Security
FIS Merchant Services is proactively helping our merchants protect sensitive and confidential data by requiring them to become PCI compliant. To accomplish this, we've partnered with Trustwave to develop a program that helps merchants follow the Payment Card Industry Data Security Standard (PCI DSS). In addition, all of the terminals and solutions FIS sells are PCI compliant.
What is PCI compliance?
PCI compliance means abiding by the Payment Card Industry Data Security Standard (PCI DSS) in order to protect the cardholder data you handle.
Why should I become PCI compliant?
Protecting cardholder data is critical to your customers and to your business. By meeting the PCI DSS security requirements, you help keep your customers' data out of the hands of criminals. PCI compliance can also help you avoid severe fines.
Does PCI compliance apply to me?
The Payment Card Industry Data Security Standard (PCI DSS) applies to every organization that processes credit or debit card information, including merchants and third-party service providers that store, process, or transmit credit or debit card data. If your business matches that description, PCI compliance is a requirement.
What are the penalties and fines associated with a security breach?
Per the card associations, the penalties and fines for failing to comply with the requirements or to rectify a security issue can be severe; they range from $10,000 to $500,000 per incident. If a security breach occurs in your environment, you will be liable for the cost of the required forensic investigation, for fraudulent purchases, and for the cost of re-issuing cards. You may also lose your credit card acceptance privileges.
Do all businesses have the same requirements for validating their compliance?
The PCI Security Standards Council has developed levels to help categorize merchants and determine what actions are required to validate compliance. This is based on acceptance channel and transaction volume:
| Level | Merchant Classification Criteria | Compliance Validation Actions |
|---|---|---|
| 1 | Visa & Mastercard: Any merchant, regardless of acceptance channel, that: | Annual onsite audit; quarterly vulnerability scanning |
| 2 | Visa & Mastercard: Any merchant that processes 1 million to 6 million Visa or MasterCard transactions per year, regardless of acceptance channel | Annual PCI Self-Assessment Questionnaire; quarterly network scan |
| 3 | Visa & Mastercard: Any merchant that processes 20,000 to 1 million Visa or MasterCard e-commerce transactions per year | Annual PCI Self-Assessment Questionnaire; quarterly network scan |
| 4 | Visa & Mastercard: Any merchant that processes fewer than 20,000 Visa or MasterCard e-commerce transactions per year, or fewer than 1 million Visa or MasterCard transactions per year regardless of acceptance channel | Annual PCI Self-Assessment Questionnaire; quarterly network scan |
What can I do to make sure my business is PCI compliant?
1. Complete the TrustKeeper Risk Profiler
We've arranged for a FREE risk assessment for all our merchants through the TrustKeeper Risk Profiler tool. The tool helps determine whether the cardholder data you store, process, or transmit is vulnerable to unauthorized access. The results of your assessment provide the action steps you need to take to become compliant with the PCI DSS.
Using the TrustKeeper Risk Profiler:
Step One: Simply visit http://www.metavantemerchantservices.com and click on Trustwave's Risk Profiler.
Step Two: Answer a brief questionnaire that helps determine how you handle your customers' credit card data within your network.
Step Three: Depending on your risk level, you will be guided through the steps needed to comply with the PCI DSS using the TrustKeeper compliance portal. Simply follow the instructions you receive after completing the questionnaire.
2. Fill out the PCI Self-Assessment Questionnaire.
The PCI Self-Assessment Questionnaire (SAQ) is a list of questions used to assess your compliance with the requirements of the PCI DSS. There are four versions of the questionnaire to account for different merchant environments. Note that the PCI Security Standards Council revises the SAQs and has added further types in later versions of the standard, so check its site for the current list.
- SAQ A: Addresses requirements applicable to merchants who have outsourced all cardholder data storage, processing and transmission.
- SAQ B: Addresses requirements pertinent to merchants who process cardholder data only via imprint machines or standalone dial-up terminals.
- SAQ C: Focuses on requirements applicable to merchants whose payment application systems are connected to the Internet.
- SAQ D: Addresses requirements relevant to all service providers defined by a payment brand as eligible to complete an SAQ, and to merchants who do not fall under the types addressed by SAQ A, B or C.
For more information on the questionnaire, and to determine which one is right for your business, please visit: https://www.pcisecuritystandards.org/security_standards/index.php
3. Have a Network Vulnerability Scan.
A vulnerability scan is an automated, non-intrusive scan that assesses your network and Web applications from the Internet, that is, on your external-facing IP addresses; systems that are not reachable from the Internet are outside its scope. The scan identifies vulnerabilities or gaps that may allow an unauthorized or malicious user to gain access to your network and potentially compromise cardholder data. PCI DSS requires these external scans to be performed at least quarterly by a PCI SSC Approved Scanning Vendor (ASV) and to produce a passing result, so any issues found must be remediated and the scan re-run. The scans provided by Trustwave do not require you to install any software on your systems, and no denial-of-service attacks are performed.
Who can I contact regarding questions about PCI Compliance?
FIS Merchant Services is ready to answer your questions about PCI compliance. Please feel free to contact us anytime at 1.800.552.5828.
