
PCI Compliance FAQs

Is your business PCI Compliant? If not, you might be at a higher risk for security breaches and/or subject to fines.

What is PCI DSS Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) encompasses a set of requirements established to ensure that all businesses who process, store, or transmit credit card information maintain a secure transaction environment.

Why is PCI DSS Compliance important?

PCI DSS compliance protects both the business and its customers. Businesses that are not PCI DSS compliant are at greater risk of security breaches and are subject to heavy penalties.

Which credit cards are covered by PCI DSS Compliance?

Credit cards covered include any debit, credit or pre-paid cards branded with the association or brand logos of the five major payment card brands: Visa, MasterCard, American Express, Discover and JCB International.

What are the PCI Compliance Levels?

Businesses are assigned to a level based on their combined transaction volume, including credit, debit, and pre-paid cards, over a 12-month period. The four levels (from fewest to most transactions) and their requirements are:

LEVEL 4: Small businesses that process less than 20,000 eCommerce transactions and less than 1 million other transactions annually. Level 4 businesses must complete an annual risk assessment using the appropriate PCI Self-Assessment Questionnaire (SAQ). Quarterly PCI scans may also be required.

LEVEL 3: Mid-sized businesses, those with between 20,000 and 1 million transactions annually, fall into this level. Level 3 businesses must complete an annual risk assessment using the appropriate PCI Self-Assessment Questionnaire (SAQ). Quarterly PCI scans may also be required.

LEVEL 2: Level 2 businesses conduct between 1 million and 6 million transactions yearly. Level 2 businesses must complete an annual risk assessment using the appropriate PCI Self-Assessment Questionnaire (SAQ). Quarterly PCI scans may also be required.

LEVEL 1: “Big box” stores and major corporations are Level 1 companies, which are defined as having a minimum of 6 million transactions per year. In addition to an annual internal audit conducted by a qualified PCI auditor, Level 1 companies may also be required to undergo quarterly PCI scans.

What is the PCI Self-Assessment Questionnaire (SAQ)?

A validation tool intended to help businesses self-evaluate their PCI DSS compliance.

How often does a business need to complete the Self-Assessment Questionnaire (SAQ)?

All businesses must complete an annual SAQ. The business will receive an email from TSYS/Sysnet Global Solutions or Merchant Protection Program stating that the PCI DSS validation will expire soon. The email will provide a link to the compliance website.

What is a PCI Scan?

A quarterly test of system components, processes, and custom software to verify that security controls are in place.

How will a business know if it needs to complete a quarterly PCI scan?

The business will receive an email from TSYS/Sysnet Global Solutions or Merchant Protection Program informing it of an upcoming PCI DSS scan. The email will provide a link to the scan dashboard.

If you have any questions regarding PCI compliance or your compliance status, contact the compliance support team at 800.571.3928.

Visit bit.ly/SysnetSteps for a step-by-step user guide.

CUSTOMER SERVICE TIPS

GENERAL TIPS

• If you receive a gratuity greater than 20% of the original sale amount, and the customer is paying by credit card, the recommendation is to process a separate sale for the gratuity. Obtain signatures on both credit card receipts.

• If you process online payments, please verify CAPTCHA and fraud controls are enabled on your website.

• A minimum transaction amount or a surcharge amount cannot be imposed on debit, prepaid, or gift card transactions.

• Partial Authorization may be enabled on your terminal. If the credit card receipt displays “Amount Due” you must collect the remaining balance by another form of payment.

• Reconcile your processing statement with your daily settlement report and your bank statement. Contact customer service if you have any discrepancies.

Reach Customer Service at 800.563.5981, option 2.

• We suggest processing a reversal instead of a void. The cardholder will see the pending reversal on their account immediately, whereas a void can take up to 10 business days. In addition, you cannot void a PIN debit transaction.

• Security Code Verification (CVV) requires the 3-digit code on the back of the credit card, or the 4-digit code on the front of an American Express credit card. If it doesn’t match the credit card, you will receive a No Match response and have the option to cancel the transaction.

• Password Protection requires a password for all returns, reversals, force capture, reports, etc.

• Check the credit card receipt to make sure the customer name and credit card number on the card are identical to those on the printed credit card receipt.

FRAUD CONTROL

If you receive a request to wire money or to ship merchandise out of the country, please call customer service to discuss before processing the transaction.

Terminal functions that assist with fraud control:
