PCI Data Security

Make data security a priority

Our Level 3 processing solutions have built-in tokenization security. If cardholder data is entered directly into your software application, that application is considered a payment application and falls in scope for PCI. Tokenization (storing customer profiles off site) is the best practice when designing your card acceptance strategy: it eliminates the risk of exposing the actual sensitive data while making it faster, easier and less expensive to meet quarterly and/or annual PCI compliance requirements.

What is PCI?

PCI is short for PCI DSS, which in turn stands for Payment Card Industry Data Security Standard. PCI DSS is the data protection standard for payment card data security and defines how that protection should be implemented. In practice, this means that PCI is good not only for protecting card data but also for protecting other payment data, such as bank account information, and any personally identifiable information you may hold about your customers and employees. Specifically, PCI prohibits the storage of the full contents of any magnetic-stripe, CVV2 or PIN data. Storing this type of data violates PCI DSS and the card company operating regulations. PCI also sets security requirements for transmitting card data.

PCI Compliance is a requirement

If you accept card payments, the card associations require that all merchants validate PCI DSS compliance. Businesses that are not in compliance risk compromise, fines, and the loss of their ability to accept card payments. At a minimum, every business accepting card payments should complete the Self-Assessment Questionnaire (SAQ). Once the SAQ is complete, you may find that your business also requires vulnerability scanning if you transmit card data over the internet.

Note the SAQ that represents how you accept card payments:

  • SAQ A – Card-not-present merchants, all cardholder data functions outsourced (for example, the use of a hosted shopping cart, checkout page or tokenization solution).
  • SAQ B – Merchants with only imprint machines, or only dial-out terminals / POS systems over phone lines, or wireless terminals with a SIM chip. No electronic cardholder data storage.
  • SAQ C-VT – Merchants with web-based virtual terminals, no electronic cardholder data storage.
  • SAQ C – Merchants with payment application systems connected to the internet, no electronic cardholder data storage.
  • SAQ D – All other merchants, including those using WiFi networks, and all service providers defined by a payment brand as eligible to complete an SAQ.

To learn more about PCI and compliance, visit our PCI resource page at http://www.vantagecard.com/pci.

There is a difference between security and compliance

While PCI compliance validation is a mandated point-in-time measurement of your security readiness, the underlying security requirements must be adhered to on a daily basis. In the event of a data compromise, merchants face significant fees and fines. PCI DSS validation does not change the responsibilities associated with your merchant account in the event of a data compromise.

To keep sensitive data off your network and systems, we recommend that you use a token in place of the original payment data. This is of particular importance in business-to-business and business-to-government sales environments, where repeat and recurring orders are the norm. Use our Secure Checkout feature to avoid becoming a target of data security attacks by getting out of the business of transmitting, processing and storing sensitive card data.

Please contact us with questions about PCI or about solutions to safeguard payment data.

Contact Us for a Free Consultation