Compliance

With data security compromises on the rise, it is more important than ever to ensure your business is compliant with the Payment Card Industry Data Security Standard (PCI DSS) and that your payment application is compliant with the Payment Application Data Security Standard (PA-DSS). The sections below explain how to confirm you are compliant and, in doing so, safeguard your business and your customers.

ENSURING YOU ARE PCI-DSS COMPLIANT

The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational requirements defined by the PCI Security Standards Council to protect cardholder data. The Council maintains the PCI DSS; compliance with it is enforced by the payment brands that founded the Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. (in practice, through the acquiring banks that hold your merchant account).

The PCI DSS applies to every organization that stores, processes or transmits cardholder data. If your business accepts card payments and stores, processes or transmits payment card data, it must meet the PCI DSS. Outsourcing those functions to a third party narrows the scope of your assessment, but it does not remove your obligation to validate compliance.

Where to Begin

For most merchants, completing a self-assessment questionnaire (SAQ) is the way to validate that your business is PCI compliant. Keep in mind that the SAQ is a validation tool, not a substitute for meeting the requirements: each question must be answered truthfully about your actual environment, and the largest merchants (those your acquirer designates as Level 1) must instead have an on-site assessment by a Qualified Security Assessor. The following links and the table at the bottom of this page provide the information you need to understand the requirements.

Links to Learning More About PCI

  • PCI Overview — Find out what PCI is and why it is important for your business to become compliant.
  • Decision Tree Diagram — Use this decision tree diagram to determine which validation type your business fits into, so that you can complete the necessary compliance steps.

The chart below lists the SAQ types according to how your business processes credit and debit cards. Determine which validation type you fit into, then use the letter in the first column to locate the corresponding SAQ published by the PCI Security Standards Council. Note that the chart reflects SAQ v2.0; later revisions of the standard added further SAQ types (for example A-EP, B-IP and P2PE), so check the current SAQ list on the Council's website before choosing.

SAQ v2.0 types

Type   Description
A      Card-not-present (e-commerce or mail/telephone-order) merchants. All cardholder data functions are outsourced. This type never applies to face-to-face merchants.
B      Imprint-only merchants with no electronic cardholder data storage, or standalone dial-out terminal merchants with no electronic cardholder data storage.
C-VT   Merchants using only web-based virtual terminals, with no electronic cardholder data storage.
C      Merchants with payment applications connected to the Internet, with no electronic cardholder data storage.
D      All other merchants not included in the descriptions for SAQ types A through C above.

For additional help in determining which category best describes your business, see the decision tree diagram referenced above.

If you need guidance, we are happy to assist you free of charge. Contact Heartland Payment Systems at 888.963.3600 or HeartlandServiceCenter@e-hps.com.

ENSURING YOU ARE PA-DSS COMPLIANT

Visa requires you to use a payment application that adheres to the Payment Application Data Security Standard (PA-DSS), which is based on Visa’s Payment Application Best Practices (PABP). These mandates are designed to eliminate from Visa’s payment system the use of non-secure payment applications that store prohibited data elements. According to the PCI Council, “The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure payment applications support compliance with the […] PCI DSS.” In practice this means choosing a vendor application that appears on the Council's list of validated payment applications, and deploying it according to the vendor's PA-DSS implementation guide, since an insecure deployment can undo the protections the validation certifies.

Where to Begin

  • Familiarize yourself with the PA-DSS requirements and the best-practice tips for achieving compliance.
  • To learn more about the PA-DSS, visit the PCI Security Standards Council website.