Level 1 PCI Compliance
e-onlinedata works only with Level 1 Compliant Service Providers. Level 1 Service Providers must adhere to the strictest data security standards and must undergo and document an annual on-site PCI Data Security Assessment and quarterly vulnerability scans.
Visa: PCI Compliant Service Providers
MasterCard: PCI Compliant Service Providers
- Working with You to Protect Your Business and Your Customers
Payment Card Industry (PCI) compliance refers to a set of data security guidelines designed by the Payment Brands specifically to keep customers’ account data from being compromised. As the technology used in breaches evolves, and instances of theft continue to increase, data security is more important than ever. e-onlinedata is dedicated to working with you to protect your customers and your operations by helping you ensure that your business is PCI compliant.
- The Importance of PCI Compliance
Businesses that are PCI compliant not only help protect their customers’ information, they also portray a positive and trustworthy business image and build success by developing a high level of customer confidence. By being PCI compliant, you will help protect your business from breaches that can lead to significant fines, penalties, liability issues, a loss of productivity, and severe damage to business reputation. While following PCI requirements does not absolutely guarantee 100% protection against a breach, being PCI compliant does absolutely increase data security and helps protect businesses from easily avoidable threats.
- The Responsibility of Merchants and Service Providers
The area of PCI compliance which applies to merchants is called the PCI Data Security Standard (PCI DSS). The PCI DSS consists of 12 requirements developed by the PCI Security Standards Council. Any merchant or service provider (e.g. payment gateway, shopping cart, web hosting company, etc.) that accepts, handles, stores, or transmits credit card information is required by the Payment Brands to validate PCI compliance every year. Validate PCI compliance by following the steps outlined on the PCI compliance website. Once complete, please submit your validation documentation to e-onlinedata’s PCI Compliance Team. Compliance requirements continue to evolve as businesses change and new data security threats emerge. Taking the steps to be PCI compliant on an ongoing basis will help you make sure you maintain a high level of security for your business and your customers.
- PCI Compliance Validation
Already Validated PCI Compliance?
Merchants who have validated PCI compliance should send a copy of the submitted Attestation of Compliance and Self-Assessment Questionnaire (SAQ), as well as passing vulnerability scanning documentation if applicable, to E-onlinedata’s PCI Department. Please contact the E-onlinedata PCI Compliance Team to let us know if you have validated. All merchants who have not submitted validation documentation will be enrolled in the PCI Toolkit program, with the exception of merchants who qualify as “dial up terminal” or “touch tone” only merchants. These merchants will be mailed a paper version of the appropriate Self-Assessment Questionnaire for completion and return to E-onlinedata.
- PCI Toolkit
In order to make the required validation process simple and easy, E-onlinedata has partnered with PCI Toolkit, an Internet-based program which will walk merchants through the Self-Assessment Questionnaire (SAQ) and also set up vulnerability scans for processing systems with Internet connectivity. The PCI Toolkit is designed to help educate merchants on the steps that need to be taken to be PCI compliant. Additionally, if your business needs policies and procedures in place to become PCI compliant, PCI Toolkit will help you develop them. Please contact the E-onlinedata PCI Compliance Team to enroll in this service.
- Validation Requirements
Complete the Attestation of Compliance and Self-Assessment Questionnaire (SAQ) annually. All merchants and service providers must fulfill this requirement. The Attestation of Compliance can be found at the beginning of the SAQ. You need to fill out the SAQ appropriate for your business model (see SAQ A-D below). Please take measures to fill out the entire questionnaire correctly. Submissions may be reviewed if merchants are compromised, risk rated, or randomly audited. The SAQ is especially important because it details how businesses should operate in order to keep payment card data secure.
Tips for Minimizing Your Validation Requirements
Do not store credit card data that you don’t absolutely need.
It is not permissible to store more than the first six and last four digits of a payment card number, and you may not store the security code on the back of a card under any circumstances. The level of data security risk goes up with the amount of data stored. Proof of receipt is not a good reason to store a full credit card number; doing so puts you at a significantly higher risk of a breach and also makes your PCI compliance validation more complicated, time consuming, and more costly to complete.
Use alternative methods of storing data if you absolutely must hold onto it.
An example of using a different method for storing data for purposes such as recurring billing is to use a PCI compliant gateway that features storage options. Outsourcing this instead of storing the data yourself frees you from this particular source of risk.
Follow the PCI SSC’s Dos & Don’ts guidelines for additional tips on payment card data storage.
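The first tip above, applied in code: an added example (not e-onlinedata's or PCI Toolkit's code) of a storage-side sanitizer that keeps at most the first six and last four PAN digits and drops the card security code before a transaction record is persisted. The field names (`pan`, `cvv`, `pan_truncated`) and the constructed test card numbers are assumptions for illustration only.

```python
import re

# Assumed field names for illustration; adapt to your own record schema.
PAN_KEEP_LEADING = 6
PAN_KEEP_TRAILING = 4
# Sensitive authentication data: may never be stored after authorization.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvc", "cid", "security_code", "track_data", "pin"}


def normalize_pan(raw: str) -> str:
    """Strip spaces/dashes and require a plausible PAN length (13-19 digits)."""
    digits = re.sub(r"[\s-]", "", raw)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("value is not a plausible primary account number")
    return digits


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; catches typos before a truncated PAN is written."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(raw: str) -> str:
    """Return first six digits + mask + last four; the full PAN stays in memory only."""
    digits = normalize_pan(raw)
    hidden = len(digits) - PAN_KEEP_LEADING - PAN_KEEP_TRAILING
    return digits[:PAN_KEEP_LEADING] + "X" * hidden + digits[-PAN_KEEP_TRAILING:]


def sanitize_for_storage(record: dict) -> dict:
    """Build the only form of the record allowed to reach a database or log."""
    pan = normalize_pan(record["pan"])
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    # Drop the full PAN and every sensitive-authentication field, whatever
    # the caller passed in; keep the rest (amount, order id, etc.) as-is.
    safe = {k: v for k, v in record.items()
            if k != "pan" and k not in SENSITIVE_AUTH_FIELDS}
    safe["pan_truncated"] = truncate_pan(pan)
    return safe
```

Storing only `pan_truncated` still supports receipts and customer lookups, while a leaked database cannot yield a usable card number.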