PCI Compliance FAQs for Merchants
Frequently Asked Questions regarding PCI DSS compliance and your requirements. This information is primarily targeted at those merchants who use Forte Payment Systems (formerly known as ACH Direct) as their merchant account provider. If you are using another provider, some of the FAQs may still prove useful, but we advise you to consult your own merchant account provider (most likely the organization that sends you your monthly statement), since it is the acquirer that decides how you must validate compliance.
Whose compliance standards are these?
The Payment Card Industry Data Security Standard (PCI DSS) is a mandatory set of security requirements for any organization that stores, processes or transmits cardholder data. It is maintained by the PCI Security Standards Council, which was founded by the major card brands (Visa, MasterCard, American Express, Discover and JCB), and it is enforced on merchants by the card brands through their acquiring banks. Its objective is to reduce card data theft by requiring a baseline of security controls around every system that touches cardholder data. Read more about PCI DSS here. Both Forte and Acclivity are merely complying with these standards as enforced by Visa and MasterCard, as well as Global Payments (the back-end processor for the credit card transactions).
I thought Checkout is PCI Compliant. Why do I need to become PCI Compliant?
The software you choose to process credit cards is only one aspect of achieving PCI compliance. While Checkout complies with PCI DSS guidelines, compliance is assessed on the merchant's whole environment (the computers, network and people that handle card data), not on a single product. As a merchant handling cardholder data you are therefore also required to complete a Self-Assessment Questionnaire (SAQ) annually and, most likely, have quarterly external network vulnerability scans performed.
How do I become PCI Compliant?
You have three options to achieve PCI compliance:
(1) You complete and pass the Self-Assessment Questionnaire (SAQ) yourself, then sign the accompanying Attestation of Compliance (AOC) and submit it to your acquirer. These forms can be found on the PCI Security Standards Council's web site. While both the Acclivity Customer Care and Forte Customer Service teams may be able to answer very basic PCI-oriented questions, neither group has the level of PCI experience or training required to give you the expertise you most likely require. In other words, completing the SAQ is often not an easy process and we're not claiming to be able to provide much help.
(2) You can engage a QSA (Qualified Security Assessor) to assist you with your PCI compliance, including completing the SAQ and Attestation of Compliance. The quarterly network scans must be performed by an Approved Scanning Vendor (ASV); many QSAs, including TrustWave, are also ASVs. Lists of approved QSAs and ASVs can be found on the PCI Council's website.
(3) Due to the complexity of becoming PCI compliant and the difficulty in navigating the different questionnaires, Forte has negotiated a special rate for Checkout customers for TrustWave's compliance assistance services. TrustWave is a trusted leader in the compliance industry.
TrustWave's TrustKeeper service includes:
- Assistance with completing the required Self-Assessment Questionnaire and Attestation of Compliance
- Quarterly external network vulnerability scans. These scans are required for merchants whose card-processing environment is reachable from the internet. The scan is run from outside your network against your public IP addresses, so no software needs to be installed. Purchased on their own from an Approved Scanning Vendor, the scans typically cost $20-40 per quarter.
You can get started with TrustKeeper here.
How Can I Determine Which Self-Assessment Questionnaire I am required to complete?
TrustWave's TrustKeeper wizard steps you through a series of questions to determine what level of merchant you are and which questionnaire you are required to complete. The service then walks you through the questions in that SAQ and assists you with becoming compliant.
If you are planning to complete the Self-Assessment Questionnaire manually, you will first need to determine which questionnaire applies to you. On the PCI Security Standards Council's website, you will see the various SAQ types, each of which has eligibility criteria describing how the merchant accepts cards.
Most merchants using the latest versions of Checkout will fall under SAQ validation type 4 or 5, which correspond to SAQ C or SAQ D. Classification depends primarily on how your card-processing computer is connected to the rest of your business network. Note that the SAQ list has been revised over time; if the only way you enter card data is by keyboard into a web-based virtual terminal on a dedicated computer, also check whether the SAQ C-VT variant applies to you.
For example: if the computer processing credit cards is on the same network as your other computers (that is, there is no network segmentation isolating it), it does not meet the eligibility criteria for the simpler questionnaires and you will be required to complete SAQ D, which tends to be more technical and complicated. Keeping the card-processing computer on its own segmented network, with nothing else on it, is what allows the shorter questionnaire.
What are Quarterly Network Scans?
Merchants using a computer to process credit cards over an internet connection are required to have quarterly external network vulnerability scans performed. These scans probe your public-facing IP addresses from outside your network, without the need to install any software, and must be performed by an Approved Scanning Vendor (such as TrustWave) for the results to count toward your validation. A passing scan is one with no vulnerabilities rated medium or higher; if a scan fails, you fix the findings and rescan.
In most cases, the cost of these scans alone is similar in price to the TrustWave service, which also includes assistance with your Self-Assessment Questionnaire. Forte has negotiated a special rate for Checkout customers for this TrustWave service.
What version of the software do I need to be using in order to be PCI compliant?
Is Checkout a PA-DSS validated payment application?
No. Under PA-DSS, a payment application is software that stores, processes or transmits cardholder data as part of authorization or settlement. Checkout does none of these: card entry is handed off to Forte's PCI compliant hosted payment web form, so the card number never passes through Checkout. Checkout therefore cannot be (and does not need to be) a validated payment application. When filling out your SAQ (Self-Assessment Questionnaire) or working with TrustWave or another QSA (Qualified Security Assessor), you should choose "I use a computer and a virtual terminal (aka hosted order page)".
Why don't I see Checkout in the list of payment applications in the TrustWave's TrustKeeper PCI Wizard?
Checkout is not considered a payment application because of the way it allows you to process your credit card transactions. Checkout does not store credit card numbers, and when entering a credit card number you are not actually entering the card into Checkout but into Forte's Payment Gateway web form, which is hosted by Forte.
When completing your SAQ (Self Assessment Questionnaire) you can select the 2nd option: "I use a computer and a virtual terminal (aka hosted order page)".
If you already selected the answer "I use a point-of-sale (POS) device... or a payment application" in the question above, when you get to the step where you would enter the name of the payment application, you can click Cancel on this step.
If you need to speak with TrustWave or another Qualified Security Assessor, remember that Checkout uses Forte's hosted payment page through their Payment Gateway/Virtual Terminal. For more information, see the FAQ regarding Tokenization and Forte's Payments Gateway Hosted web form.
I have other questions or need help filling out the SAQ (Self Assessment Questionnaire). Who can I speak to?
If you've enrolled in TrustKeeper through Forte's partnership with TrustWave, you can contact TrustWave who has been tasked with helping merchants become PCI compliant. To contact TrustWave, log into TrustKeeper and choose the Support link.
When speaking to TrustWave, they may ask which payment application you're using. They'll need to know that you are using Forte's hosted Payment Gateway.
TrustWave told me they cannot find Checkout or Forte in their list of Payment Applications?
Under PCI DSS, Checkout is not considered a payment application, so the Checkout software itself is "out of scope": it is not subject to PA-DSS and will not appear in any list of validated payment applications. Checkout does not store credit card numbers, and when entering a credit card number you are not actually entering the card into Checkout but, instead, into Forte's Payment Gateway web form. This does not remove your own obligations as a merchant; the computer and network you use to reach that web form are still in scope, and your SAQ and quarterly scans are still required.
Am I required to complete a PCI Self Assessment Questionnaire (SAQ) and a quarterly network scan?
According to Visa, Level 4 merchants "may" be required to complete an SAQ and quarterly scan depending on your merchant account acquirer. Global Payments, the processor/acquirer providing your merchant account with Forte, requires all merchants, including Level 4 merchants, to complete an annual SAQ and quarterly scans.
Forte has partnered with TrustWave to assist merchants in fulfilling their PCI requirements, which includes the annual SAQ and quarterly scans. Their TrustKeeper PCI Wizard will assist you through the process. TrustWave is also available to answer questions regarding the completion of your SAQ.