Identity theft is on the rise at an alarming rate. Credit card theft and the dollars lost are staggering. In response to this trend, the Card Brands – VISA, MasterCard, American Express and Discover – have developed rules and regulations that require merchants to protect their customers’ credit and debit card information.

If your business accepts credit cards or debit cards for payment, PCI Compliance affects you. The major Card Brands are no longer letting businesses “opt out” of this requirement.
What is PCI DSS?

PCI DSS stands for the Payment Card Industry Data Security Standard. It is the set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment. The PCI Security Standards Council was launched 9/7/06 to manage the standard and to focus on improving payment account security throughout the transaction process.

The PCI Security Standards Council has an in-depth website available at https://www.pcisecuritystandards.org.
How does this affect my business?

If your business accepts credit or debit cards for payment of merchandise and/or services, you must comply with PCI DSS. Each business must now provide proof of compliance annually in order to continue accepting these cards. This requirement applies regardless of the size of your business, the number of transactions you process, the total dollars of the transactions you process, or how you accept payments.
What do I need to do to prove compliance?

If your business processes card sales through United Bank and NPC, you are automatically enrolled in the NPC Platinum Security Protection Program. However, you must complete the Self-Assessment Questionnaire to validate your compliance with the standards. If you elect not to participate in this program, you will be required to provide evidence of your business’s compliance from an approved third-party certified vendor.
What happens if I do not comply?

Your processor must prove your compliance to the major card brand associations to allow you to accept their cards in your business. For United Bank customers processing through NPC, a non-compliance fee of $19.95 per month will be charged beginning with your October statement.
How does the NPC Platinum Security Protection Program work?

The NPC Program is designed to provide its customers with the certification tools needed to prove compliance. Furthermore, following the validation and certification of your business’s payment processes, NPC will provide the merchant with indemnification protection in the amount of $50,000 in the event of a card data theft.
What is the cost for this service?

The annual fee for validation is $90 for most businesses. Businesses with PC/IP and Internet Gateway processing solutions will pay $165 annually. This fee is a one-time charge reflected on your processing statement. You may elect to be charged in monthly increments.
What do I do to begin the validation/certification process?

Business owners or managers must complete a Self-Assessment Questionnaire. You will receive notification via mail, processing statements, or email. We highly recommend that you complete the questionnaire online by visiting www.NPCdata.net. This will make the validating process faster and more convenient. You must enter your MID (merchant identification number), your business’s tax ID and your zip code.

If this is your first visit to the secure site, you will be asked to register a new password. Your old password is your MID. After resetting your password, you will select the survey applicable to your business and proceed. The questionnaire has been partially completed to get you started.

If you prefer, you may also complete the questionnaire by calling 1-877-479-6649. Telephone prompts will assist you with completing each question.
Note: To complete the questionnaire, you should have an estimate of your annual revenue from credit card deposits. Secondly, if you process your credit card sales through a computer or internet connection, you should have your network administrator available to assist you as you answer the questionnaire.
United Bank’s partner, NPC, has a dedicated department of experienced industry experts focused on helping merchants to protect themselves from this very real threat. If you need assistance, you can contact the dedicated PCI team at pcicompliance@npc.net.
Our Business Services staff is also available to assist you with the validation process. Please call us at 770-567-7211 anytime between 8:30 and 5:30, Monday through Friday.
I’ve already paid my $90 for the NPC Protection. Why am I being charged a non-compliance fee?

If you did not follow through with the Self-Assessment Questionnaire to gain certification, your process is incomplete. You must complete the entire questionnaire in order to be validated. Go to www.NPCdata.net or call 1-877-479-6649.
Why do the Card Brands care about my payment processes? – I know all of my customers.

There are several types of security breaches that can affect any type of business. An electronic breach captures data in transit or in storage, and can occur at the application level (via a web server or website), through unauthorized access to encryption keys, through misconfigurations within the network, or through malware attacks. A physical breach is a theft of documents or equipment such as cardholder receipts, files, PCs, POS terminals, etc. Skimming occurs when someone captures card magnetic stripe data using an external device to create counterfeit cards. The PCI validation process will reveal these vulnerabilities within your business.
I only accept credit cards over the phone. Does PCI still apply to my business?

Yes. All businesses that accept credit or debit cards must be PCI Compliant.
What is defined as ‘cardholder data’?

Cardholder data is any personally identifiable data associated with a cardholder. This includes the account number, expiration date, name, address, social security number, etc.
What is a payment application?

A payment application is anything that stores, processes, or transmits card data electronically. Examples include a point-of-sale system in a restaurant and an e-commerce website’s shopping cart. Any piece of software that has been designed to touch credit card data is considered a payment application.
What is a payment gateway?

Payment gateways connect a merchant to the bank or processor that is acting as the front-end. Gateways communicate with the bank or processor using dial-up connections, web-based connections or private leased lines.
Does my business need vulnerability scanning to validate compliance?

If you electronically store cardholder data following the authorization OR if your processing systems have any internet connectivity, a quarterly scan by a PCI SSC approved scanning vendor is required.
What is a network security scan?

A network security scan uses an automated tool that checks a merchant’s systems for vulnerabilities. The tool conducts a non-intrusive scan, remotely reviewing the merchant’s Internet-facing networks and web applications. The scan identifies vulnerabilities in operating systems, services and devices that could be used by hackers to target the company’s private network.