(See also: PCI Compliance Fees and Requirements)
What is the PCI Data Security Standard (DSS)?
The Payment Card Industry (PCI) Security Standards Council (SSC) was formed by the PCI Data Security Standard (DSS) in 2004. PCI DSS is the set of security standards that every company processing payment card transactions must meet.
The purpose of PCI DSS is to improve cardholder data security and advance the use of consistent data security measures globally. It is a baseline of technical and operational requirements designed to protect cardholder data that applies to all entities that store, process, or transmit cardholder data. The standard supports data security with the rules needed for prevention, detection, and response to security incidents.
Who mandates PCI DSS compliance?
The card brands require businesses that process, store, or transmit card data to be compliant. The card brands also determine how those standards are to be met. A company is PCI DSS compliant when the standards that apply to its payment environment are met.
What is Aperia?
Aperia is Heartland’s preferred Qualified Security Assessor (QSA) guiding security strategies. They are also the Approved Scanning Vendor (ASV) managing the PCI DSS compliance process and streamlining PCI DSS compliance reporting.
Aperia provides a portal and a prioritized process to explain compliance gaps and the steps to fix them.
How is Heartland PCI Protection Valuable?
Heartland has been a leader in data security for over a decade. Your customers’ card data and the health of your business are of the utmost importance to us. As a value-added service, you are enrolled in the Heartland PCI Merchant Protection Plan, at no additional cost to you, which gives you access to Aperia, the third-party data security company we have partnered with, to assist you in achieving and maintaining your PCI compliance. Other data security companies that provide PCI validation can cost up to $100 per month.
Why is PCI DSS compliance important?
PCI DSS compliance is important because it protects you and your customers’ data, and because Heartland is required to report your PCI DSS validation status to the card brands. All business owners accepting cards have agreed to remain compliant.
Can I get help with the PCI DSS compliance process?
Yes, call Aperia and a team member will help walk you through the process.
- Aperia phone number: (844) 204-0412
- Hours of operation: 8:00 a.m. to 8:00 p.m. Eastern Time, Monday through Friday
Tip: The compliance process is a self-assessment questionnaire. Only the merchant, or someone from their organization who knows their payment environment, is able to answer the questions. Aperia explains what the questions mean to help you understand how to answer them.
What documentation is needed for PCI DSS compliance?
PCI DSS compliance items include:
- A signed Self-Assessment Questionnaire (SAQ) that meets the PCI SSC standards.
- An ASV scan completion certificate for processing transactions over the internet (IP terminal) or e-commerce, when applicable.
- A completed Aperia portal attestation for the SAQ and scans.
- A compliance certificate from Aperia, or proof of compliance from a different QSA vendor that is uploaded to the Aperia portal.
Can a Heartland relationship manager or customer care advocate answer questions on the SAQ for me?
No one can answer questions on an SAQ for you. Only you or someone from your organization who knows your payment environment can answer the questions. Heartland relationship managers and all other members of the Heartland team are prohibited from completing any portion of your PCI DSS validation. The SAQ contains self-assessment questions designed to ensure your environment is secure; if a Heartland team member answered them, the result could give you a false sense of security and leave you vulnerable to a data breach. An Aperia team member can explain the questions to help you understand how to answer them and can explain the next steps in the process.
How can I validate PCI DSS compliance?
Log into the Aperia Merchant Protection Portal to view your PCI DSS status or contact Aperia at (844) 204-0412.
How do I log in to the Aperia portal?
Find the email from Aperia containing your PCI DSS compliance credentials and follow the instructions in it.
What if I cannot find my credentials email from Aperia?
Verify the email address on the Details page in InfoCentral. If you need the email address changed or if you cannot find your email, contact Aperia for assistance.
What if I do not know my password for the Aperia portal?
Contact Aperia at (844) 204-0412 and ask for a password reset. Be prepared to provide your Merchant ID number and Doing Business As (DBA) name for your accounts.
What if I have validated my compliance through another solution?
Log into the Aperia portal to upload your certificate of attestation.
What is the benefit of a view merge in the Aperia portal?
A view merge combines Aperia portal access and information for all Merchant ID numbers included in the merge:
- One login for all accounts
- A combined view of the PCI DSS status of all accounts
- PCI DSS compliance managed in one place
- Your SAQ copied to all other accounts
How do I request a view merge in the Aperia portal?
Contact Aperia at (844) 204-0412 (select option one). Be prepared to provide the Merchant ID numbers and validate the contact information for your accounts.
What is an SAQ copy over?
A copy over is when multiple locations use one SAQ. If multiple locations process card transactions through the same processing method and the same connectivity, the Heartland PCI DSS Compliance Team might approve one SAQ for copy over to the other locations.
Am I required to keep my business PCI DSS compliant?
All entities that process, store, or transmit card data are required to validate the PCI DSS compliance of their business. If legitimate technical or documented business constraints prevent compliance with an explicit requirement, other (compensating) controls that sufficiently mitigate the risk are considered.
What happens if my business is not PCI DSS compliant?
A PCI DSS non-compliance fee is assessed if you have not validated PCI DSS compliance using the Aperia portal or another method. It might also mean that your business is vulnerable to a data breach.
What is this PCI DSS non-compliance fee for?
All entities that process card data are required to validate PCI DSS compliance. Those that have not gone through the process to validate the PCI DSS compliance of their business are considered non-compliant, and the fee is assessed to them.
Is the non-compliance fee billed when my seasonal business is closed?
You will not be billed for scheduled closed months unless you process a transaction during the month.
Will PCI DSS non-compliance notification be sent to me?
You will be notified of non-compliance on your statement and Aperia will also send you an email.
Why am I being charged a PCI DSS non-compliance fee?
You have not validated PCI DSS compliance with Aperia or provided documentation from another Qualified Security Assessor (QSA) vendor validating you are PCI DSS compliant.
How can I avoid the PCI DSS non-compliance fee?
Once you validate your PCI DSS compliance, you will no longer be billed the non-compliance fee. You can work with Aperia; it is a relatively simple process: log into your ControlScan account and complete the PCI DSS SAQ and, when applicable, the Quarterly Network Vulnerability Scans. You can also provide Heartland with the documents from another QSA.
How much is the non-compliance fee, and how often is it billed?
The PCI DSS non-compliance fee is charged per Merchant ID, per month, for as long as you are non-compliant.
Can I get a refund for the PCI DSS non-compliance fee?
Refunds are not given. If you go through the process to validate your PCI DSS compliance, you can avoid future fees.