PCI Compliance Questions That Every Merchant Should Ask

  • Phillip Parker
  • Credit Card Processing
  • February 10, 2017

Your Payment Processor Needs To Be Compliant, Too

This may come as a surprise, but PCI compliance wasn’t invented just to generate paperwork for small business owners. From payment processors to resellers to Software-as-a-Service companies, every entity in the merchant account industry must comply with a specific set of PCI protocols. And just as a merchant’s careless behavior can expose a merchant services provider to a data breach, a credit card processor can endanger its merchants by neglecting to follow the proper data security guidelines.

To help you hold your credit card processor accountable, we’ve gathered the following list of PCI compliance questions that you should ask your merchant account provider. Whether you’re searching for a new merchant account or currently in the middle of a contract, these questions can help you understand what steps your processor takes to protect you from fraud and how you’ll be treated in the event of an actual breach. If your provider can answer these questions confidently and correctly, you’ll have very little to worry about when it comes to data security. If you’re dissatisfied with the responses you’re getting, then it may be time to move on.

Product Security

The following questions are related to the actual product or service you use to process payments.

Are you PCI-validated?

Here’s a simple starting point. The PCI Standards Council maintains databases of products and providers that are fully PCI compliant. You simply have to determine your provider’s business type and consult the corresponding list:

Payment processors and e-commerce hosting providers are the most common category of merchant services provider. Chances are, you’re using one of these companies to process your payments. You should ask to see your provider’s PCI DSS Attestation of Compliance and check whether your payment processor is listed on MasterCard’s List of Compliant Service Providers, Visa’s Global Registry of Service Providers, or Visa Europe’s List of Registered Member Agents.

Payment application vendors sell and support software that stores, processes or transmits cardholder data. They differ from payment processors in that they supply payment processing software, but they may not have a banking relationship that allows them to process the actual payments. A list of approved applications is found here.

Payment terminal vendors sell and support hardware that accepts payments. A list of approved devices is found here.

Software-as-a-service (SaaS) providers develop and host cloud-based web applications that process payments. As with conventional payment processors, you should ask to see a SaaS company’s PCI DSS Attestation of Compliance and check to see if the company is listed on MasterCard’s List of Compliant Service Providers, Visa’s Global Registry of Service Providers, or Visa Europe’s List of Registered Member Agents.

Qualified Integrators and Resellers (QIRs) install validated payment applications at your business’s location or website on your behalf. A list of PCI-approved QIRs can be found here.

Other providers of services that satisfy PCI DSS requirements may include firewall managers and software patching services. These companies may not be strictly involved in payment processing, but their products will still need to adhere to PCI regulations. You should ask to see such a company’s PCI DSS Attestation of Compliance and check to see if the company is listed on MasterCard’s List of Compliant Service Providers, Visa’s Global Registry of Service Providers, or Visa Europe’s List of Registered Member Agents.

If your provider is listed as PCI-validated on one of the above lists, you’re in good shape. Go ahead and jump to the Product Support section.

If your provider is not listed as PCI-validated, you have two options. You can take your business elsewhere on that basis alone, or you can ask the following questions to get a better understanding of the company’s security standards.

Does our contract require you to update your product/service to be PCI-compliant throughout the term of service?

If the answer is yes, you should verify that such language is in the contract. If the answer is no, you should probably take your business elsewhere.

Does your product/service store card information locally?

Storing cardholder data at your location is extremely high risk. If the answer is yes, ask whether the information is stored in compliance with PCI DSS protocol. If the information is not stored in compliance with PCI protocol, then you should probably take your business elsewhere. In any case, however, any system that stores cardholder information locally is less secure than a tokenized or encrypted solution.

Does your product encrypt cardholder data before transmitting it?

If the answer is no, you should probably take your business elsewhere.

Product Installation

You should only ask the following questions if your payment system is being installed on your behalf by a reseller who is NOT a PCI-approved QIR. If your reseller is PCI-approved, move on to the “Product Support” section below.

Do you offer ongoing support and guidance when it comes to installation?

If the answer is yes, you should determine how long that support is available and whether it incurs extra charges for services such as on-site installation. If the answer is no, you should probably take your business elsewhere. Even so, a reseller that offers support may still not be worth the headache of effectively handling your own installation.

Can you tell me where cardholder data is stored in your system and how it is protected?

You should obtain a statement from your vendor that describes exactly how the product stores cardholder data so as to be in compliance with PCI regulations. If the vendor cannot explain this or is unwilling to provide such a statement in writing, you should probably take your business elsewhere.

Product Support

These questions are related to the ongoing support you will receive in order to ensure that your payment system remains compliant with ever-changing PCI DSS requirements.

Is your product/service installed on my network or systems?

If the answer is yes, ensure that the provider commits to ongoing product support, PCI-compliant software updates, security patches, and timely alerts regarding any urgent security information. If the answer is no, ask the following question:

Is your product/service stored or hosted on your network or systems?

If the answer is yes, you should ask to see the company’s PCI DSS Attestation of Compliance and check to see if the company is listed on MasterCard’s List of Compliant Service Providers, Visa’s Global Registry of Service Providers, or Visa Europe’s List of Registered Member Agents. If it is not on these lists, you should probably take your business elsewhere.

Do you require remote access to support the product?

“Remote access” refers to the ability for your provider to enter your local network via a secure connection and directly resolve support issues in your system from afar. While remote access may seem like a convenient way to fix software problems, it’s actually a common method that hackers use to gain access to otherwise secure systems.

If your provider does not require remote access to support your product, then you don’t need to worry about vulnerabilities related to remote access. If your provider does require remote access to support the product, verify that remote access does not need to be always active. If the provider requires remote access to always be active, take your business elsewhere. If the provider only requires remote access in very limited circumstances, ask the following question:

How do you secure remote access sessions with your customers?

You want to hear that your provider requires multi-factor authentication for all remote access sessions and that it uses a unique username and password for each of its remote access clients rather than one shared credential. That way, if another one of the company’s customers is compromised in a remote access session, your account will not be at risk. If the provider does not offer these basic security measures, you should probably take your business elsewhere.

Does the product/service require me to integrate with other products/services such as payment terminals, accounts receivable, or other software containing cardholder data?

This setup is becoming increasingly common as tech-savvy providers try to make use of fully integrated business management systems. While it isn’t necessarily a bad thing for your payment software to connect to your other business tools, you’ll want to be absolutely certain that this arrangement adds enough value to your business to outweigh the inherent risk of linking multiple systems. If you think it’s still worth it to integrate your payment systems with other systems that contain sensitive data, you should proactively ask your provider what steps you can take to insulate your different products from each other in the event of a data breach.

Breach Protocol

Do you offer any protection in the event of a breach?

Believe it or not, there’s no industry-wide standard of fraud protection for merchants in the event of a breach. Even merchants who are fully PCI-compliant at the time of the breach will likely face fines and penalties from their provider or their provider’s acquiring bank. That’s why it’s essential for you to ask for a clear explanation of your provider’s liability and your own liability should your customers’ data be compromised.

Specifically, you should demand that they indemnify you from fines (including legal expenses) if their solution ends up being the source of the breach. Your contract should also stipulate that a third-party forensic investigator will be allowed to determine the source of the breach. This prevents the provider from pinning the blame on you even if they are at fault. If they will not commit to these basic protections, you should probably take your business elsewhere.

Are you insured against data breaches?

Payment processors are eligible to obtain insurance to protect against legal fees and bank fines following a data breach. If your provider is not insured, it will be much more likely to come after you to recover any costs stemming from a breach. In this case, you may want to consider getting your own data breach insurance, or simply finding another provider.

Will you assist with notifying my customers in the event of a data breach that is your product’s fault?

Cleaning up after a large data breach can be costly and time-consuming. If you aren’t to blame for it, then your provider should be willing to help you notify consumers and handle the customer service issues that arise. Ask for a specific description of what your provider is willing to do in this case, including a list of related costs that you can expect them to cover.

Knowledge Can Protect Your Business

By asking these questions, you’ll get a feel for a product’s strengths and weaknesses when it comes to data security. You’ll also understand whether your provider is prepared to handle a data breach, and you’ll know what your own liability is if the worst happens. Most importantly, though, you’ll signal to your existing or prospective payment processor that you’re a smart shopper. After all, if you’re prepared to ask detailed questions about PCI compliance, then you’ve likely also done your homework on pricing and fees (see: Fee Sweep). Knowledge will always give you the upper hand in the credit card processing industry.

Source consulted: https://www.pcisecuritystandards.org/pdfs/Small_Merchant_Questions_to_Ask_Your_Vendors.pdf.
