PCI Compliance

To access and validate your account please complete the “PCI DSS Self Assessment Questionnaire (SAQ)”

Learn more about PCI Protection Plan from Pace Payment Systems

What is PCI? The Payment Card Industry (PCI) Data Security Standards are a set of rules that are regulated and mandated by the major credit card associations (Visa, MasterCard, Discover Card and American Express). These rules are passed on to the consumers, as well as all companies in the processing chain. To reduce the risk of lost, stolen or otherwise exposed sensitive cardholder data, this compliance is required to be upheld for all entities that accept credit cards.

What does PCI mean to me? All merchants who accept credit cards as a form of payment for services or goods must have a program in place, whether it is at the merchant level or at the processor’s level. Both entities must abide by the regulations set by the card associations to ensure that all cardholder data is always in a secure environment.

Who is at risk? Any merchant who accepts credit cards, from the biggest corporations to the smallest “mom & pop” shops, is vulnerable to a security breach. Food and beverage merchants accounted for 57% of breached entities followed by retailers at 18%, hospitality merchants at 10%, and government and financial companies, each with 6%. Hospitality was the leader in 2009, but Trustwave* noted that a major organized crime group that earlier targeted mainly hotels expanded its focus to restaurants in 2010. This ring may have been involved in 36% of the breaches.

Who else is billing this? Leaders in the payments industry are focusing on the most vulnerable problems and where technology solutions can do the most good for the lowest cost. So regardless of the processor, the technology and compliance applications are a requirement. We are mindful that, while security is a necessary thing, it doesn’t significantly add to a merchant’s ability to sell more goods and services. Without good security, however, a merchant’s ability to sell can certainly be affected.

Why a PCI Fee? Visa strongly encourages payment application vendors such as Pace Payment Systems to develop and conform their products to the PCI-DSS standards. These applications help merchants and the agents to mitigate compromise, prevent storage of sensitive cardholder data, and support overall compliance with PCI-DSS standards. Since cost is a large factor in choosing technology, most of the smaller merchants choose public lines. However, “Risk” is a trade-off for “Cost”, and we at Pace Payment Systems will strive to always maintain and uphold our end to ensure that cardholder data is never at risk.

Our solution is to use the additional technology to remain compliant, while keeping our cost reasonable for all. 

 

Instructions

As part of the industry initiative, all merchants must complete an SAQ. Please follow these steps to complete your SAQ:

Step 1. Click on the letter of the SAQ from the table below that corresponds to your method of processing.
Step 2. Print and complete the SAQ to the best of your knowledge.
Step 3. Sign and fax the SAQ to 818-700-3106. You may also scan the signed form and email it to PCISaq@paceps.com.

If you need assistance with determining which SAQ you should complete, please contact our Customer Service Department at 888-690-7555, Ext: 2.

If you are in need of a hardcopy form, open the appropriate form from the table below and print.

 

SAQ Version Table and SAQs

The PCI DSS Self Assessment Questionnaire (SAQ) is a tool designed to assist merchants in determining their level of compliance. The SAQ version to be used is dependent upon the method of card acceptance. Outlined below are the most commonly used SAQ validation types, which correspond to the appropriate SAQ version. 

 

| Merchant Type | Description | Form to be Completed |
|---|---|---|
| 1 | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. | A (Download pdf) |
| 2 | Imprint-only merchants with no electronic cardholder data storage. This Validation Type applies to those merchants who take card information manually and subsequently submit transactions for processing by phone via the Automated Response Unit (ARU). | B (Download pdf) |
| 3 | Stand-alone terminal merchants, no electronic cardholder data storage. This SAQ should be used by those merchants who take any amount of face-to-face transactions and swipe or key card information into a terminal, software or gateway. | B (Download pdf) |

 

 

SAQ Instructions and Guidelines Document

 

How does PCI DSS apply to my company?
PCI DSS applies to all entities that accept, process, store, and/or transmit transaction information. Requirements apply regardless of company size or volume of transactions. To put it simply, if a card or card number is accepted and/or processed for payment, PCI DSS applies to your business.

What are the PCI DSS requirements?
The PCI DSS requirements are overseen by the PCI Security Standards Council, an organization formed in 2006 by the major card brands. Requirements are available on the PCI Security Standards Council’s website (link provided below). Also, Pace Payment Systems provides the Self Assessment Questionnaire (SAQ) to assist you in determining your current status of compliance.

What cardholder information is considered “cardholder data”?
Cardholder data pertains to more than simply the card account number. Any personally identifiable information that is associated with your customer is considered cardholder data. This includes, but may not be limited to, the card account number, expiration date, Card Verification Value, cardholder’s billing and shipping addresses, Social Security Number, etc.

What is the deadline for PCI DSS compliance?
Compliance with PCI DSS requirements is mandatory now. Pace Payment Systems will continue to provide assistance and keep you informed of current and updated information on PCI DSS requirements.

What if I determine that my operations are not PCI DSS compliant?
If after review of the PCI DSS guidelines it is determined that your business is not yet compliant, please contact our Customer Service Department at the number listed below for assistance. You may wish to obtain assistance in bringing your organization up to PCI standards from a Qualified Security Assessor and/or Approved Scanning Vendor. You may access the current list for each from the links provided below.

What are the penalties for non-compliance?
It is essential to keep in mind that should any type of breach occur, it could potentially cost a business thousands upon thousands of dollars. These expenses could include compliance fines handed down from the card associations, as well as the costs to replace cards involved and the fraudulent usage resulting from those cards. Compliance with mandated PCI requirements to help ensure security may save your company from these highly costly issues.

You are required to submit a completed Self-Assessment Questionnaire (SAQ) or Report on Compliance/Report on Validation from a Qualified Security Assessor (QSA) to Pace Payment Systems. Beginning in April 2013, a non-compliance fee will be assessed to your account monthly, until your account is in compliance. The forms for the SAQ are included in this website (see above) and either the SAQ or completed report from a QSA must be signed and can be submitted to us via email to PCISaq@paceps.com, by fax at 818-700-3106 or postal mail using the contact information contained on this website.

QSA Compliant Verification
If your business has already completed a verification process with a Qualified Security Assessor (QSA), please submit a completed Report on Compliance or Report on Validation. You may submit the form to us via email, fax or postal mail using the contact information below. If you do not have either of these documents, please provide the completed report or other acknowledgement provided to you from your QSA. Upon verification, your merchant account will be removed from the monthly non-compliance fee.

Additional Information and Links on PCI
Each of the major card brands maintains its own set of regulatory data security requirements. Along with the link to the PCI SSC, below you may access each program’s specific guidelines. Also provided for your support is a glossary of PCI DSS terminology.


Contact Us

Email:

PCIQuestions@paceps.com

Fax:

(818) 700-3106

Phone:

(888) 690-7555, Ext: 2
8 a.m. – 5 p.m. PST, Monday through Friday

 

 

 

Pace Payment Systems, Inc., Credit Card Merchant Services, Nashville, TN