPCICertified will issue you a Certificate of Compliance. (Note: All certificates have an expiration date, either annually if you only need a SAQ or quarterly if scanning is required.)
What should I do with the Certificate of Compliance?
If you are an e-commerce merchant, you can display the certificate on your site. Otherwise, it is for your records and can be used as proof of compliance any time a request is made to your business to verify compliance.
What is this charge?
Our PCI compliance fee is $149.00 annually for access to your SAQ and customization of your PCI policies & procedures. If scanning is required, you will need to pay an additional $199 for the scanning service. Most businesses do not require scanning, but completion of the SAQ will determine whether or not your business requires the additional scanning service.
I have several locations. I shouldn’t have to pay the full rate for each location. What can you do?
If each location shares the same corporate owner and Federal Tax ID, we can look at reducing the fee on a case-by-case basis.
Will getPCICertified refund my fees if I decide not to complete my SAQ and compliance requirements?
getPCICertified stresses the importance of PCI certification; this is an industry-wide requirement. We do not offer a refund policy after initial registration.
My credit card processor has been charging me a non-compliance fee. Can getPCICertified waive the fees charged by my processor?
No, getPCICertified cannot waive the PCI compliance fees charged by your credit card processor. Once you have completed your compliance with getPCICertified, present the certificate of compliance to your credit card processor. They should cease charging you once they have valid proof of your compliance.
Do any other applications use your PCI Compliance?
Yes, quite a few. The latest company to complete compliance is LayawayPro, an online layaway software for retailers and consumers.