FAQs
PCI General Overview
What is PCI-DSS?
The Payment Card Industry Data Security Standards (PCI-DSS) is a set of requirements for enhancing payment account data security. These standards were developed by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa International to facilitate industry-wide adoption of consistent data security measures on a global basis.
Why was PCI-DSS created?
The PCI-DSS requirements for security management, policies, procedures, network architecture, software design and other critical protective measures are intended to proactively protect customer account data.
I have never heard of PCI compliance before. Is this new?
No. Merchants have been advised to take the PCI Self-Assessment Questionnaire (SAQ) to identify potential security risks in order to achieve PCI compliance for the past 3 years. The framework of the PCI data security standards is not new and has been required in different forms for some time now and continues to evolve.
What does this mean to me and my business?
All entities, merchants and service providers that store, process, or transmit cardholder data must meet PCI-DSS requirements. Requirements for certification vary depending on the number of transactions an entity processes, and the manner in which they are processed.
Certification Questions & Procedures
Who should I contact for support in becoming PCI-DSS compliant?
Elavon has partnered with Trustwave's TrustKeeper Service® to help you evaluate the status of your account, to assist with any necessary remediation efforts and to certify your account's PCI compliance. Please contact Elavon at www.merchantconnect.com or by phone at +1 (800) 377-3962.
Do I have to use Trustwave TrustKeeper®?
No. There are over 130 approved scanning vendors, and you are free to certify with any vendor you like. A list of approved vendors is available on the card association websites or by emailing PCICompliance@elavon.com. If you choose to use a third-party QSA/ASV, you must supply proof of validation by choosing your processing method (either IP or Non-IP solutions) from the home page of this website and following the instructions until you are prompted to supply your proof of validation.
What happens if I don’t get certified?
If you do not comply with the security requirements of the card associations, you put your organization at risk of payment card compromise. In the event that your business is compromised, you may be subject to fines that range from $10,000 to $500,000 or more per incident. You will also be liable for the cost of the required forensic investigations, fraudulent purchases, and the cost of re-issuing cards. You may also lose your credit card acceptance privileges.
Elavon will impose additional fees for each month in which your account has not been validated as PCI compliant, or in which your account is deemed non-compliant. Once you obtain compliant status, you must maintain it in order to avoid this fee in the future.
What am I required to do to become PCI Compliant?
The minimum requirement for a level 4 merchant is to complete a PCI-DSS Self-Assessment Questionnaire (SAQ) on an annual basis and achieve a passing score. If you electronically store cardholder information or if your processing systems have any internet connectivity, a quarterly network vulnerability scan by an approved scanning vendor is also required.
Which PCI Self-Assessment Questionnaire (SAQ) do I need to complete?
The PCI Self-Assessment Questionnaire is a list of questions used to assess your compliance with the requirements of the PCI-DSS. In February of 2008, the PCI Security Standards Council released four versions of the questionnaire to account for different merchant environments.
1. SAQ A: Addresses requirements applicable to merchants who have outsourced all cardholder data storage, processing and transmission.
2. SAQ B: Created to address requirements pertinent to merchants who process cardholder data via imprint machines or standalone dial-up terminals only.
3. SAQ C: Constructed to focus on requirements applicable to merchants whose payment application systems are connected to the Internet.
4. SAQ D: Designed to address requirements relevant to all service providers defined by a payment brand as eligible to complete an SAQ, and to those merchants who do not fall under the types addressed by SAQ A, B or C.
What is a Quarterly Network Vulnerability Scan?
A vulnerability scan is an automated, non-intrusive scan that assesses your network and Web applications from the Internet (on the external-facing IPs). The scan identifies vulnerabilities or gaps that may allow an unauthorized or malicious user to gain access to your network and potentially compromise cardholder data. The scans provided by Trustwave do not require you to install any software on your systems, and no denial-of-service attacks are performed.
Is there an additional cost for quarterly scans?
For merchants who require quarterly scans, any associated cost is built into the price quoted upon enrollment with Trustwave TrustKeeper®. If additional IP addresses are added to your business between scans, there may be additional costs. Contact Trustwave or your chosen third-party QSA/ASV to discuss what options are available.
What if I fail the scan?
Failing the network vulnerability scan means that the scan discovered vulnerabilities of high severity in your network. TrustKeeper will help guide you to remediate a failed scan and work toward achieving compliance. First, log in to TrustKeeper to review the scan results. The report provides a description of the identified issues and resources to begin fixing the problems. You will need to address each of the problems and then schedule a directed scan to confirm that your remediation meets the PCI-DSS.
What is a Directed Scan?
A vulnerability scan will often discover vulnerabilities that must be resolved in order to maintain compliance. Once you resolve these vulnerabilities, a directed scan can be run at your request to verify that the compliance issues have been resolved. You may also run a directed scan after making changes to your network to ensure that the changes have not affected your compliance status. Directed scans are additional scans above and beyond the regular quarterly scans.
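The three answers above (what a scan looks at, what a failed scan means, and what a directed scan re-checks) describe a simple triage loop: read the findings against the external-facing hosts, fix the high-severity ones, then re-verify. The script below is an added illustration of that loop, not code from Elavon, Trustwave or TrustKeeper. It assumes a scan report is a list of findings with a host, port, title and CVSS base score, and the pass/fail threshold is an assumption taken from the PCI ASV Program Guide (a CVSS base score of 4.0 or higher fails), not a value stated on this page; the hosts and findings are constructed sample data.

```python
"""Triage of an external (ASV-style) vulnerability scan report.

Added illustration, not Elavon's or Trustwave's code. Assumes the report
is a list of Finding records; FAIL_THRESHOLD is an assumed ASV threshold
(PCI ASV Program Guide: CVSS base score >= 4.0 fails), not from this page.
"""
from collections import defaultdict
from dataclasses import dataclass

FAIL_THRESHOLD = 4.0  # assumed ASV failing threshold (CVSS base score)


@dataclass(frozen=True)
class Finding:
    host: str     # external-facing IP the scan assessed
    port: int
    title: str
    cvss: float   # CVSS base score reported by the scanner


# Constructed sample report (documentation address range, made-up findings).
SAMPLE_REPORT = [
    Finding("203.0.113.10", 443, "TLS 1.0 enabled", 4.3),
    Finding("203.0.113.10", 443, "Missing HTTP security header", 2.6),
    Finding("203.0.113.11", 22, "SSH weak MAC algorithms", 2.6),
    Finding("203.0.113.12", 3389, "RDP exposed to the Internet", 7.5),
]


def failing_findings(report):
    """Findings at or above the failing threshold, grouped by host."""
    by_host = defaultdict(list)
    for f in report:
        if f.cvss >= FAIL_THRESHOLD:
            by_host[f.host].append(f)
    return dict(by_host)


def scan_passed(report):
    """A scan passes only when no finding reaches the failing threshold."""
    return not failing_findings(report)


def remediation_checklist(report):
    """(host, port, title) tuples to fix before requesting a directed scan,
    most severe first so the largest gaps are closed first."""
    fails = [f for group in failing_findings(report).values() for f in group]
    fails.sort(key=lambda f: f.cvss, reverse=True)
    return [(f.host, f.port, f.title) for f in fails]


def rescan(report, fixed_titles):
    """Model a directed scan after remediation: findings whose titles are in
    fixed_titles are treated as resolved; everything else is re-reported."""
    return [f for f in report if f.title not in fixed_titles]


if __name__ == "__main__":
    print("quarterly scan passed:", scan_passed(SAMPLE_REPORT))
    for item in remediation_checklist(SAMPLE_REPORT):
        print("fix before directed scan:", item)
    after = rescan(SAMPLE_REPORT, {"RDP exposed to the Internet", "TLS 1.0 enabled"})
    print("directed scan passed:", scan_passed(after))
```

Low-severity findings (below the threshold) do not block the scan but are still reported, so a real remediation plan would keep them in a backlog rather than discard them; the checklist here deliberately shows only what stands between the merchant and a passing directed scan.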
What if I am required to upgrade my equipment or software to become compliant?
As part of becoming PCI compliant you may be required to upgrade your equipment and/or software to a PCI-DSS certified version. You must contact your equipment and/or software vendor to discuss what options may be available and the costs associated with those options, if any. The cost associated with any equipment and/or software upgrade will not be covered by Trustwave or Elavon.
How long is the PCI compliance certification valid?
How long a PCI compliance certificate remains valid depends on whether your business requires only the questionnaire or also the scans. If your business requires only the annual questionnaire, PCI certification is valid for one year. If your business requires quarterly scans, PCI certification is valid for three months, at which time your next quarterly scan is due. If you change the manner in which you store, process or transmit cardholder data, you may increase the vulnerability of your business and must contact Trustwave or your third-party QSA/ASV for recertification.
Once my business becomes PCI-DSS compliant, does that prevent a security breach from happening?
These actions help prevent security breaches but do not guarantee that your business will not be breached. If you change the manner in which you store, process or transmit cardholder data, you may increase the vulnerability of your business. Also, just as anti-virus and firewall software require regular updates, data security is continually subject to new threats. We encourage you to stay up to date on data security requirements.
Merchant already certified and currently compliant
What if I have already performed my PCI Compliance self-assessment questionnaire (and applicable quarterly scans)?
If you have already validated PCI compliance for your business through a PCI program other than Elavon's, you must supply proof of validation by choosing your processing method (either IP or Non-IP solutions) and following the instructions until you are prompted to supply your proof of validation.
If I change the way in which my business stores, processes, or transmits cardholder data am I required to re-certify?
If you change the manner in which you store, process or transmit cardholder data, you may increase the vulnerability of your business and must contact Trustwave or your chosen third-party QSA/ASV for recertification.
Is there an additional cost if I change the manner in which my business stores, processes or transmits cardholder data?
Depending on how you change your processing, there may be an additional charge. To determine what additional charge, if any, may be incurred, contact Elavon, Trustwave or your chosen third-party QSA/ASV.