The PCI DSS is the Payment Card Industry Data Security Standard--a set of standards put in place by the Payment Card Industry Security Standards Council (PCI SSC) to ensure a secure environment within all companies that process, store, or transmit cardholder data, and all of these companies have to comply with those standards. Put simply, it’s a set of standards put in place to ensure credit card security and safety within businesses.
Does my business have to comply?
Your merchant processing company (or bank) may require that you comply. They may also have signed you up with a PCI compliance company, to monitor your compliance.
But, is it a LAW?
No, it’s not a law. But if you are not compliant with the PCI DSS, you may be subject to fines, forensic audits, card replacement costs, brand damage, the list goes on. Aside from the costs to your business as a result of not complying, you may also want to consider the security of your customers. You want your customers’ sensitive credit card information safe from potential security breaches and vulnerabilities.
If it’s not a law, then who enforces it? Is it the PCI Council?
No, it’s not the PCI Council. The payment brands (Visa, MasterCard, American Express, Discover, JCB) and acquirers are the ones responsible for enforcing compliance. Your merchant processing company may also require your compliance as a condition of continuing to provide credit card processing to your business.
Is AllProWebTools PCI Compliant?
AllProWebTools employs continual vulnerability scanning, which constantly looks for flaws within our product and infrastructure and validates that current security-hardening best practices are in place. As PCI standards continue to evolve, AllProWebTools strives to keep pace with the latest recommendations for PCI Compliance.
AllProWebTools has regular PCI vulnerability scans run by two separate 3rd party companies. Each quarter, certifications of compliance are posted here: https://www.allprowebtools.com/PCI-Compliance-Certificates/.
So why am I getting a notice that my AllProWebTools website is not compliant?
There are 3 possible reasons. You will want to read the notice closely to determine which of these applies:
- It is time to update your SAQ
- A vulnerability scan found a critical problem
- A vulnerability scan found a recommendation or needs additional clarification
What’s the difference between the SAQ and actual “vulnerability scanning”?
The SAQ is a Self-Assessment Questionnaire, and it’s simply a form you have to fill out to validate your compliance with the PCI DSS. Every business has to complete this form.
Vulnerability scanning is a process in which an automated tool remotely inspects web applications and networks to find vulnerabilities within those systems.
Note: If you fail a vulnerability scan, you will be notified and you will have time to correct the issue. You should forward the notification on to AllProWebTools to be addressed.
Tell me more about the SAQ.
First of all, you have to select your specific SAQ form, based on several different factors. A useful chart can be found here, under Question 5: https://www.pcicomplianceguide.org/pci-faqs-2/#23. Once you’ve figured out which questionnaire you need, fill it out. It’s going to ask questions that only you as a business owner can answer, some of which don’t have anything to do with your website. (For example, whether or not you write credit card numbers on paper, and if you do, what you do with the piece of paper after you’re done with it.) AllProWebTools cannot fill out the SAQ for you because only you know the answers to those questions.
What is a PCI Compliance scan?
A PCI Compliance Scan is run by a company to help determine whether your business is compliant with the PCI DSS. Most PCI compliance companies will:
- help make sure you are compliant
- help you find the correct SAQ form
- run a vulnerability scan to make sure your website is compliant with the PCI DSS
Note: Make sure you are using an ASV (Approved Scanning Vendor) for your PCI Compliance and vulnerability scans. A list of ASVs can be found here: https://www.pcisecuritystandards.org/assessors_and_solutions/approved_scanning_vendors. These companies are not endorsed by the PCI SSC, but they do meet all PCI SSC requirements.
Becoming PCI Compliant can be a significant time investment. The time invested is well worth it to avoid needless risk and protect your business, your customers’ data, and your reputation.