PCI FAQ

What is PCI?

PCI DSS is the acronym for the Payment Card Industry Data Security Standard. In December 2004 the payment card industry, including Visa, Mastercard, Discover and American Express, agreed upon a unified security standard that meets the requirements of each company's individual security standard.


How does the SafeMerchant Payment Page help me comply with PCI?

See the Visa CISP FAQ, question #3. The environment that stores, processes or transmits credit card data must comply with the PCI standard.


How do I know SafeMerchant is Safe?

PCI only represents a data security standard. The only way anyone is protected is to ensure that the PCI practices are being followed. SafeMerchant goes above and beyond the requirements of a Level 1 payment gateway by hiring third-party on-site audits from multiple vendors on a monthly basis, as well as the required yearly on-site audits. We also adhere to our own internal audits as agreed to in our PCI Enterprise Security Policy.


What do I do if I believe I have been compromised?

If you are a customer of SafeMerchant you should notify our Computer Security Intrusion Response Team via https://safemerchant.com/csirt . We will act on your behalf to determine if credit card or other Personally Identifiable Information has been compromised. If so, we will assist you in reporting the incident. If you are not a customer of SafeMerchant, contact Visa immediately. More information can be obtained via Visa's website. It is your responsibility as a merchant to take action immediately. The fines for knowingly withholding information when a compromise has occurred start at $100,000.00.


I'm using a Payment page from another vendor that claims PCI compliance. Am I still protected?

Even though you are using a payment page you should make sure that you have a contract with your vendor that specifically addresses PCI compliance. This assures that everyone is taking the appropriate measures to protect cardholder information.


I am currently using an API integration method from another vendor. I'm encrypting the information and sending it over SSL, so it has to be secure, doesn't it?

Unfortunately, most if not all APIs do not meet PCI standards unless your entire web infrastructure meets PCI standards. When you utilize an API to authorize credit cards you are personally collecting and transmitting credit card information from your website. Nine times out of ten, cardholder information is being stored as well. Refer to FAQ question #1 above. SafeMerchant offers the DirectAuth API to merchants who have taken the steps to become PCI compliant themselves; this assures that cardholder information is always protected.


I've seen payment pages before and I don't like them. They take you to a different URL and they are ugly. Do I have to use a payment page to be PCI compliant?

The answer is NO you do not. If you are willing to take the steps outlined in the PCI standard including significant hardware and software modifications, you can meet the PCI standards and still use an API integration method.

Here are just a few of the things you will need to address to become compliant.
  • Your database will need to be maintained on a separate machine from your website.
  • You will need to make sure that cardholder information is being encrypted properly.
  • You will need to author an Enterprise Security Policy that is designed to protect cardholder information.
  • Each component of your website will need to be separated. You cannot have your shopping cart on the same server as your email. If you are hosting a blog or an online support desk on the same server or web hosting account, they will need to be segregated.
  • You will need to fill out a PCI self-assessment questionnaire every year and pass at 100%. You cannot claim PCI compliance just because your API payment gateway vendor is PCI compliant. The self-assessment document can be found here.
  • You will need to purchase an account with an approved vulnerability scan vendor. A list of approved scan vendors can be found here: https://sdp.mastercardintl.com/vendors/vendor_list.shtml
  • Your company will need to conduct background checks on every employee that has access to or accepts credit card information or web infrastructure.
  • Your shopping cart process code will need to be hardened to address cross-site scripting, SQL injection and other application-level vulnerabilities.
  • There are many other provisions that have to be met to be considered compliant if you choose to do it yourself. It usually takes between 6 months and 1 year to become compliant. Feel free to contact us if you would like to become PCI compliant. We will be happy to offer advice and to get you started in the right direction.s will soon demand PCI security in the very near future. Merchants that adopt PCI now will have a competitive advantage over those that do not promote PCI Data Security. You can review the PCI Best Practices by visiting this link.
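As an added illustration of the "hardened shopping cart code" point above (example code written for this FAQ, not SafeMerchant's own or any real cart's), the block below shows the two most common application-level defects side by side with their fixes: an order lookup that splices a customer-supplied value into SQL next to one that binds it as a parameter, and a receipt template that echoes the customer name raw next to one that HTML-encodes it. The `orders` table and its three rows are constructed sample data held in an in-memory SQLite database; no real cardholder data is involved.

```python
import html
import sqlite3


def make_db():
    """Build a constructed in-memory orders table standing in for a cart database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)"
    )
    # Sample rows (constructed for this example).
    conn.executemany(
        "INSERT INTO orders (customer, total) VALUES (?, ?)",
        [("alice", 19.99), ("bob", 42.00), ("carol", 7.50)],
    )
    conn.commit()
    return conn


def lookup_orders_vulnerable(conn, customer):
    """SQL injection defect: the user-supplied value becomes part of the SQL text,
    so quote characters in it change the query's meaning."""
    sql = f"SELECT customer, total FROM orders WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def lookup_orders_hardened(conn, customer):
    """Fixed form: a bound parameter is sent as data, never parsed as SQL grammar,
    so the same input can only ever match a literal customer name."""
    sql = "SELECT customer, total FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


def render_receipt_vulnerable(customer):
    """Cross-site scripting defect: user input is written into HTML unencoded,
    so markup in the name is interpreted by the browser."""
    return f"<p>Thank you, {customer}!</p>"


def render_receipt_hardened(customer):
    """Fixed form: contextual output encoding turns <, >, &, " and ' into entities,
    so the browser renders the name as text rather than as markup."""
    return f"<p>Thank you, {html.escape(customer, quote=True)}!</p>"


if __name__ == "__main__":
    db = make_db()
    # The classic textbook tautology input; the vulnerable lookup returns every order,
    # the hardened one returns nothing because no customer has that literal name.
    probe = "x' OR '1'='1"
    print("vulnerable rows:", lookup_orders_vulnerable(db, probe))
    print("hardened rows:  ", lookup_orders_hardened(db, probe))
    print(render_receipt_vulnerable("<b>alice</b>"))
    print(render_receipt_hardened("<b>alice</b>"))
```

The parameterized lookup is the only one of the two that a PCI assessor or scan vendor will accept; the same idea (bound parameters, never string-built SQL, and encoding on every output to HTML) carries over unchanged to Perl DBI, PHP PDO, JDBC and ADO.NET, which are the platforms this FAQ names elsewhere.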

Is the SafeMerchant Payment Gateway compatible with my shopping cart software?

The answer is yes. SafeMerchant is compatible with any programming language, including Perl, PHP, Java, ASP and .NET. If you are using a popular shopping cart we will either provide you with a compatible payment module or we will write one for you at no charge. We also enjoy assisting our customers with our products. In many cases we can integrate our payment page into your checkout process for no additional charge.


What are the risks of non-compliance?

Check out our PCI Risk Calculator https://safemerchant.com/risk


I do not know the difference between an API and a payment gateway. How can I tell how my website is set up now?

You can contact us directly so we can help you determine how your website is currently set up, or you can review our Merchant Security Assessment, which explains the difference in simple terms.


Can a scan vendor make my site PCI compliant?

Vulnerability scanning is a requirement of PCI compliance, but it is not the only requirement. Your bank may require that your website is scanned by a qualified scan vendor, but technically, if you utilize the SafeMerchant Payment Gateway, your site will meet PCI compliance because all of the requirements are taken care of for you. The list of qualified PCI compliant vendors, including SafeMerchant, can be found here.


How can I find out whether or not I need SafeMerchant?

The best place to start is to take 4 or 5 minutes to fill out our Merchant Security Assessment so that we can help you make a few minor changes to your business practices that could save you tens of thousands of dollars in the event of a security breach. It is also very informative.


What else can I do to protect sensitive information, including cardholder data?

Here is a link to a poster we found on visa.com. Check it out here.