Identity theft is on the rise at an alarming rate. Credit card theft and the dollars lost are
staggering. In response to this trend,
the Card Brands – VISA, MasterCard, American Express and Discover – have
developed rules and regulations that require merchants to protect their
customers’ credit and debit card information.
If your business accepts credit cards or debit cards for
payment, PCI Compliance affects you. The
major Card Brands are no longer letting businesses “opt out” of this
What is PCI DSS?
Payment Card Industry Data Security Standard (PCI DSS). The acronym represents the set of
requirements designed to ensure that all companies that process, store or
transmit credit card information maintain a secure environment. The PCI Security Standards Council was
launched 9/7/06 to manage and focus on improving payment account security
throughout the transaction process.
The PCI Security Standards Council has an in-depth website
available at https://www.pcisecuritystandards.org.
How does this affect
If your business accepts credit or debit cards for payment
of merchandise and/or services, you must comply with PCI DSS. Each business must now provide proof of
compliance annually in order to continue accepting these cards. This requirement is regardless of your size
of business, the number of transactions you process, the total dollars of the
transactions you process, or how you accept payments.
What do I need to do
to prove compliance?
If your business processes card sales through United Bank
and NPC, you are automatically enrolled in the NPC Platinum Security Protection
Program. However, you must complete the
Self Assessment Questionnaire to validate your compliance of the standards. If you elect not to participate in this program,
you will be required to provide evidence of your business’s compliance from an
approved 3rd Party certified vendor.
What happens if I do
Your processor must prove your compliance to the major card brand
associations to allow you to accept their cards in your business. For United Bank customers processing through
NPC, a non-compliance fee of $19.95 per month will be charged beginning with
your October statement.
How does the NPC
Platinum Security Protection Program work?
The NPC Program is designed to provide its customers with
the certification tools needed to prove compliance. Furthermore, following the validation and
certification of your business’s payment processes, NPC will provide the
merchant with indemnification protection in the amount of $50,000 in the event
of a card data theft.
What is the cost for
The annual fee for validation is $90 for most businesses. Businesses with PC/IP and Internet Gateway processing solutions will pay $165 annually. This fee is a one-time charge reflected on your processing statement. You may elect to be charged in monthly increments.
What do I do to begin
the validation/certification process?
Business owners or managers must complete a Self-Assessment Questionnaire. You will receive notification via mail, processing statements, or email. We highly recommend that you complete the questionnaire online by visiting
www.NPCdata.net. This will make the validating process faster and more convenient. You must enter your MID (merchant identification number), your business’s tax ID and your zip code.
If this is your first visit to the secure site, you will be
asked to register a new password. Your
old password is your MID. After
resetting your password, you will select the survey applicable to your business
and proceed. The questionnaire has been
partially completed to get you started.
If you prefer, you may also complete the questionnaire by
calling 1-877-479-6649. Telephone
prompts will assist you with completing each question.
Note: To complete the
questionnaire, you should have a working knowledge of an estimate of your
annual revenue through credit card deposits.
Secondly, if you process your credit card sales through a computer or
internet connection, you should have your network administrator available to
assist you as you answer the questionnaire.
United Bank’s partner, NPC, has a dedicated department of
experienced industry experts focused on helping merchants to protect themselves
from this very real threat. If you need
assistance, you can contact the dedicated PCI team at firstname.lastname@example.org.
Our Business Services staff is also available to assist you
with the validation process. Please call
us at 770-567-7211 anytime between 8:30 and 5:30, Monday through Friday.
I’ve already paid my
$90 for the NPC Protection. Why am I
being charged a non-compliance fee?
If you did not follow through with the Self-Assessment
Questionnaire to gain certification, your process is incomplete. You must complete the questionnaire
completely in order to be validated. Go
to www.NPCdata.net or by calling
Why do the Card
Brands care about my payment processes? – I know all of my customers.
There are several types of security breaches that can affect
any type of business. An electronic breach steals vulnerable data
in transit and in storage, at the application level via a web server, websites,
unauthorized access to encryption keys, misconfigurations within the network or
malware attacks. A physical breach is a theft of documents or equipment such as
cardholder receipts, files, PCs, POS terminals, etc. Skimming
occurs when someone captures card magnetic stripe data using an external
device to create counterfeit cards. The
PCI validation process will reveal these vulnerabilities within your business.
I only accept credit
cards over the phone. Does PCI still
apply to my business?
Yes. All businesses
that accept credit or debit cards must be PCI Compliant.
What is defined as
Cardholder data is any personally identifiable data
associated with a cardholder. This
includes the account number, expiration date, name, address, social security
What is a payment
A payment application is anything that stores, processes, or
transmits card data electronically.
Examples are any Point of Sale System in a restaurant and a website
e-commerce shopping cart. Any piece of
software that has been designed to touch credit card data is considered a
What is a payment
Payment Gateways connect a merchant to the bank or processor
that is acting as the front-end.
Gateways communicate with the bank or processor using dial-up
connections, web-based connections or privately held leased lines.
Does my business need
vulnerability scanning to validate compliance?
If you electronically store cardholder data following the
authorization OR if your processing systems have any internet connectivity, a
quarterly scan by a PCI SSC approved scanning vendor is required.
What is a network
A network security scan involves an automated tool that
checks a merchant’s system for vulnerabilities.
The tool will conduct a non-intrusive scan to remotely review networks
and web applications based on Internet protocol. The scan will identify vulnerabilities in
operating systems, services and devices that could be used by hackers to target
the company’s private network.