PCI Compliance FAQs for Merchants

Background
Whose compliance standards are these?
I thought AccountEdge is PCI Compliant. Why do I need to become PCI Compliant?
How do I become PCI Compliant?
How Can I Determine Which Self-Assessment Questionnaire I am required to complete?
What are Quarterly Network Scans?
What version of the software do I need to be using in order to be PCI compliant?
Is AccountEdge a PA-DSS validated payment application?
What is "Tokenization" and Forte's Payment Gateway Hosted Web Form?
Am I required to complete a PCI Self Assessment Questionnaire (SAQ) and a quarterly network scan?

Background

This article focuses on PCI DSS compliance and your requirements as a merchant. This information is primarily targeted at those merchants who use Forte Payment Systems (formerly known as ACH Direct) as their merchant account provider. If you are using another provider, some of the FAQs may still prove useful, but we advise you to consult with your merchant account provider (most likely the organization that sends you your monthly statement).

For merchants using the Forte Gateway and AccountEdge and upgrading from AccountEdge 2009 (and older), there is important setup information to consider when upgrading your company file.

Whose compliance standards are these?

The Payment Card Industry Data Security Standard (PCI DSS) is a mandatory compliance standard, maintained by the PCI Security Standards Council and enforced by the card brands (VISA and MasterCard among them), that governs the way merchants store, process or transmit cardholder data. Its primary objective is to reduce the risk of cardholder data being compromised. You can read more about PCI DSS on the PCI Security Standards Council's website. Both Forte and Acclivity are merely complying with these standards as enforced by VISA and MasterCard, as well as Global Payments (the back-end processor for the credit card transactions).

I thought AccountEdge is PCI Compliant. Why do I need to become PCI Compliant?

The software you choose to process credit cards is only one aspect of achieving PCI compliance. While AccountEdge Pro complies with PCI DSS guidelines, as a merchant handling cardholder data you are also required to complete a Self Assessment Questionnaire and, most likely, perform quarterly network scans. In other words, the software reduces how much of your environment is in scope; it does not remove your obligations as a merchant.

How do I become PCI Compliant?

You have three options to achieve PCI compliance:

  1. You complete and pass the Self Assessment Questionnaire (SAQ) yourself and sign the Attestation of Compliance. These forms can be found on the PCI Security Standards Council's website. While both the Acclivity Customer Care and Forte Customer Service teams may be able to answer very basic PCI-oriented questions, neither group has the level of PCI experience or training required to give you the expertise you most likely require. In other words, completing the SAQ is often not an easy process and we are not claiming to be able to provide much help.
  2. You can find a QSA (Qualified Security Assessor) to assist you with your PCI Compliance, completing the PCI Attestation of Compliance and Quarterly Network Scans. A list of approved QSAs can be found on the PCI Council's website.
  3. Due to the complexity of becoming PCI compliant and the difficulty in navigating the different questionnaires, Forte has negotiated a special rate for AccountEdge and Checkout customers for Aperia PCI management system's compliance services.

How Can I Determine Which Self-Assessment Questionnaire I am required to complete?

If you are planning to complete the Self Assessment Questionnaire manually, you will first need to determine which questionnaire applies to you. On the PCI Security Standards Council's website you will see the various SAQ types (SAQ A, B, C, D and so on), each of which applies to a particular way of accepting cards.

Most merchants using the latest versions of AccountEdge and Checkout are Level 4 merchants (the lowest transaction-volume tier defined by the card brands) and will complete SAQ C or SAQ D. Which of the two applies depends primarily on how your business' computer network is laid out.

For example: if the computer processing credit cards is on the same network as other computers (that is, the network is not segmented), your whole network is in scope and you will be required to complete SAQ D, which tends to be more technical and complicated.

What are Quarterly Network Scans?

Merchants using a computer to process credit cards over an internet connection are required to complete Quarterly Network Scans. These vulnerability scans test your network from the outside, without the need to install any software, and must be performed by an Approved Scanning Vendor (ASV), such as Aperia. A passing scan report from the ASV is part of the evidence you submit with your SAQ.

In most cases, the cost of these scans is similar in price to the Aperia service, which also includes assistance with your Self Assessment Questionnaire. Forte has negotiated a special rate for AccountEdge and Checkout customers for this service.

What version of the software do I need to be using in order to be PCI compliant?

AccountEdge Pro for Mac and Windows introduced changes to how credit cards are processed, changes which assist you in becoming a PCI compliant merchant. AccountEdge Pro is required in order for you to pass your Self Assessment Questionnaire.

AccountEdge Pro does not store credit card numbers. When entering a credit card number, you are actually not entering the card into AccountEdge but, instead, into Forte's Payment Gateway web form. Once complete, AccountEdge stores a token (an ID number that represents the credit card used) for use with future transactions. When a user processes a future payment with the same credit card, the corresponding token is used to tell Forte's Payment Gateway which credit card to charge.

Is AccountEdge a PA-DSS validated payment application?

With the introduction of AccountEdge Pro, the payment processing and handling of credit card numbers is done by Forte's PCI compliant Payment Gateway. AccountEdge does not store credit card numbers: when entering a credit card number, you are actually not entering the card into AccountEdge but, instead, into Forte's Payment Gateway web form. Once complete, AccountEdge stores a token (an ID number that represents the credit card used) for use with future transactions. When a user processes a future payment with the same credit card, the corresponding token is used to tell Forte's Payment Gateway which credit card to charge.

So to answer the question: no, AccountEdge is not considered a payment application and, therefore, cannot be (and does not need to be) a validated payment application. AccountEdge uses Forte's Payment Gateway PCI compliant hosted web form. When filling out your SAQ (Self Assessment Questionnaire) or working with Aperia or other QSA (Qualified Security Assessor), you should choose "I use a computer and a virtual terminal (aka hosted order page)".

What is "Tokenization" and Forte's Payment Gateway Hosted Web Form?

Tokenization is the method by which AccountEdge Pro handles credit card processing. AccountEdge does not store credit card numbers: when entering a credit card number, you are not actually entering the card into AccountEdge but, instead, into Forte's PCI compliant Payment Gateway web form. Once completed, AccountEdge stores a token (an ID number that represents the credit card used) for use with future transactions. When a user processes a payment with the same credit card, the corresponding token is used to tell Forte's Payment Gateway which credit card to charge. Because the token is only meaningful to the gateway, a copy of your company file does not contain anything an attacker could use to make a charge elsewhere.
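The flow described above (and in the two preceding answers) can be made concrete with a small simulation. The following is an added example written for this page, not AccountEdge or Forte code, and the `GatewayVault`, `MerchantLedger`, `tokenize` and `charge` names are hypothetical stand-ins: the gateway side plays the hosted web form and card vault, the merchant side plays the company file. It finishes with the check a merchant or assessor actually wants when answering the SAQ: a scan of everything stored merchant-side for anything that looks like a card number. The sample card number is a constructed, well-known test PAN.

```python
"""Added example: a simulated hosted-form tokenization flow.

GatewayVault stands in for the payment gateway's hosted web form and card
vault (hypothetical, not Forte's API). MerchantLedger stands in for what the
merchant keeps locally. The scope check at the end shows that merchant-side
data holds only a gateway-issued token and the last four digits, never a PAN.
"""
import json
import re
import secrets

# Constructed sample input: a well-known test PAN, not a real card.
SAMPLE_PAN = "4111 1111 1111 1111"


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class GatewayVault:
    """Stands in for the gateway's hosted form and card vault (hypothetical)."""

    def __init__(self):
        self._vault = {}     # token -> (pan, exp_month, exp_year); gateway side only

    def tokenize(self, pan: str, exp_month: int, exp_year: int) -> dict:
        """Accept a PAN (in real life typed into the hosted web form, never into
        the merchant application) and return a token plus non-sensitive fields."""
        pan = re.sub(r"[\s-]", "", pan)
        if not luhn_valid(pan):
            raise ValueError("PAN fails Luhn check")
        # Random token, grouped in fours so it can never be mistaken for a PAN.
        raw = secrets.token_hex(16)
        token = "tok_" + "-".join(raw[i:i + 4] for i in range(0, len(raw), 4))
        self._vault[token] = (pan, exp_month, exp_year)
        return {"token": token, "last4": pan[-4:],
                "exp_month": exp_month, "exp_year": exp_year}

    def charge(self, token: str, amount_cents: int) -> dict:
        """Charge a previously tokenized card; the merchant never resends the PAN."""
        try:
            pan, _, _ = self._vault[token]
        except KeyError:
            raise KeyError("unknown token") from None
        return {"status": "approved", "amount_cents": amount_cents, "last4": pan[-4:]}


class MerchantLedger:
    """Stands in for the merchant-side records (the company file)."""

    def __init__(self):
        self.customers = {}

    def save_card(self, customer_id: str, token_response: dict) -> None:
        # Keep only the fields the gateway returned as safe to store.
        self.customers[customer_id] = {
            k: token_response[k] for k in ("token", "last4", "exp_month", "exp_year")
        }

    def token_for(self, customer_id: str) -> str:
        return self.customers[customer_id]["token"]

    def dump(self) -> str:
        """Serialize everything the merchant stores, for the scope check."""
        return json.dumps(self.customers, sort_keys=True)


PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(blob: str) -> list:
    """Scope check: return every Luhn-valid 13-19 digit run found in a text blob."""
    return [m for m in PAN_RE.findall(blob) if luhn_valid(m)]


def run_flow() -> dict:
    """Tokenize once, charge twice by token, then scan merchant data for PANs."""
    gateway = GatewayVault()
    ledger = MerchantLedger()
    ledger.save_card("CUST-001", gateway.tokenize(SAMPLE_PAN, 12, 2030))
    first = gateway.charge(ledger.token_for("CUST-001"), 4999)
    second = gateway.charge(ledger.token_for("CUST-001"), 1250)
    return {"charges": [first, second], "merchant_pans": find_pans(ledger.dump())}


if __name__ == "__main__":
    print(json.dumps(run_flow(), indent=2))
```

Running the script charges the same customer twice using only the stored token, and `merchant_pans` comes back empty, while the same `find_pans` scan over the gateway's vault would find the card. That asymmetry is the whole point of the "I use a virtual terminal / hosted order page" answer on the SAQ: the number exists only where the gateway, not the merchant, is responsible for it. The same scan is also a useful sanity check to run over exports, backups and log files before attesting that no cardholder data is stored.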

Am I required to complete a PCI Self Assessment Questionnaire (SAQ) and a quarterly network scan?

According to Visa, Level 4 merchants "may" be required to complete an SAQ and Quarterly Scan, depending on your merchant account "Acquirer". Global Payments, the processor/acquirer providing your merchant account with Forte, requires all merchants, including Level 4 merchants, to complete an SAQ and Quarterly Scan.

Forte has partnered with Aperia to assist merchants in fulfilling their PCI requirements, which includes the annual SAQ and quarterly scans.