Complicated made simple.
Help is at Hand
If you’re taking card payments, you’re also handling sensitive financial data. If that data is compromised, your customers could become victims of fraud and you could face fines.
So every company that accepts credit or debit cards has to comply with PCI DSS (Payment Card Industry Data Security Standard), which ensures customer data is kept as secure as possible. Nothing too scary, but something to be aware of.
To become compliant, there are some forms to complete each year, and if you have a wifi terminal you’ll also need to perform quarterly scans. It’s important this is done to avoid the acquiring bank charging non-compliance fees each month, so please take the time to do this.
If you need any help please call our customer services team or the PCI team on 0345 850 0195 who can guide you through the process.
Frequently Asked Questions
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements for enhancing payment account data security.
These standards were developed by the PCI Security Standards Council, which was founded by Visa®, MasterCard®, JCB®, Discover® and American Express® to facilitate industry-wide adoption of consistent data security measures on a global basis.
I’m a small merchant who has limited payment card transaction volume. Do I need to be compliant with PCI DSS?
Yes. All businesses – regardless of size – that store, process or transmit cardholder data must comply with the PCI DSS. The requirements apply to all acceptance channels including retail (brick-and-mortar), mail/telephone order (MOTO) and e-commerce.
Data security is vital for any business that accepts credit and debit card payments, especially for small business merchants, which make up 91% of those affected by a data breach. This is an industry-wide problem, which the PCI DSS was designed to combat. No business is without risk.
Why was PCI DSS created?
The PCI DSS requirements for security management, policies, procedures, network architecture, software design and other critical protective measures are intended to proactively protect customer account data.
I have never heard of PCI compliance before. Is this new?
No. Merchants have been advised to complete the PCI Self-Assessment Questionnaire (SAQ) to identify potential security risks in order to achieve PCI compliance since 2010. The framework of the PCI Data Security Standard is not new; it has been required in different forms for some time now and continues to evolve.
What does this mean to me and my business?
All entities, merchants and service providers that store, process, or transmit cardholder data must meet PCI DSS requirements. Requirements for certification vary depending on the number of transactions an entity processes and the manner in which they are processed.
Who should I contact for support in becoming PCI DSS compliant?
Elavon has partnered with leading PCI DSS compliance service providers to help you evaluate the status of your account, to assist with any necessary remediation efforts and to certify your account’s PCI compliance.
If you have any queries regarding your merchant account or general PCI questions, please contact Elavon customer service at 0345 8500195 (option 2).
Do I have to use Elavon's chosen QSA provider?
No. There are many Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs). You are free to certify with any vendor you like. If you choose to use a third-party QSA/ASV, you must upload your compliance certificate via our PCI portal.
What happens if I don’t get certified?
If you do not comply with the security requirements of the card associations, you put your organisation at risk of payment card compromise. You will also be liable for the cost of the required forensic investigations, fraudulent purchases and the cost of re-issuing cards. You may also lose your credit card acceptance privileges.
Elavon might impose additional fees for each month in which your account has not been validated as PCI compliant or is deemed non-compliant. Once you have obtained compliant status, you must maintain it in order to avoid this fee in the future.
What am I required to do to become PCI Compliant?
The minimum requirement for a level 4 merchant is to complete a PCI DSS Self-Assessment Questionnaire (SAQ) on an annual basis and achieve a passing score. If you electronically store cardholder information or if your processing systems have any internet connectivity, a quarterly network vulnerability scan by an approved scanning vendor is also required.
How easy is it to complete PCI validation?
It depends how complex your card handling environment is, but on average completion takes 20 minutes.
What is a Quarterly Network Vulnerability Scan?
A vulnerability scan is an automated, non-intrusive scan that assesses your network and Web applications from the Internet (on the external-facing IPs).
The scan will identify any vulnerabilities or gaps that may allow an unauthorised or malicious user to gain access to your network and potentially compromise cardholder data. The scans do not require you to install any software on your systems, and no denial-of-service attacks will be performed.
Is there an additional cost for quarterly scans?
For merchants who require quarterly scans, any associated cost is built into the price quoted in our PCI Programme. If additional IP addresses are added to your business between scans, there may be additional costs.
What if I fail the scan?
If you fail the network vulnerability scan, this means the scan discovered high-severity vulnerabilities in your network. These vulnerabilities should be remediated and another scan performed to confirm that no further vulnerabilities remain. We will help guide you through remediating a failed scan and working toward compliance.
First, log in to our PCI Portal to review the scan results. The report provides a description of each identified issue and resources to begin fixing it. You will need to address each of the problems and then schedule a directed scan to confirm that your remediation meets the PCI DSS.
What if I am required to upgrade my equipment or software to become compliant?
As part of becoming PCI compliant you may be required to upgrade your equipment and/or software to a PCI DSS certified version.
You must contact your equipment and/or software vendor to discuss what options may be available and the costs associated with those options, if any.
The cost associated with any equipment and/or software upgrade will not be covered by Elavon.
My business has multiple locations. Is each location required to certify?
If your business locations process under the same Tax ID, location address and the same IP addresses, you are only required to certify once for all locations.
Please contact our customer assistance team via the contact details on the PCI Portal.
If your business locations have different Tax IDs you will need to certify once per Tax ID, location address and IP address.
How long is the PCI compliance certification valid?
How long a PCI compliance certificate remains valid depends on whether your business requires a questionnaire or a scan.
If your business only requires the annual questionnaire, PCI Certification is valid for one year.
If your business requires quarterly scans, PCI Certification is valid for three months at which time your next quarterly scan will be due.
If I change the way in which my business stores, processes or transmits cardholder data am I required to re-certify?
If you change the manner in which you store, process or transmit cardholder data, you may increase the vulnerability of your business and must contact your PCI portal customer assistance team for re-certification.
What if I have already performed my PCI Compliance self-assessment questionnaire (and applicable quarterly scans)?
If you have been PCI DSS certified within the past several months through another approved scanning vendor, please submit all of your certification documentation to us so that we know your account is currently PCI compliant.
You can upload your PCI certificate through our PCI portal.