Frequently Asked Questions

Any company with a Merchant ID (MID) that processes, stores or transmits credit card information must adhere to and comply with the PCI Data Security Standard (PCI DSS), created and updated annually by the PCI Security Council. Introduced on September 7, 2006, the Payment Card Industry Security Standards Council (PCI SSC) provides an actionable framework for developing a robust payment card data security process — including prevention, detection, and appropriate reaction to security incidents. The PCI DSS is administered and managed by the PCI SSC , which is independent of the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). Card brands and acquirers are responsible for enforcing compliance, not the PCI Council.

Yes. All business that process, transmit or store credit card data must be PCI compliant.

Yes. Using VitaPay does not exclude your company from PCI compliance. It may reduce your risk exposure, and consequently reduce the effort to validate compliance, but it does not remove you from responsibility.

The PCI Security Standards Council (SSC) defines ‘cardholder data’ as the full Primary Account Number (PAN) or the full PAN along with any of the following elements:

  • Cardholder name
  • Expiration date
  • Service code
  • Sensitive Authentication Data which includes full magnetic stripe data, CAV2, CVC2, CVV2, CID, PINs, PIN blocks and more

With regards to PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five major card brands (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. A merchant can also be a service provider, if the services sold result in storing, processing or transmitting cardholder data on behalf of other merchants or service providers.

The PCI DSS considers any company that stores, processes or transmits cardholder data on behalf of another entity to be a service provider.

Payment Gateways connect a merchant to the bank or processor that is acting as the front-end connection to the card brands. Gateways route many inputs from a variety of different applications to the appropriate bank or processor. They communicate with the bank or processor using dial-up, Web-based or privately held connections.

The point-of-sale (POS) environment refers to a transaction that takes place at a merchant location (i.e., retail store, restaurant, hotel, gas station, convenience store, etc.). An Internet protocol (IP)-based POS is when transactions are stored, processed or transmitted on IP-based systems or systems communicating via TCP/IP.

Payment Application Data Security Standard (PA-DSS) is upheld by the PCI Security Standards Council (SSC) to address the critical issue of payment application security. The requirements are designed to ensure that vendors provide products to help merchants maintain PCI DSS compliance and eliminate the storage of sensitive cardholder data.The PCI SSC administers the program to validate payment applications’ compliance against the PA-DSS, and publishes and maintains a list of PA-DSS validated applications. See https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml for more information.

TAccording to PCI DSS requirement 3.3, the first six and last four digits are the maximum number of digits that can be displayed. Any paper receipts stored by merchants must adhere to the PCI DSS, especially regarding physical security.

An acquiring bank may be fined by the card brands anywhere from $5,000 to $100,000 per month for PCI compliance violations. These fines are passed downstream to the merchant. In addition, your account is subject to many additional costs including lawsuits from cardholders and issuing banks, the reissuance of cards, brand damage and a required forensic investigation. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business. It is important to be familiar with your merchant account agreement, which should outline your exposure.