How to Keep Your PCI Compliance Status Up-to-Date
Maintaining your business’ PCI (Payment Card Industry) Compliance should be taken very seriously. Protecting your business from the potential loss of valuable information and preserving your customers’ trust should always be a priority. We sat down with our compliance expert Fernando and asked him to shed some light on what’s involved in keeping your business PCI compliant at all times.
Where do you start?
Within 14 days of boarding your merchant account with us, we create a merchant profile for you in the PCI Compliance Portal. The system then automatically deploys a welcome email to the email address provided by you on the merchant application. The welcome email has all the information you need.
Your first temporary login is set to your Merchant ID. Once you log in for the first time, the system will ask you to change the default login to your email address. If your merchant account has been with us for a while and we see that it is still not PCI compliant, you would get reminders from us every now and then, because it’s in our best interest to make sure you complete the steps to lower the risk of a data breach at your business.
What’s involved in being PCI Compliant?
There are two things that most accounts need to complete to become PCI compliant: a Self-Assessment Questionnaire (SAQ) and a vulnerability scan.
The SAQ is pretty straightforward. You have to log into the PCI portal and answer a series of questions on how your business processes electronic payments. The lowest number of questions is 14 and the highest is 326. The latter is mostly for the merchants that store the cardholder’s information on file at their place of business, which we strongly discourage you from doing.
The compliance scan includes internal and external vulnerability scans. The scanner will discover weak points in your network and find the areas that need improvement. It will identify the points where your network is open to attack and provide you with valuable suggestions on what to do next.
How often do you have to do it?
You need to complete a questionnaire every 12 months. We understand that you are busy with your day-to-day tasks, so we send you a few reminders 60, 30, 15 and 1 day in advance to let you know when your PCI SAQ status is about to expire. Make sure to find time in your busy schedule to complete it.
Running a vulnerability scan is fairly simple as well. When you try to run it for the first time, the system will ask you to input your IP address and click “start”. After that, all processes run automatically. The system will perform the scan and send you a summary/review letting you know if you passed the scan. If the scan failed, the system will generate a list of failed items for you or your IT person to review. You will also receive an explanation and instructions on what to do next. After completing the initial scan, all the following scans will run automatically every 90 days. You don’t need to do anything manually as long as you keep meeting all the requirements and pass the scan successfully.
What do you do now?
Keep an eye on our PCI compliance emails and follow the instructions outlined in those emails. We do our best to make the process of becoming PCI Compliant as frictionless and as effortless as possible and we are always here to help!