PCI Compliance FAQs for Merchants

Frequently Asked Questions regarding PCI DSS compliance and your requirements. This information is primarily targeted at those merchants who use ACH Direct as their merchant account provider. If you are using another provider, some of the FAQs may prove useful, but we advise you to consult with your merchant account provider (most likely the organization that sends you your monthly statement).

For merchants using the ACH Direct Gateway and AccountEdge and upgrading from AccountEdge 2009 (and older), there is important setup information to consider when upgrading your company file.

Whose compliance standards are these?

Payment Card Industry - Data Security Standard (PCI DSS) is a mandatory compliance initiative driven by VISA and MasterCard to govern the way merchants store, process or transmit cardholder data. One of their primary objectives is to develop a more secure system. Read more about PCI DSS here. Both ACH Direct and Acclivity are merely complying with these standards as enforced by VISA and MasterCard, as well as Global Payments (the back-end processor for the credit card transactions).

I thought AccountEdge is PCI Compliant. Why do I need to become PCI Compliant?

The software you choose to process credit cards is only one aspect of achieving PCI compliance. While AccountEdge 2010 (and later) complies with PCI DSS guidelines, as a merchant handling cardholder data you are also required to complete a Self Assessment Questionnaire and, most likely, perform quarterly network scans.

How do I become PCI Compliant?

You have three options to achieve PCI compliance:

(1) You complete and pass the Self Assessment Questionnaire (SAQ) by hand and receive the Attestation of Compliance. These forms can be found on the PCI Security Standards Council’s website. While both the Acclivity Customer Care and ACH Direct Customer Service teams may be able to answer very basic PCI-oriented questions, neither group has the level of PCI experience or training required to give you the expertise you most likely require. In other words, completing the SAQ is often not an easy process and we're not claiming to be able to provide much help.

(2) You can find a QSA (Qualified Security Assessor) to assist you with your PCI Compliance, completing the PCI Attestation of Compliance and Quarterly Network Scans. A list of approved QSAs can be found on the PCI Council’s website.

(3) Due to the complexity of becoming PCI compliant and the difficulty in navigating the different questionnaires, ACH Direct has negotiated a special rate for AccountEdge and Checkout customers for TrustWave’s compliance assistance services. TrustWave is a trusted leader in the compliance industry.

Trustwave’s TrustKeeper service includes:
• Assistance with completing the required Self Assessment Questionnaire and Attestation of Compliance
• Quarterly network vulnerability scans. These scans are required for those using an internet connection in order to process credit cards. The scan is completed externally without the need to install any software. The scans alone typically cost $20-40 per quarter with Qualified Security Assessors.

You can get started with TrustKeeper here.

How Can I Determine Which Self-Assessment Questionnaire I am required to complete?

Using TrustWave’s TrustKeeper service, the assistant will step you through questions to determine what level of merchant you are and which questionnaire you are required to complete. The service then steps you through the various questions and assists you with becoming compliant.

If you are planning to complete the Self Assessment Questionnaire manually, you will need to determine which questionnaire to complete. On the PCI Security Standards Council’s website, you will see the various levels of the questionnaire.

Most merchants using the latest versions of AccountEdge and Checkout will fall under SAQ Level 4 or 5, requiring the completion of SAQ C or D. Classification is primarily dependent on your business’ computer network.

For example: if the computer processing credit cards is on the same network as other computers, you will be required to complete SAQ D, which tends to be more technical and complicated.

What are Quarterly Network Scans?

Those merchants using a computer to process credit cards through an internet connection are required to complete Quarterly Network Scans. These vulnerability scans test your network externally without the need to install software and must be completed by an Approved Scanning Vendor (such as TrustWave).

In most cases, the cost of these scans is similar in price to the TrustWave service, which also includes assistance with your Self Assessment Questionnaire. ACH Direct has negotiated a special rate for AccountEdge and Checkout customers for this TrustWave service.

What version of the software do I need to be using in order to be PCI compliant?

AccountEdge 2010 for Mac and Windows contained changes to how credit cards are processed, changes which assist you in becoming a PCI compliant merchant. AccountEdge 2010 is required in order for you to pass your Self Assessment Questionnaire.

AccountEdge 2010 does not store credit card numbers. When entering a credit card number, you're actually not entering the card into AccountEdge but, instead, into ACH Direct’s Payment Gateway web form. Once complete, AccountEdge stores a token (an ID number that represents the credit card used) for use with future transactions. When a user processes a future payment with the same credit card, the corresponding token is used to tell ACH Direct's Payments Gateway which credit card to charge.

Is AccountEdge a PA-DSS validated payment application?

With the introduction of AccountEdge 2010, the payment processing and handling of credit card numbers is done by ACH Direct's PCI compliant Payment Gateway. AccountEdge does not store credit card numbers and when entering a credit card number, you're actually not entering the card into AccountEdge but, instead, into ACH Direct’s Payment Gateway web form. Once complete, AccountEdge stores a token (an ID number that represents the credit card used) for use with future transactions. When a user processes a future payment with the same credit card, a corresponding token is used to tell ACH Direct's Payments Gateway which credit card to charge.

So to answer the question: no, AccountEdge is not considered a payment application and, therefore, cannot be (and does not need to be) a validated payment application. AccountEdge uses ACH Direct's Payment Gateway PCI compliant hosted web form. When filling out your SAQ (Self Assessment Questionnaire) or working with TrustWave or other QSA (Qualified Security Assessor), you should choose "I use a computer and a virtual terminal (aka hosted order page)".

Why don't I see AccountEdge in the list of payment applications in TrustWave's TrustKeeper PCI Wizard?

AccountEdge 2010 is not considered a payment application because of the way it allows you to process your credit card transactions. AccountEdge does not store credit card numbers and when entering a credit card number, you're not actually entering the card into AccountEdge but into ACH Direct’s Payment Gateway web form. Once this is done, AccountEdge stores a token (an ID number that represents the credit card used) for use with future transactions. When a user processes another payment with the same credit card, a corresponding token is used to tell ACH Direct's Payments Gateway which credit card to charge.

When completing your SAQ (Self Assessment Questionnaire) you can select the 2nd option: "I use a computer and a virtual terminal (aka hosted order page)".

If you already selected the answer "I use a point-of-sale (POS) device... or a payment application" in the question above, when you get to the step where you would enter the name of the payment application, you can click Cancel on this step.

If you need to speak with TrustWave or another Qualified Security Assessor, remember that AccountEdge uses ACH Direct’s hosted payment page through their Payment Gateway/Virtual Terminal. For more information, see the FAQ regarding Tokenization and ACH Direct’s Payments Gateway Hosted web form.

What is “Tokenization” and ACH Direct's Payment Gateway Hosted Web Form?

Tokenization is the method in which AccountEdge 2010 (and later) handles credit card processing. AccountEdge does not store credit card numbers and when entering a credit card number, you're not actually entering the card into AccountEdge but, instead, into ACH Direct’s PCI compliant Payment Gateway web form. Once completed, AccountEdge stores a token (an ID number that represents the credit card used) for use with future transactions. When a user processes a payment with the same credit card, the corresponding token is used to tell ACH Direct's Payments Gateway which credit card to charge.
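To make the tokenization flow described in this answer (and in the answers above on PA-DSS and the TrustKeeper wizard) concrete, here is an added illustration in Python. It is not AccountEdge or ACH Direct code: the class names, the random-token scheme, the in-memory vault and the sample test card number are all assumptions. It models the hosted web form as the only component that ever receives the card number, while the merchant-side record holds just the token and the last four digits, and it includes a check that no card number can be found in the merchant's own storage.

```python
import re
import secrets

# Constructed sample input: a widely used test card number, not a real card.
SAMPLE_PAN = "4111 1111 1111 1111"


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check digit validation on a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class HostedGateway:
    """Hypothetical stand-in for the gateway's hosted form and token vault.

    This is the only place a full card number is stored; the merchant
    application never sees it.
    """

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}   # token -> full card number

    def hosted_form_submit(self, raw_pan: str) -> dict:
        """Cardholder data enters here, as if typed into the hosted web form."""
        pan = re.sub(r"\D", "", raw_pan)
        if not 13 <= len(pan) <= 19 or not luhn_ok(pan):
            raise ValueError("not a plausible card number")
        # The token is random, so nothing about the card can be derived from it.
        token = secrets.token_urlsafe(24)
        self._vault[token] = pan
        # Only the token and a truncated PAN go back to the merchant.
        return {"token": token, "last4": pan[-4:]}

    def charge(self, token: str, amount_cents: int) -> dict:
        """A later charge references the card by token only."""
        pan = self._vault.get(token)
        if pan is None:
            raise KeyError("unknown token")
        return {"approved": True, "amount_cents": amount_cents, "card": "**** " + pan[-4:]}


class MerchantApp:
    """Hypothetical merchant-side application: stores tokens, never card numbers."""

    def __init__(self, gateway: HostedGateway) -> None:
        self.gateway = gateway
        self.cards_on_file: dict[str, dict] = {}   # customer id -> token record

    def store_card(self, customer_id: str, token_record: dict) -> None:
        self.cards_on_file[customer_id] = token_record

    def charge_customer(self, customer_id: str, amount_cents: int) -> dict:
        token = self.cards_on_file[customer_id]["token"]
        return self.gateway.charge(token, amount_cents)

    def contains_pan_data(self) -> bool:
        """Scan the merchant's stored records for anything that looks like a PAN."""
        blob = repr(self.cards_on_file)
        return any(luhn_ok(m) for m in re.findall(r"\d{13,19}", blob))


def demo() -> dict:
    gateway = HostedGateway()
    merchant = MerchantApp(gateway)
    # The card number is entered into the hosted form, not into the merchant app.
    record = gateway.hosted_form_submit(SAMPLE_PAN)
    merchant.store_card("cust-001", record)
    receipt = merchant.charge_customer("cust-001", 2599)
    return {
        "last4": record["last4"],
        "receipt": receipt,
        "merchant_holds_pan": merchant.contains_pan_data(),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `contains_pan_data` is the check a merchant would want when scoping an SAQ: if a scan of the application's own data finds no card numbers, the application is holding only tokens, which is what puts it outside the cardholder data environment.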

I have other questions or need help filling out the SAQ (Self Assessment Questionnaire). Who can I speak to?

If you've enrolled in TrustKeeper through ACH Direct's partnership with TrustWave, you can contact TrustWave who has been tasked with helping merchants become PCI compliant. To contact TrustWave, log into TrustKeeper and choose the Support link.

When speaking to TrustWave, they may ask which payment application you're using. They'll need to know that you are using ACH Direct's hosted Payment Gateway web form and tokenization. To learn more about what this web form is and tokenization see the FAQ addressing “Is AccountEdge a PA-DSS validated payment application?”.

TrustWave told me they cannot find AccountEdge or ACH Direct in their list of Payment Applications. What should I do?

According to PCI DSS standards, AccountEdge 2010 is not considered a payment application and is considered “out of scope” for PCI Compliance. AccountEdge does not store credit card numbers and when entering a credit card number, you're not actually entering the card into AccountEdge but, instead, into ACH Direct’s Payment Gateway web form. Once complete, AccountEdge stores a token (an ID number that represents the credit card used) for use with future transactions. When a user processes a payment with the same credit card, a corresponding token is used to tell ACH Direct's Payments Gateway which credit card to charge.

Am I required to complete a PCI Self Assessment Questionnaire (SAQ) and a quarterly network scan?

According to Visa, Level 4 merchants "may" be required to complete an SAQ and Quarterly Scan depending on your merchant account "Acquirer". Global Payments, the processor/acquirer providing your merchant account with ACH Direct, requires all merchants, including Level 4 merchants, to complete an SAQ and Quarterly Scan.

ACH Direct has partnered with TrustWave to assist merchants in fulfilling their PCI requirements, which includes the annual SAQ and quarterly scans. Their TrustKeeper PCI Wizard will assist you through the process. TrustWave is also available to answer questions regarding the completion of your SAQ.