(See also: PCI Compliance FAQs)
What is PCI DSS?
The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.
- PCI DSS provides a baseline for technical and operational requirements designed to protect cardholder data.
- PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, service providers, and all other entities that store, process, or transmit cardholder data.
- The standard provides an actionable framework for developing and maintaining data security, including preventing, detecting, and responding to security incidents.
Why is PCI important to your business?
All merchants, no matter who is doing their processing, are required to validate that they are PCI compliant. Heartland has been a leader in data security for over a decade. Your customers’ card data and the health of your business are of the utmost importance to us.
As an added value, you are enrolled in the Heartland PCI Merchant Protection Plan at no additional cost to you. This gives you access to Aperia, the third-party data security company we have partnered with, to assist you with achieving and maintaining your PCI compliance. Other data security companies that provide PCI validation can cost up to $100 per month.
Can I get help with the PCI DSS compliance process?
Yes, you can call Aperia at 844-204-0412 for a walk-through of the process. Validation is done through a self-assessment questionnaire. Only merchants, or someone from their organization who knows the payment environment, will be able to answer these questions. Aperia can explain what the questions mean to help you understand how to answer them.
What are the PCI compliance fees?
PCI compliance fees:
- If compliance requirements are not met, a monthly non-compliance fee is charged.
- Card Compromise Assistance Plan (CCAP) monthly fee: Optional if compliant and required if non-compliant.
Can I get a refund for a PCI DSS compliance fee?
The PCI DSS compliance fee is non-refundable. It is specified in your Merchant Agreement, and all merchants are charged this fee monthly.
What if I forgot my Aperia portal password?
First, try to find your credential email from Aperia, select the link to the Aperia portal in that email, and follow the instructions. The credential email contains a link and an auto-generated password; you must change the password and answer security questions. If that does not work, call merchant services and confirm your email address on file for Aperia. Update the email address if necessary and request a password reset email.
What is the Non-PCI compliance fee for?
The Non-Compliance Fee is assessed if you are not PCI compliant. No fee is charged if you are compliant.
Do I need to verify PCI compliance for my business again if I did it last year?
PCI compliance validation must be completed annually (once a year). In addition, a quarterly scan is required every 90 days for businesses that use the internet or wireless networks. Contact Aperia for details.
What if I decide not to verify PCI Compliance for my business?
If your business is non-compliant:
- You are charged a monthly non-compliance fee.
- You are required to remain enrolled in the CCAP for a monthly fee.
- In the event of a data breach or fraudulent transaction, you are held liable and will be responsible for any associated costs, including:
  - Forensic audit costs
  - Card replacement costs
  - Compliance fines
  - Costs associated with lost productivity
  - Costs associated with reputation damage
Why wasn't I notified about the PCI Compliance fees?
You are notified of the PCI compliance fees through statement messages only when there is a change to your account. You should already be aware of this fee because you agreed to it in your contract.
Do I have to answer the questions on the Self-Assessment Questionnaire (SAQ)?
Only you, or someone from your organization who knows your payment environment, will be able to answer the questions. The SAQ consists of self-assessment questions designed to verify that your environment is secure. An Aperia team member can explain the questions to help you understand how to answer them, and can explain the other steps in the process.
What are the penalties for non-compliance?
The payment associations may, at their discretion, impose fines of thousands of dollars for PCI compliance violations such as data breaches. An educational video detailing this information is available in the PCI Compliance section of the CPAY website.
How often does the SAQ need to be done?
The SAQ is required annually.