PCI Policy & Procedures

All card processing merchants, regardless of their processing provider, are required to maintain compliance with the Payment Card Industry Data Security Standards (PCI DSS). The PCI DSS details security requirements for members, merchants and service providers that store, process or transmit cardholder data. This means that the processes and applications by which your business processes and handles credit and debit card data must abide by the standards set forth by the PCI Security Standards Council. Visit www.pcisecuritystandards.org for more information. These standards were established by the major credit card associations. To demonstrate compliance with the PCI DSS, merchants are required to submit an attestation of compliance annually.

It is YOUR responsibility, as a merchant accepting credit and debit card payments, to safeguard customer card data by becoming PCI compliant. In order to comply with the card brands and avoid potentially stiff fines, Streamline Payments encourages all merchants meet PCI DSS requirements as soon as possible. For more information about your PCI compliance, visit www.controlscan.com/streamlinepayments or call 800-370-9180. Streamline Payments has partnered with ControlScan to assist you in understanding and meeting the requirements needed to validate and maintain PCI compliance. ControlScan’s PCI 1-2-3 Compliance Program is an easy-to-use solution that provides detailed support and easy access to:

  • ControlScan’s PCI 1-2-3 Self-Assessment Questionnaire
  • ControlScan’s PCI 1-2-3 Policy Builder
  • ControlScan’s PCI 1-2-3 Security Awareness Training
  • ControlScan’s PCI 1-2-3 Scanning (if applicable)
FAQs

Q. What is PCI DSS compliance?
A. Payment Card Industry Data Security Standard – or PCI DSS – is a set of parameters established by the card industry that is designed to ensure that a secure working environment exists for all merchants that process, store and transmit credit, debit and pre-paid card information. All merchants that accept payment cards must follow these requirements to be considered compliant.

Q. What is Streamline Payment’s PCI Program?
A. Acquirers like Streamline Payments are responsible for making sure their merchants are PCI Complaint. Streamline Payment’s program is an easy way for merchants to find out if they are PCI compliant and, if they are not, to make the necessary adjustments to their business to reach compliance. Streamline Payments has partnered with Control Scan, a leading provider of PCI compliance services, to assist merchants with this process.

Q. How do I find out if my business is compliant?
A. The process begins when you receive the email from Control Scan within the first month after your account is approved. You will start by visiting www.controlscan.com/streamlinepayments. Your merchant ID is your user name, and your initial password is welcome123 (you will be prompted to create a new password after your first login.) You will then be directed to fill out a Self-Assessment Questionnaire with information about your business. At that point, Control Scan will determine what steps you need to take to become compliant.

Q. What is the Self-Assessment Questionnaire?
A. The Self-Assessment Questionnaire (SAQ) is an intuitive, easy to use tool that Control Scan uses to collect information about your business practices and payment processing equipment. This information will determine the specific steps to need to take to make your business PCI compliant. The SAQ was designed for computer users at any skill level and includes expert help text and real-life examples to guide you. The SAQ must be completed annually, and some merchants need to complete a quarterly network security scan.

Q. Why is it important for merchants to become compliant?
A. PCI compliance is a key factor in the industry’s attempt to stop data security breaches. Non compliant merchants that experience security beaches are subject to:
• Mandatory forensic audit (even if breach is only suspected)
• Victim notification, card reissuance and chargeback costs
• Data loss and operations disruption
• Damage to reputation and brand
• Possible business closure
Fines for non-compliant merchants that experience a breach can be as high as $500,000 per occurrence. The future of your business may depend on compliance.

Q. I am a very small merchant with fewer than 20,000 transactions annually. Do I need to be compliant?
A. Yes. All merchants, at all levels of size are now required to be PCI Compliant. At a recent industry summit, experts reported that hackers are now targeting small and mid size businesses, believing that they are easier targets. In fact, industry reports say that approximately 85 percent of security breaches occur in small businesses. While ever merchant may not need to follow every requirement, all merchants must determine what their requirements are and take steps to ensure their businesses are compliant.

Q. I don’t store magnetic strip data. SO I still need to be complaint?
A. Yes! While merchants that store magnetic strip data are particularly vulnerable to security concerns, any merchant can experience a data breach. Some have missing or outdated security patches, vendor-supplied default settings and passwords, poor business practices or simple employee dishonesty or theft. Any or all of these conditions can lead to a security breach, even without stored magnetic strip data. Following the PCI DSS requirements for compliance greatly reduces the risk to your business.

Q. What is a network security scan, and do I need one?
A. The quarterly network security scan is part of the PCI compliance requirements for merchants that electronically store cardholder data after authorization, or for those who have any processing systems with internet connectivity. If this is true for your business – this will be determined when you take the Self-Assessment Questionnaire at www.controlscan.com/streamlinepayments – you’ll need to have a passing scna through ControlScan once per quarter (approximately every 90 days). This scan will include your web, mail, application and domain name servers, as well as any virtual hosts or filtering devices. The scan will look for any security vulnerabilities in these areas, and ControlScan will provide you with guidance on how to make the nexessary changes. You don’t need any additional software for the scan, but you will need to set your IPS to not block the scan.

Q. If I do have a security breach, I am not sure I can afford the thousands of dollars in industry fines and expenses. Is there anything else I can do?
A. Yes. Streamline Payment’s PCI Program is an innovative product designed specifically to help merchants meet the potentially devastating expenses that result from a suspected or actual breach of customer’s payment data. The program offers up to $50,000 of coverage against expenses if a security breach occurs. For more information about this program, please contact your sales representative.