DocketPay (together with Fiserv) Guide to PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements for improving payment account data security. 

It was developed by the PCI Security Standards Council (PCI SSC) founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. 

It promotes consistent global data security measures. The standard aims to raise awareness and encourage best practices for handling sensitive information to reduce identity theft and fraud. Click here to learn more from CardConnect (Fiserv).

Any business that accepts online payments must complete a PCI DSS Compliance assessment each year to verify that they're following secure practices to protect their customers' sensitive card data. By using a PCI DSS Compliant integration in Docket (DocketPay), we are able to verify the majority of security concerns on your behalf.



However, as with any secure system, there are things that our integration and software cannot handle on your behalf, like filling out your self-assessment questionnaire. That assessment needs to be completed every year and should only take you about 10 minutes.

We've created this guide to help you work through the PCI Compliance process. If you'd rather look at the full slide deck on its own instead of the slide-by-slide breakdown below, please click here.

Please Note: This guide will show/suggest example answers that are required to be PCI Compliant, but you should only use these example answers if they apply to your business and its practices. 

Before You Start

Here are a few things to know before you continue:

Why PCI DSS Compliance is Important

Any business that accepts online payments must complete a PCI DSS Compliance assessment each year to verify that they're following secure practices to protect their customers' sensitive card data.

This helps to:

  • Protect cardholder data.
  • Prevent data breaches.
  • Reduce fraud and identity theft.
  • Meet legal and regulatory requirements.

If your business is found to be non-compliant, you could be fined significantly for the duration of your non-compliance. 

Steps to PCI DSS Compliance

There are 5 steps to ensure your business is compliant and observing the 12 PCI DSS Requirements each year.

Each of the 5 steps is listed below with all of their related links. If you'd rather look at the full slide deck on its own and use the links from there, please click here.

1) Log Into CardPointe's (Fiserv's) PCI Manager

You may have received an email from CardPointe (Fiserv) that asks you to log into their PCI Manager to complete the PCI DSS compliance process. 

CardPointe (Fiserv) sends an email to its users as they near their annual compliance renewal, so if you haven't gotten that yet, you will when it's time for you to renew your compliance.

Click here to go to CardPointe's (Fiserv's) PCI Manager and Register or Log In.

If this is the first time you're logging into CardPointe's (Fiserv's) PCI Manager, you'll first need to click "Register" and create a profile. Then you'll be able to log in on the home page.

If you've already created a profile, you can log in using your previously created Username and Password. Use the "Forgot Password" link to reset your password, if needed.

2) Confirm Your Business Profile

After you're logged into CardPointe's (Fiserv's) PCI Manager, you'll land on the home page.

Find the card titled 'Your Business Profile' and click the "Manage" button on it.

After you click "Manage" from the Your Business Profile card, you'll need to click "Re-profile" from the prompt that appears next.

The latest information for this year's PCI DSS will appear and you'll need to click "I Understand" to accept the terms.

You'll then be asked a series of questions about your business to confirm what type of Self-Assessment Questionnaire (SAQ) you'll need to fill out.

Please Note: You'll be given a couple of assessment methods at this point and we strongly suggest choosing the "Guide Me" option.

3) Qualify for SAQ A (Self-Assessment Questionnaire - Version "A")

The first question asks you "What Are The Ways You Accept Credit Cards?" 

It's very important to only select Website Payments as your answer. Since Fiserv is an online payment processing system, all transactions are considered eCommerce (online) payments even if you take a payment over the phone or in person.


The second question asks you "Does your business store any sensitive credit card data electronically?" 

You'll want to select the "None of the above" answer because the other options don't apply to your business.

Please Note: Even though you save card information in your Docket account, Fiserv is actually storing the information, not you or us.


The third question asks you about other Service Providers and Acquirers. Because DocketPay is only connected to Fiserv, you can select 'No' for both questions that appear.


The fourth question asks you to enter your business website URL(s).


The fifth question asks you for a brief summary of how and where you handle card payments. Some example answers are in the slide above. (Using your mouse or trackpad, right-click on the image above and click 'open image in new tab' to see a bigger version of the slide.)

After you've submitted your answers, you'll see the home page again and it's time to complete the next step.

4) Pass the Security Assessment

If your business qualifies for the SAQ A (Self-Assessment Questionnaire - Version "A"), you'll see that displayed on the 'Your Business Profile' card and you'll only have to complete 5 self-assessment questions.

TIP: If you don't see "SAQ A" displayed on the 'Your Business Profile' card and/or there are more than 5 Unanswered Questions displayed on the 'Complete Security Assessment' card, please repeat Steps 2 and 3 above. You can also reach out to the CardPointe (Fiserv) team at 1-877-257-0239 or ccsupport@securetrust.com for help.

To complete the self-assessment, click on "Begin Step" from the 'Your Next Step' banner at the top of your home page.


The first question asks you about the Management of System Components. Click "Yes" to confirm that you change any default passwords created for you. 


The second question asks you about Group Authentication Credentials. Click "Yes" to confirm that you don't use shared logins, or that you use them only in exceptional circumstances and document your reason(s) for doing so.


The third question asks you about Access for Terminated Users. Click "Yes" to confirm that you immediately revoke access for terminated employees.


The fourth question asks about Changing Passwords Every 90 Days. Click "Yes" to confirm that you regularly update your passwords.


The fifth question asks about Hard-Copy Materials. Click "Yes" to confirm that you destroy hard copies of card information when they're no longer needed for business or legal purposes and that they're securely stored while still needed.


After you've filled out all the necessary fields, click the "Confirm Your Attestation" button to submit the questionnaire.

Back on your home page you should see confirmation that you're compliant with this year's PCI DSS.

5) Save Your Login Information

PCI DSS compliance is only good for one year and you'll need to log back into CardPointe's (Fiserv's) PCI Manager to do this again each year.

Because of this, we strongly recommend saving your login information somewhere secure if you haven't already. Doing so will make this yearly process much smoother for you in the future!

If you have any questions, please reach out to our Support team through the chat widget on the bottom right of this page or by sending an email to support@yourdocket.com!
