(See also: PCI Compliance Fees and Requirements)
What is the PCI Data Security Standard (DSS)?
The Payment Card Industry Data Security Standard (PCI DSS) was first released in 2004 and is maintained by the PCI Security Standards Council (PCI SSC), the body founded by the major card brands in 2006 to administer the standard. It is the set of security requirements that every company must meet if it processes, stores, or transmits payment card data.
The purpose of PCI DSS is to improve cardholder data security and advance the use of consistent data security measures globally. It is a baseline of technical and operational requirements designed to protect cardholder data that applies to all entities that store, process, or transmit cardholder data. The standard supports data security with the rules needed for prevention, detection, and response to security incidents.
Who mandates PCI DSS compliance?
The card brands require businesses that process, store, or transmit card data to be compliant, and the card brands also determine how those requirements are to be met and validated. A company is PCI DSS compliant when it meets the requirements that apply to its payment environment.
What is SysNet?
SysNet is Heartland's preferred Qualified Security Assessor (QSA) and guides merchants on their security strategies. SysNet is also the Approved Scanning Vendor (ASV) that manages the PCI DSS compliance process and streamlines PCI DSS compliance reporting.
SysNet provides a portal and a prioritized process to explain compliance gaps and the steps to fix them.
Why is PCI DSS compliance important?
PCI DSS compliance is important because it protects your business and your customers' cardholder data, and because Heartland is required to report your PCI DSS validation status to the card brands. All business owners who accept cards have agreed to remain compliant as a condition of their merchant agreement.
Can I get help with the PCI DSS compliance process?
Yes, call SysNet and a team member will explain the process.
- SysNet Phone Number: (800) 477-3590
- Hours of Operation: 8:30 AM to 8:00 PM Eastern Time, Monday through Friday
What documentation is needed for PCI DSS compliance?
PCI DSS compliance items include:
- A signed Self-Assessment Questionnaire (SAQ) that passes the PCI SSC standards.
- An ASV scan completion certificate for processing transactions over the internet (IP terminal) or e-commerce, when applicable.
- A completed SysNet portal attestation for the SAQ and Scans.
- A compliance certificate from SysNet, or proof of compliance from a different QSA vendor that is uploaded to the SysNet portal.
Can a Heartland relationship manager or customer care advocate answer questions on the SAQ for me?
No one can answer questions on a SAQ for you. Only you or someone from your organization who knows your payment environment can answer the questions. Heartland relationship managers and any member of the Heartland team are prohibited from completing any portion of your PCI DSS validation. The SAQ includes self-assessment questions designed to ensure your environment is secure. If a Heartland team member answers these questions they could give you a false sense of security and leave you vulnerable to a data breach. A SysNet team member can explain the questions to help you understand how to answer them and explain next steps in the process.
How can I validate PCI DSS compliance?
Log into the Heartland SysNet Portal to view your PCI DSS status, or contact SysNet at (800) 477-3590.
How do I log in to the SysNet portal?
Locate the email from SysNet containing your PCI DSS compliance credentials and follow the login instructions in it.
What if I cannot find my credentials email from SysNet?
Verify the email address on the Details page in InfoCentral. If you need the email address changed or if you cannot find your email, contact SysNet for assistance. If you do not have an active email address you can request a paper copy of the SAQ from SysNet.
What if I do not know my password for the SysNet portal?
Contact SysNet at (800) 477-3590 (select option 1) and ask for a password reset. Be prepared to provide the Merchant ID number and Doing Business As (DBA) name for your accounts.
What if I have validated my compliance through another solution?
Log into the SysNet portal to upload your certificate of attestation.
What is the benefit of a view merge in the Synergy portal?
A view merge combines SysNet portal access and information for all Merchant ID numbers included in the merge:
- One login for all accounts
- A single combined view of PCI DSS status across the merged accounts
- PCI DSS validation managed from one place
- Your completed SAQ is copied to all other accounts in the merge
How do I request a view merge in the Synergy portal?
Contact SysNet at (800) 477-3590 (select option 1). Be prepared to provide the Merchant ID numbers and contact information for your accounts.
What is an SAQ copy over?
A copy over is when multiple locations share one SAQ. If multiple locations process card transactions through the same processing method and the same connectivity, the Heartland PCI DSS Compliance Team may approve one SAQ to be copied over to the other locations.
Am I required to keep my business PCI DSS compliant?
All entities that process, store, or transmit card data are required to validate the PCI DSS compliance of their business. If legitimate technical or documented business constraints prevent compliance with an explicit requirement, compensating controls that sufficiently mitigate the risk addressed by that requirement may be considered in its place.
What happens if my business is not PCI DSS compliant?
A PCI DSS non-compliance fee is assessed if you have not validated PCI DSS compliance using the SysNet portal or another method. It might also mean that your business is vulnerable to a data breach.
What is this PCI DSS non-compliance fee for?
All entities that process card data are required to validate PCI DSS compliance. Those that have not completed the validation process are considered non-compliant, and the fee is assessed to them.
Is the non-compliance fee billed when my seasonal business is closed?
You will not be billed for scheduled closed months unless you process a transaction during the month.
Will PCI DSS non-compliance notification be sent to me?
You will be notified of non-compliance on your statement and SysNet will also send you an email.
Why am I being charged a PCI DSS non-compliance fee?
You have not validated PCI DSS compliance with SysNet or provided documentation from another Qualified Security Assessor (QSA) vendor validating you are PCI DSS compliant.
How can I avoid the PCI DSS non-compliance fee?
Once you validate your PCI DSS compliance, you will no longer be billed the non-compliance fee. You can work with SysNet: log into your ControlScan account and complete the PCI DSS SAQ and, when applicable, the quarterly network vulnerability scans. Alternatively, you can provide Heartland with validation documents from another QSA.
How much is the non-compliance fee, and how often is it billed?
The PCI DSS non-compliance fee is charged per Merchant ID, per month, for as long as you remain non-compliant.
Can I get a refund for the PCI DSS non-compliance fee?
Refunds are not given. Once you complete the process to validate your PCI DSS compliance, you will avoid future fees.