Your Payment Processor Needs To Be Compliant, Too
This may come as a surprise, but PCI compliance wasn’t invented just to generate paperwork for small business owners. From payment processors to resellers to Software-as-a-Service companies, every entity in the merchant account industry must comply with a specific set of PCI protocols. And just as a merchant’s careless behavior can expose a merchant services provider to a data breach, a credit card processor can endanger its merchants by neglecting to follow the proper data security guidelines.
To help you hold your credit card processor accountable, we’ve gathered the following list of PCI compliance questions that you should ask your merchant account provider. Whether you’re searching for a new merchant account or currently in the middle of a contract, these questions can help you understand what steps your processor takes to protect you from fraud and how you’ll be treated in the event of an actual breach. If your provider can answer these questions confidently and correctly, you’ll have very little to worry about when it comes to data security. If you’re dissatisfied with the responses you’re getting, then it may be time to move on.
The following questions are related to the actual product or service you use to process payments.
Are you PCI-validated?
Here’s a simple starting point. The PCI Standards Council maintains databases of products and providers that are fully PCI compliant. You simply have to determine your provider’s business type and consult the corresponding list:
Payment processors and e-commerce hosting providers are the most common category of merchant services provider. Chances are, you’re using one of these companies to process your payments. You should ask to see your provider’s PCI DSS Attestation of Compliance and check whether your payment processor is listed on MasterCard’s List of Compliant Service Providers, Visa’s Global Registry of Service Providers, or Visa Europe’s List of Registered Member Agents.
Payment application vendors sell and support software that stores, processes or transmits cardholder data. They differ from payment processors in that they supply payment processing software, but they may not have a banking relationship that allows them to process the actual payments. A list of approved applications is found here.
Payment terminal vendors sell and support hardware that accepts payments. A list of approved devices is found here.
Software-as-a-service (SaaS) providers develop and host cloud-based web applications that process payments. As with conventional payment processors, you should ask to see a SaaS company’s PCI DSS Attestation of Compliance and check to see if the company is listed on MasterCard’s List of Compliant Service Providers, Visa’s Global Registry of Service Providers, or Visa Europe’s List of Registered Member Agents.
Qualified Integrators and Resellers (QIRs) install validated payment applications at your business’s location or website on your behalf. A list of PCI-approved QIRs can be found here.
Other providers of services that satisfy PCI DSS requirements may include firewall managers and software patching services. These companies may not be strictly involved in payment processing, but their products will still need to adhere to PCI regulations. You should ask to see such a company’s PCI DSS Attestation of Compliance and check to see if the company is listed on MasterCard’s List of Compliant Service Providers, Visa’s Global Registry of Service Providers, or Visa Europe’s List of Registered Member Agents.
If your provider is listed as PCI-validated on one of the above lists, you’re in good shape. Go ahead and jump to the Product Support section.
If your provider is not listed as PCI-validated, you have two options. You can take your business elsewhere on that basis alone, or you can ask the following questions to get a better understanding of the company’s security standards.
Does our contract require you to update your product/service to be PCI-compliant throughout the term of service?
If the answer is yes, you should verify that such language is in the contract. If the answer is no, you should probably take your business elsewhere.
Does your product/service store card information locally?
Storing cardholder data at your location is extremely high risk. If the answer is yes, ask whether the information is stored in compliance with PCI DSS protocol. If the information is not stored in compliance with PCI protocol, then you should probably take your business elsewhere. In any case, however, any system that stores cardholder information locally is less secure than a tokenized or encrypted solution.
Does your product encrypt cardholder data before transmitting it?
If the answer is no, you should probably take your business elsewhere.
You should only ask the following questions if your payment system is being installed on your behalf by a reseller who is NOT a PCI-approved QIR. If your reseller is PCI-approved, move on to the “Product Support” section below.
Do you offer ongoing support and guidance when it comes to installation?
If the answer is yes, you should determine how long that support is available and whether it incurs extra charges for services such as on-site installation. If the answer is no, you should probably take your business elsewhere. In any case, even a reseller that provides support may not spare you the headache of handling your own installation.
Can you tell me where cardholder data is stored in your system and how it is protected?
You should obtain a statement from your vendor that describes exactly how the product stores cardholder data so as to be in compliance with PCI regulations. If the vendor cannot explain this or is unwilling to provide such a statement in writing, you should probably take your business elsewhere.
These questions are related to the ongoing support you will receive in order to ensure that your payment system remains compliant with ever-changing PCI DSS requirements.
Is your product/service installed on my network or systems?
If the answer is yes, ensure that the provider offers ongoing product support, PCI-compliant software updates, security patches, and timely alerts about any urgent security information. If the answer is no, ask the following question:
Is your product/service stored or hosted on your network or systems?
If the answer is yes, you should ask to see the company’s PCI DSS Attestation of Compliance and check to see if the company is listed on MasterCard’s List of Compliant Service Providers, Visa’s Global Registry of Service Providers, or Visa Europe’s List of Registered Member Agents. If it is not on these lists, you should probably take your business elsewhere.
Do you require remote access to support the product?
“Remote access” refers to your provider’s ability to connect into your local network via a secure connection and resolve support issues in your system directly from afar. While remote access may seem like a convenient way to fix software problems, it is also a common path by which attackers gain entry to otherwise secure systems.
If your provider does not require remote access to support your product, then you don’t need to worry about vulnerabilities related to remote access. If your provider does require remote access to support the product, verify that remote access does not need to be always active. If the provider requires remote access to always be active, take your business elsewhere. If the provider only requires remote access in very limited circumstances, ask the following question:
How do you secure remote access sessions with your customers?
You want to hear that your provider requires multi-factor authentication for all remote access sessions and that it uses unique credentials (a separate username and password) for each of its remote access clients. That way, if another of the company’s customers is compromised in a remote access session, your account will not be at risk. If the provider does not offer these basic security measures, you should probably take your business elsewhere.
Does the product/service require me to integrate with other products/services such as payment terminals, accounts receivable, or other software containing cardholder data?
This setup is becoming increasingly common as tech-savvy providers try to make use of fully integrated business management systems. While it isn’t necessarily a bad thing for your payment software to connect to your other business tools, you’ll want to be absolutely certain that this arrangement adds enough value to your business to outweigh the inherent risk of linking multiple systems. If you think it’s still worth it to integrate your payment systems with other systems that contain sensitive data, you should proactively ask your provider what steps you can take to insulate your different products from each other in the event of a data breach.
Do you offer any protection in the event of a breach?
Believe it or not, there’s no industry-wide standard of fraud protection for merchants in the event of a breach. Even merchants who are fully PCI-compliant at the time of the breach will likely face fines and penalties from their provider or their provider’s acquiring bank. That’s why it’s essential for you to ask for a clear explanation of your provider’s liability and your own liability should your customers’ data be compromised.
Specifically, you should demand that they indemnify you from fines (including legal expenses) if their solution ends up being the source of the breach. Your contract should also stipulate that a third-party forensic investigator will be allowed to determine the source of the breach. This prevents the provider from pinning the blame on you even if they are at fault. If they will not commit to these basic protections, you should probably take your business elsewhere.
Are you insured against data breaches?
Payment processors are eligible to obtain insurance to protect against legal fees and bank fines following a data breach. If your provider is not insured, it will be much more likely to come after you to recover any costs stemming from a breach. In this case, you may want to consider getting your own data breach insurance, or simply find another provider.
Will you assist with notifying my customers in the event of a data breach that is your product’s fault?
Cleaning up after a large data breach can be costly and time-consuming. If you aren’t to blame for it, then your provider should be willing to help you notify consumers and handle the customer service issues that arise. Ask for a specific description of what your provider is willing to do in this case, including a list of related costs that you can expect them to cover.
Knowledge Can Protect Your Business
By asking these questions, you’ll get a feel for a product’s strengths and weaknesses when it comes to data security. You’ll also understand whether your provider is prepared to handle a data breach, and you’ll know what your own liability is if the worst happens. Most importantly, though, you’ll signal to your existing or prospective payment processor that you’re a smart shopper. After all, if you’re prepared to ask detailed questions about PCI compliance, then you’ve likely also done your homework on pricing and fees (see: Fee Sweep). Knowledge will always give you the upper hand in the credit card processing industry.