What does PCI stand for?
PCI stands for Payment Card Industry. The fuller term is PCI DSS, the Payment Card Industry Data Security Standard.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment; essentially, any merchant that has a Merchant ID (MID).
The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB.).
Who created PCI-DSS?
PCI-DSS was created by the five major card brands (Visa, Mastercard, American Express, Discover and JCB International) to help in the fight against payment card fraud. The PCI-DSS rules are promulgated by the Payment Card Industry Security Standards Council (PCI-SSC), the governing body and open forum responsible for developing, managing, educating about and raising awareness of the PCI standards.
Is PCI-DSS the law?
No. PCI-DSS is not the law. There’s been no federal or state legislative body that’s stepped in to promulgate PCI rules or regulations. PCI-DSS exists today as a matter of contract. PCI-DSS is a creation of the five major credit card brands. When you, as the merchant, decide to accept payment with credit cards bearing the Visa, Mastercard, American Express, Discover or JCB logo, you have agreed to maintain PCI compliance under the terms of your agreement with each of the card brands or their authorized agents.
Why does PCI exist?
PCI-DSS exists to help you, as a merchant, safely and securely store, process and handle sensitive cardholder data. Again, any business that accepts credit cards is subject to the PCI standards.
To whom does PCI apply?
PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.
Do organizations using third-party processors have to be PCI compliant?
Yes. Merely using a third-party company does not exclude a company from PCI compliance. It may cut down on their risk exposure and consequently reduce the effort to validate compliance. However, it does not mean they can ignore PCI.
What constitutes a Service Provider?
Any company that stores, processes, or transmits cardholder data on behalf of another entity is defined to be a Service Provider by the Payment Card Industry (PCI) guidelines.
My business has multiple locations, is each location required to validate PCI Compliance?
If your business locations process under the same Tax ID, then typically you are only required to validate once annually for all locations. You would also need to submit quarterly passing network scans by a PCI SSC Approved Scanning Vendor (ASV), if applicable. If each business location has its own Tax ID, then a separate PCI compliance form is required per location.
What PCI-DSS requirements do I need to follow?
Well, that depends. Depending on a merchant’s annual transaction volumes, it could fall under one of four different levels for compliance purposes, and each level has different requirements and obligations.
What is a payment gateway?
Payment Gateways connect a merchant to the bank or processor that is acting as the front-end connection to the Card Brands. They are called gateways because they take many inputs from a variety of different applications and route those inputs to the appropriate bank or processor. Gateways communicate with the bank or processor using dial-up connections, Web-based connections or privately held leased lines.
Processing flow:
Club Entity (Merchant) > ClubReady (Service Provider) > Gateway > Merchant Processor (communicates with the end user's bank) > Merchant's Bank.
What is the definition of merchant?
For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.
What are the four different merchant levels? How are they determined?
Merchant levels are tied to total Visa transactions run over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant’s “DBA,” or “doing business as.” Visa defines merchant levels by the following criteria:
Level | Description
1 | Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year.
2 | Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year.
3 | Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.
4 | Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year.
Most ClubReady subscribers will be considered Level 4 merchants.
What does a small-to-medium sized business (Level 4 merchant) need to do in order to satisfy the PCI DSS requirements?
Complete the following steps:
- Determine which Self-Assessment Questionnaire (SAQ) your business should use to validate compliance.
- Complete the SAQ according to its instructions.
- If applicable, complete and obtain evidence of a passing vulnerability scan by a PCI-SSC Approved Scanning Vendor (ASV). Note: scanning does not apply to all merchants; it is only required for SAQ A-EP, SAQ B-IP, SAQ C, SAQ D-Merchant and SAQ D-Service Provider.
- Complete the relevant Attestation of Compliance (AOC) in its entirety (found in the SAQ tool).
- Submit the SAQ, evidence of a passing scan (if applicable), and the AOC, along with any other requested documentation, to your acquirer.
What is the PCI Self-Assessment Questionnaire (SAQ)?
The SAQ is a set of data security requirements (technical and non-technical) in the form of a questionnaire designed to ensure you are handling payment transactions in a secure manner relevant to your business profile. Here are some points that may help you answer the questions the SAQ asks:
1. The ClubReady system is a Virtual Terminal
2. ClubReady is PCI compliant and is certified with the card brands specifically for PCI
3. You do not store card or cardholder data in your own systems for POS or recurring payments. The ClubReady system gathers and stores all card and cardholder data electronically on your behalf
4. ClubReady truncates the card number so only the last 4-digits are displayed in the member profile and POS screen
How do I know which SAQ to use?
If you have questions about the correct SAQ, the SecureTrust™ tool can be used to guide you to the right form. Please note that ClubReady cannot provide you with legal advice or the correct SAQ to use.
Where can I find more in-depth information on the SAQ process and PCI-DSS in general?
The Payment Card Industry Security Standards Council website (www.pcisecuritystandards.org) includes some great resources, including the SAQ instructions and guidelines.
Where does ClubReady fall in the spectrum of parties providing a payment service?
ClubReady is a “payment facilitator,” or “PayFac.”
One common misconception is ClubReady is a payment processor: we’re not. ClubReady has partnered with Worldpay, Inc. (“Worldpay”), a third party, for its payment processing services. Although somewhat oversimplified, it’s fair to think of Worldpay as the “rail network” upon which ClubReady’s “payments engine” runs.
As a payments facilitator, ClubReady has its own proprietary technology, CR Payments™, which enables seamless credit card processing through the ClubReady System. ClubReady is set up as the primary merchant account holder and you, our subscriber, are set up as our sub-merchant.
From a PCI-DSS perspective, ClubReady has heightened compliance obligations over and above the typical merchant.
If I’m a fully-managed subscriber to the ClubReady System and ClubReady has met its PCI obligations, can’t I just piggy-back on that and say I’m compliant too?
Unfortunately, no. Even as a sub-merchant, because you accept credit card payments at the club or studio level, you will be required to maintain some level of PCI compliance. Again, cardholder data theft can occur at any point of weakness in the payment chain. This includes any point of weakness originating at the club or studio level (for example, at the sales desk or point-of-sale kiosk). There is no such thing as a "pass-through" for PCI compliance efforts. While ClubReady's PCI compliance efforts do benefit our entire subscribership, including you, individual sub-merchants/subscribers must take appropriate steps of their own to do their part and validate their own PCI compliance.
But what if I don’t actually store any credit card data at my club or studio? Does PCI still apply?
Yes. If you accept credit or debit cards as a form of payment, and those credit or debit cards bear the logo of Visa, Mastercard, American Express, Discover or JCB, then the PCI standards will apply to you.
What happens if I don’t comply? What are the consequences?
The worst consequence of a failure to comply with PCI requirements is you suffer a data breach, cardholder data is lost, and your business suffers financially as a result. Separate and apart from monies that may have to be paid out in claims, a data breach could tarnish your reputation and keep new business away.
Putting aside the unfortunate possibility of a data breach, failing to comply with PCI standards creates potential liability for the other parties within the chain of payment services. For example, the card brands may, at their choosing, fine the acquiring bank – which is the bank linked to the primary merchant account – between $5,000 and $1,000,000 per month for PCI compliance violations. These banks will most likely pass along the fine until it eventually hits you at the merchant level. It’s likely the bank would also terminate its business relationship with you, or ClubReady, or increase its transaction fees across the board to make up for its losses. Penalties are not widely discussed or publicized, but they can be extremely harmful to a business. It’s definitely in your and everyone else’s interest to comply with PCI-DSS.
What is ClubReady required to do to maintain PCI compliance?
As a payment facilitator, ClubReady is required to maintain heightened PCI compliance standards compared with typical merchants. Each year, we invest thousands of dollars in the security of our technology systems and are constantly refining our processes. Each year, to maintain PCI compliance, ClubReady is required to undergo a rigorous audit by an independent third-party security firm.
It is important to note that PCI compliance is one facet of a broader data security plan. Although ClubReady has made an intentional choice not to broadcast our security measures to potential bad actors, ClubReady employs both online and offline measures to protect Subscriber and End User Data. Those interested in learning more can review ClubReady's Privacy Policy or request a copy of our Data Security Whitepaper.
Why am I charged a “PCI Fee”?
The costs associated with implementing, overseeing and managing a comprehensive security program, including maintaining PCI compliance, are significant. These costs add up to tens of thousands of dollars each year. ClubReady charges our subscribership a “PCI fee” to help cover the administrative costs of maintaining these programs and maintaining PCI compliance at the level of a service provider. ClubReady, as a payment facilitator and holder of the primary merchant account, has a significant interest in seeing that all of our subscribers (as sub-merchants) maintain PCI compliance. A portion of the PCI fee goes toward covering the cost of oversight and providing tools and other resources that support our collective PCI compliance efforts.
Can the full credit card number be printed on the consumers copy of the receipt?
PCI DSS requirement 3.3 states: Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed). While the requirement does not prohibit printing of the full card number or expiry date on receipts (either the merchant copy or the consumer copy), please note that PCI DSS does not override any other laws that legislate what can be printed on receipts (such as the U.S. Fair and Accurate Credit Transactions Act (FACTA) or any other applicable laws). See the note under PCI DSS requirement 3.3. Also bear in mind that a merchant copy of a receipt carrying the full PAN is stored cardholder data: it is in scope for PCI DSS and must be physically protected and securely destroyed when no longer needed, so printing only the last four digits is the safer default.
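As an added illustration of the display-masking limit quoted above (and of the last-four-digits truncation described under the SAQ tips), the following Python is example code written for this page; it is not ClubReady's code and does not describe how CR Payments works. It masks a PAN to at most the first six and last four digits, truncates to the last four for profile or POS display, and scans receipt or log text for PANs that were left unmasked. The 4111 1111 1111 1111 value is a well-known test card number used as constructed input; the Luhn check and 13 to 19 digit length are assumptions about what counts as a PAN, not anything the page states.

```python
import re

# Maximum digits PCI DSS requirement 3.3 allows to be shown (assumption: we treat
# the quoted "first six and last four" as a hard upper bound for any display).
MAX_LEADING = 6
MAX_TRAILING = 4

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ \-]?){13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so that arbitrary digit strings are not treated as PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalise_pan(raw: str) -> str:
    """Strip separators and reject anything that is not a Luhn-valid 13-19 digit PAN."""
    digits = re.sub(r"[ \-]", "", raw)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN: expected 13 to 19 digits")
    if not luhn_valid(digits):
        raise ValueError("not a PAN: Luhn check failed")
    return digits


def mask_pan(raw: str, leading: int = MAX_LEADING, trailing: int = MAX_TRAILING) -> str:
    """Mask a PAN for display. Callers may show fewer digits, never more than 3.3 allows."""
    if leading > MAX_LEADING or trailing > MAX_TRAILING or leading < 0 or trailing < 0:
        raise ValueError("requested display exceeds PCI DSS 3.3 limits")
    digits = normalise_pan(raw)
    hidden = len(digits) - leading - trailing
    tail = digits[-trailing:] if trailing else ""
    return digits[:leading] + "*" * hidden + tail


def last_four_only(raw: str) -> str:
    """The truncated form for a member profile or POS screen: only the last four digits."""
    return mask_pan(raw, leading=0, trailing=4)


def find_unmasked_pans(text: str) -> list:
    """Return every full, Luhn-valid PAN found in text (a receipt template, a log line)."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        try:
            found.append(normalise_pan(match.group(0)))
        except ValueError:
            continue            # a digit run that is not a card number
    return found


if __name__ == "__main__":
    # Constructed sample: a receipt line that leaks the full PAN, and the fixed one.
    leaky_receipt = "Card: 4111 1111 1111 1111  Amount: $49.00"
    safe_receipt = "Card: " + last_four_only("4111 1111 1111 1111") + "  Amount: $49.00"
    print(mask_pan("4111 1111 1111 1111"))        # 411111******1111
    print(safe_receipt)                             # Card: ************1111  Amount: $49.00
    print(find_unmasked_pans(leaky_receipt))       # ['4111111111111111']
    print(find_unmasked_pans(safe_receipt))        # []
```

The scanning function is the practical check: run it over receipt templates, application logs and support exports before they leave the cardholder data environment, since a full PAN in any of those places is stored cardholder data whether or not it was meant to be.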
Does ClubReady provide any specific tools that will help me comply? What is SecureTrust™?
You, like ClubReady, have your own PCI compliance obligations as a merchant. You are not responsible for ClubReady’s compliance efforts, nor are we responsible for yours. PCI compliance is a creature of contract and dictated by common sense – we both have an affirmative obligation to do our part.
That said, ClubReady may, from time to time, provide our subscribership with access to certain tools and other resources that can be used to aid in meeting one’s PCI compliance obligations. One of these tools is called SecureTrust™. Although SecureTrust™ can’t guarantee compliance, or “do the work for you,” this tool can help pin-point trouble areas, provide more in-depth answers on PCI-related questions, and guide the SAQ submission process.
It’s important to note that SecureTrust™ is a third party not affiliated with ClubReady in any way. Questions about SecureTrust™ can be directed to SecureTrust at (800) 363-1621, or at support@validatepci.com.
How should I go about filling out my PCI compliance survey?
If the studio has already been registered but has not completed the survey, reach out to SecureTrust. SecureTrust has an online platform at https://portal.securetrust.com/ for managing your account and services and for initiating online chat. They also provide email and phone support if you prefer: support@validatepci.com and (312) 267-3212, option 1. Phone support covers all countries and is available 24 hours a day, 7 days a week, year round, including holidays.