PCI Compliance question

J-Wholesale

Free Member
Jul 13, 2008
764
213
Quick question on PCI compliance. Does the PCI compliance process apply to a company or to a company's merchant account? If you have two separate merchant accounts, both handling transactions in different ways, would you need to go through the compliance process twice?

I ask because Trustkeeper's compliance questionnaire has room for only a single merchant account number, and its questions don't allow for different card handling processes for different accounts.
 

Setfire

Free Member
Sep 6, 2010
36
7
Stockport, UK
It applies to a company (merchant). If you handle cardholder data in any way (telephone, fax, online, etc) it applies, and to all those methods. You should only need to go through the attestation process once though.

Of course, PCI-DSS is an ongoing thing in that you have to continue to operate in a way which protects your customer's cardholder data.
 
Last edited:
Upvote 0

Mustaka

Free Member
Feb 3, 2009
332
161
The PCI-DSS compliance is issued to the company as a company may have many merchant accounts from many banks. However the process of securing card data should be applied to all methods a company uses to process into the various accounts. The company must be able to demonstrate if there is a compromise what they had in place for each merchant account.

Hope that helps.
 
Upvote 0

J-Wholesale

Free Member
Jul 13, 2008
764
213
We have 2 merchant accounts. One is an online merchant account (Sterling) that we use for all website payments, and the other is not an online account and has a machine connected to a phone line that we use to process telephone orders in Euro (customer not present).

The request for PCI compliance came via the online merchant account, and if this were the only account, the process would be very straight forward, as all credit card info for this account is handled on the payment collectors website (Realex).

Strange thing is, both accounts are with the same company (Elavon), yet all communication regarding the compliance lists only the online account, as if they don't realise we have two.
 
Upvote 0

JamieM

Free Member
Mar 22, 2006
2,318
351
Are all the MIDs owned by one company or four separate companies? We have probably a dozen merchant accounts with various banks and we only do the process once.

Who made you do 4 separate certifications?

Bank of Scotland. We have MOTO, GBP, USD and EUR accounts with them. They charged us non-compliance (or whatever) on each as well.

Yeah all under one company.
 
Last edited:
Upvote 0

kulture

Free Member
Aug 11, 2007
8,963
1
2,756
68
www.kultureshock.co.uk
PCI compliance is in effect how you protect the credit card data and ensure it is not compromised. As a company you should have a single set of comprehensive procedures etc etc that add up to PCI compliance. Thus in theory it is ONE PCI compliance per company. The devil is in the detail. If you have several merchant accounts and several different ways to process and handle credit cards, then you must ensure that your PCI compliance covers all the ways in which you process cards. You also need to ensure that each separate merchant provider/account agrees that you are PCI compliant with your single questionnaire/scan/whatever. It may simply be easier to do one per merchant account. It certainly cannot get you penalised.

Last edited:
Upvote 0
