RECUR360PAY - PCI Compliance - Security Metrics

11 min. readlast update: 10.17.2023

General Questions

Monthly Fee for PCI Service 

Q: Why the monthly charge for PCI Service?

A: Your software's payment solution, in partnership with Security Metrics, ensuresyour Payment Card Industry security. This involves necessary forms andvulnerability scans to safeguard card data. The fee covers these services.

Monthly Fee for PCI Non-Compliance and How to Avoid It

Q: Why the monthly fee for PCI Non-Compliance? How to avoid it?

A: The presence of a monthly fee for PCI Non-Compliance is connected to therequirements set forth by card brands like Visa, Mastercard, and others. When youpartner with your software's payment solution, the responsibility falls on us toensure that your payment processing adheres to these security standards. The feeemerges when either evidence of compliance is lacking or certain mandatedmeasures aren't in place. This fee, in turn, gets passed on to you as a merchant.To prevent incurring this fee, it's crucial to furnish the necessary proof ofcompliance through Security Metrics. This attestation demonstrates yourcommitment to meeting the required PCI standards.

Understanding PCI Participation and Requirements

Q: Why the monthly fee for PCI Non-Compliance? How to avoid it?

A: PCI, or Payment Card Industry, includes major card brands like Visa,Mastercard, Discover, American Express, and JCB. They've set up comprehensivesecurity rules, the PCI Data Security Standards (PCI DSS), to protect card info intransactions. Your participation is crucial as your software's payment solution,partnered with Fullsteam, helps gather and report compliance to these brands. Asa card data handler, annual validation of adherence is necessary. You can chooseSecurity Metrics for this, but it's not obligatory. Regardless, you need to submit anAttestation of Compliance and complete a Self-Assessment Questionnaire.Quarterly scans are essential too, finding and addressing security gaps.

Buying Security Metrics' Products for Compliance

Q: I'm being asked to buy extra products from Security Metrics to be compliant. DoI have to buy them?

A: You might be advised to buy extra products from Security Metrics forcompliance. Note that your software's payment solution, powered by Fullsteam,already covers many required PCI services: support, Self-AssessmentQuestionnaire documentation, and quarterly vulnerability scans. If specific securitycontrols are lacking, Security Metrics could offer additional products to fill thosegaps. Remember, these purchases aren't mandatory. The key is having necessarysecurity controls in place. You can achieve this through Security Metrics, your ownmethods, or other providers. 

See the table below for more products they might suggest.

Already Having a Security Metrics Account - Next Steps

Q: If I already have a Security Metrics account, what's the procedure?

A: If your Security Metrics account is established with the same credentials(Merchant Identifier, contact info), it's probable Fullsteam couldn't onboard you.Contact Fullsteam support at 801.705.5700 or support@securitymetrics.com. We'llrequest Security Metrics to shift you under our partnership for compliance datatransfer.If your account holds different boarding details, Fullsteam likely boardedyou with our info. Reach out to Fullsteam support. We'll ask Security Metrics totransfer compliance data to the new account and close the old one.

Providing Your IP Address for Security Metrics Questionnaire

Q: Security Metrics is requesting my IP address. What is that, and how can Ilocate it?

A: Your IP address functions as your computer's distinct label on the Internet,allowing communication with your systems. Security Metrics requires this toconfigure scans and bolster protection against unauthorized access. To find it,open a web browser (e.g., Internet Explorer, Chrome, Firefox) and visitwww.whatismyip.com. The page will display a sequence of four numbersseparated by periods (like ###.###.###.###). This entire set is your IP address. Amasked example is provided below.

No Response from Security Metrics Support

Q: I raised a support ticket with Security Metrics, but I haven't received anyresponse. What should I do now?

A: It's important to note that Security Metrics doesn't send confirmation upon ticketreceipt. They strive to address all tickets within 48 hours, Monday through Friday.If this period lapses without a response, contact their support line and provide yourmerchant identifier to request an update. If the situation requires escalation, get intouch with Fullsteam support. We'll directly contact Security Metrics on your behalfto elevate the matter and ensure resolution.

Having Compliance with Another Vendor

Q: I've achieved compliance through a different vendor. What's my next step?

A: After your transition to Security Metrics, confirm the active and updated statusof your Attestation of Compliance (AOC), which encompasses the Self-Assessment Questionnaire (SAQ) and scans, if applicable. Subsequently, emailsaq@securitymetrics.com, outlining the need to refresh your compliance data inthe merchant portal. Make sure to include your merchant identifier ([portfoliocompany].[company name].[number]).

Opting Out of Security Metrics Compliance Program

Q: I've chosen not to participate in the Security Metrics compliance program. Do Ineed to take any additional steps?

A: Every organization handling cardholder data is responsible for maintainingrelevant controls and validating them annually. Opting out removes the monthlyfee and disengages you from using Security Metrics' platform for annual validationdocumentation. While Fullsteam, in partnership with Security Metrics, overseescompliance monitoring and reporting, you aren't obligated to use their platform forcompleting a Self-Assessment Questionnaire (SAQ) or ASV scan.

For the SAQ, you can access the appropriate form from the PCI SSC's documentlibrary (https://www.pcisecuritystandards.org/document_library/) and populate it asneeded. If an ASV scan is required, you can choose a vendor that aligns with yourbusiness needs. Even if you've opted out, Fullsteam is still responsible forreporting each merchant's compliance status. If you've opted out, kindly send yourcompliance documents to saq@securitymetrics.com, including quarterly scans andthe annual Attestation of Compliance (AOC), if applicable. This allows us to fulfillour reporting obligations effectively.

Contacted by Another Vendor for PCI Compliance

Q: A different vendor contacted me regarding PCI compliance. How should Irespond?

A: Security Metrics is the sole authorized PCI vendor for our merchants. Avoidsharing sensitive details with other parties to safeguard your information.

Cardholder Environment Scoping Questions

Understanding Cardholder Data Processing Questions

Q: While completing my responses, I'm encountering a series of questions aboutprocessing cardholder data. Could you clarify the distinctions between them?

A: These questions are tailored to your specific cardholder data handling. Giventhe extensive 400+ questions in the full PCI DSS, not all are relevant to everyone.Responding to each helps remove irrelevant queries, expediting your responsetime. Below, you'll find the questioned area and available choices. Our guidance,indicated by a ~ in italics, accompanies each choice.

In your annual validation's initial phase, you can select up to four payment datamethods: Terminal, Computer, eCommerce, Mobile Device. You can choose morethan one method. Our guidance, marked with ~ in italics, will assist you.

Terminal

~This is referring to the type of payment terminal that you use, which usually sitsnext to your point-of-sale system machine and connected to the internet and/oryour computer system or via a phone line. Select all that apply to your interactionwith cardholder data

My terminal(s) use an Internet connection.

My Internet connection is used for multiple business purposes.

My Internet connection is only used for the terminal(s).

My terminal is connected to an analog phone line.

My terminal is wireless and connects to a cell tower.

I use an imprint machine (knuckle buster) or manually enter credit card data.

I use my acquirer's touch-tone system to process cards.

My terminal features validated P2PE(point-to-point encrypted) hardware

Computer

~This is referring to an actual computer or laptop. In these cases you will eitherhave a dedicated system that ONLY processes cardholder data, a computer thatruns an application, OR a computer that you would use to connect to an externalweb page to take payments for services and goods. 

Virtual Terminal (VT) is a method you would use if you navigate to a web browserand are presented with a method to enter card data which is virtual. If you closethe browser window or computer, the VT is gone. Note, this is different than an e-commerce.

I use a Virtual Terminal

I use a single VT for processing and have no other devices using that internetconnection

~This means that the computer which runs the VT is isolated on the networkand there is nothing else on it. If there are other devices on the SAME networkthis choice should not be used.

My VT is on a shared network with multiple computers.

~This should be selected if you have more than JUST Point of sale devicesconnected to the SAME network.

I have a USB swipe device or card reader attached to my VT.

~If you have a terminal that you use for collection of cardholder data and itfeeds the data into the VT, this should be selected as well as all otherapplicable responses.

I use a Point-of-Sale on a computer or a separate integrated-register (touch-screen) system.

My POS system batches (stores) cardholder data.

My POS system tokenizes (does not store) cardholder data.

~In both cases provided, you will need to contact your point-of-sale vendor toobtain if the point-of-sale application you use stores cardholder data, stores apayment token, or stores either. It may be possible that none of these areapplicable to your POS solution.

eCommerce

~This payment method denotes that you employ the use of a web page for takingpayments. The website is either hosted by you or a third party. 

I have an eCommerce website. 

I accept payments through my own website

My website uses Direct Post/Transparent Re-Direct.

~When a user connects to your webpage for payment, their browser is sent toa third party for processing of the payment functions

I accept payments using an I-Frame from a 3rd party source

~When a customer connects to your website for payment, their browser is stillconnected to your site, however there is an iFrames embedded into yourpayment page that accepts the cardholder data.

I accept payments through a 3rd Party Store (Amazon, Etsy, etc.)

I accept payments through a 3rd Party Link (Paypal Button, etc.)

I accept payments through a 3rd Party Re-Direct (Payment page on anotherwebsite e.g. authorize.net, sagepay.co.uk, etc.)

~The preceding 3 are unlikely used for processing of payments with Fullsteam.

Mobile Device

I process cardholder data using a smartphone or tablet. 

~This payment method is typically a device that plugs into your phone or tabletsuch as the Square solution.

The swipe equipment I have encrypts at point-of-swipe.

The swipe equipment I have does not encrypt at point-of-swipe.

Responding to the Security Metrics PCIprovided questions.

Getting Assistance with Question Responses and Your Responsibility

Q: While completing my responses, I'm encountering a series of questions aboutprocessing cardholder data. Could you clarify the distinctions between them?

A: Throughout the assessment, a series of questions will be posed, allowing youto respond with Yes, No, or Not Applicable (N/A).

Yes: Indicates compliance, confirming the control is in place.

No: Signifies non-compliance, indicating the requirement hasn't been met.

N/A: Denotes inapplicability to your organization. For instance, if certaincontrols relate to software development and you're not involved, they aren'trelevant.

Your responsibility includes answering these questions accurately based on yourorganization's situation. If you need assistance, you can refer to the providedguidance or reach out to the designated support channels.

Here's a concise breakdown of the responsibilities for each section:

Policy

Merchants: Develop and maintain policies to address all relevant PCI DSSrequirements.

Stored Data

Merchants: Provide data based on methods and processes.

Your software's payment solution: Provide data storage details to themerchant.

Transmission

Merchants: Answer questions about end user messaging protocols.

Fullsteam: Manages encryption of cardholder data during processing.

Data Access

Merchants: Responsible for access to data, unless POS provider handlesusernames and passwords.

Physical Access

Merchants: Control physical access to cardholder data environment.

Anti-virus

Merchants: Responsible for POS and computer devices, unless POS providermanages.

Stored Data

Merchants: Responsible for all stored data.

Your software's payment solution: Can provide data about POS and cardholderdata storage.

Firewall

Merchants: Set up and configure firewalls, unless POS provider handles.

Unique ID

Merchants: Responsible for usernames and account setup.

Vendor Defaults

POS Provider: Direct who changes vendor defaults.

Development

POS Provider: Advise on POS system patch management.

Merchants: Responsible for secure software development if applicable.

Testing

Merchants: Responsible for security testing.

Logging

POS Provider: Can provide logging attribute details.

Merchants: Responsible for logging, unless POS provider handles.

These responsibilities guide compliance with PCI DSS requirements.

Third Party Service Providers

Guidance on Answering Questions About Third Parties

Q: I'm required to provide details about third parties I use. Can you guide me onhow to answer these questions?

A: Toward the end of your assessment, you'll encounter questions about thirdparties involved in collecting payment card data. Our guidance is indicated by a ~in italic font to assist you in responding effectively.

Guidance for Providing Third-Party Information

Payment Gateway

~Your response should be Fullsteam.

Web Host

~If you utilize a third party to host your web-based payment application, list theirname(s) here.

Shopping Cart

~If a third party provides your shopping cart services for payment and customerinfo collection, list their name(s) here.

Co-Location

~If you use an off-site third-party location for hosting payment processing andwebsite, list their name(s) here.

Point-of-Sale Terminal

~List all types of POS terminals you use here.

Payment Application

~Specify your point-of-sale software's name here.

These details help ensure accurate representation of third-party involvement inyour payment processes.

Was this article helpful?