PCI DSS COMPLIANCE
BestMerchantRates.com Statement Concerning PCI DSS:
We realize that in a tough economic climate, it is very difficult to pass on more fees to our valued customers. However, we believe that if you understand what is at stake and the risk involved if you fail to maintain PCI DSS compliance, you’ll see the value in paying a reasonable cost for this service.
The major card brands (MasterCard Worldwide, Visa, American Express, and Discover) have mandated that all merchants who store, transmit or process cardholder information must maintain compliance with the PCI DSS (Payment Card Industry Data Security Standard). In order to ensure compliance and avoid costly fines to merchants, your processing bank has established a relationship with SecurityMetrics, a leading provider of PCI audit and scan services. In short, they will help you stay compliant with all the security standards. SecurityMetrics will be contacting you to begin analysis of your merchant account and guide you through the completion of your PCI DSS self-assessment questionnaire. If you have further questions about this program, SecurityMetrics can be reached online at www.securitymetrics.com or toll free at 800-557-4684.
BUT OTHER MERCHANT SERVICES PROVIDERS ARE OFFERING PCI DSS COMPLIANCE FOR FREE!
Many customers have informed us that they are able to receive these PCI DSS Compliance Services for FREE from other merchant services providers. A word of caution! We’ve said it from day one in this industry: “There is no free lunch!” Our mission is to provide The Best Merchant Rates for everyone, not just the big companies doing hundreds of thousands of dollars in sales per month. What the other guys won’t tell you is that they can waive your PCI DSS fee because they’ll make it up (and then some) in the rates and other hidden fees. So we respectfully ask you to consider the following question: Would you rather have rock bottom rates and save money every day, or would you rather have a free one-time PCI DSS fee? The choice is yours. And we thank all of our loyal customers who have remained with BestMerchantRates.com over the years for supporting our efforts to give Large Corporate Pricing® to Everyone!
WHY SHOULD YOU CARE ABOUT THE IMPORTANCE OF PCI DSS COMPLIANCE?
A major court ruling in the past year drives home the importance of this issue and why you should be concerned. We would encourage you to read the following article from Consumer Affairs which stresses the legal impact this issue has on your business. http://www.consumeraffairs.com/news04/2009/06/tjx_settlement.html
FREQUENTLY ASKED QUESTIONS
What is PCI DSS?
PCI stands for Payment Card Industry. DSS stands for Data Security Standard. PCI DSS is a set of rules and regulations for enhancing payment account data security. The standards for PCI DSS were created by the PCI Security Standards Council, which comprises American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, Inc. PCI DSS promotes industry “Best Practices” in the handling of sensitive card information with the intent of decreasing identity theft and fraud.
When Was PCI DSS Developed?
PCI DSS has existed for some time. However, up until this point, each card brand (e.g. American Express) operated its own program and sought to promote the adoption of a uniform industry standard.
I Only Process A Small Amount of Credit Card Dollars Each Month. Does My Merchant Account Still Need to Be PCI Compliant?
Yes, all merchants, whether small or large, are required to be PCI Compliant.
I Already Use a PCI Compliant Terminal or Gateway With My Processor. Doesn’t That Mean I Am PCI DSS Compliant?
No. The terminal or gateway is only one aspect of the PCI DSS requirements, which cover the complete handling of sensitive data. Currently the PCI DSS standard consists of 12 requirements. These requirements are organized around the following categories:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Can I Choose Not to Participate In Your Program or Be Certified?
No. The program being offered by your processing bank through SecurityMetrics is mandatory. If you choose not to complete the self-assessment questionnaire (and applicable network scans) you may overlook certain data security practices that minimize your risk of a security breach. In the event that your business is compromised, you may be subject to fines up to $500,000 per payment brand. These fines would be in addition to the expenses and fraudulent transactions resulting from the breach.
In light of the importance that data security has to the payment industry and consumers at large, your processing bank may also begin imposing a fee for each month in which your account has not been validated as PCI Compliant or is deemed non-compliant. Continued failure to validate compliance may result in the termination of your merchant account.
Can I Opt Out of Your Program if I Am Already Certified?
Yes. You have 30 days from the date that your account is approved with BestMerchantRates.com to provide your current compliance certificate. Once we have verified your certification, you may opt out of the SecurityMetrics program and you will not be charged the Annual PCI DSS Compliance Fee for the year in which you have already been certified as compliant.
What Do I Need To Do To Validate My PCI DSS Compliance?
Your processing bank has established a relationship with SecurityMetrics, Inc., a leading provider of PCI audit and scan services. SecurityMetrics’ service includes: assistance in determining which version of the Self-Assessment Questionnaire is appropriate for your business; administration of any applicable network scans; guidance on any necessary remediation efforts; and certification and validation of your account’s compliance. Through SecurityMetrics’ PCI Compliance Validation Service Program, these SecurityMetrics services are available to you at no additional charge. You can enroll with SecurityMetrics by going to their website www.securitymetrics.com or by calling 800-557-4684.
How Long is the PCI Compliance Certification Valid?
The PCI Compliance Certificate is valid for one year from the date the certificate is issued. To maintain your compliance, you are required to complete the PCI DSS self-assessment questionnaire annually and conduct any applicable network scan on a quarterly basis.
Do I Have To Use SecurityMetrics?
Yes. While there are other qualified security assessment companies and scanning vendors, your processing bank has selected SecurityMetrics because of the quality service they will provide and their excellent standing within the industry. If you would like to select another vendor, you will need to cancel your merchant account with BestMerchantRates.com by calling 866-576-5757. However, if you are already certified, please see the above Frequently Asked Question titled “Can I Opt Out of Your Program If I Am Already Certified.”
What If I Have Already Been Certified By Another Vendor?
Please submit your certification documentation to a BestMerchantRates.com Customer Care Representative by calling 866-576-5757. This will waive your Annual PCI DSS Compliance Fee for the current year in which you are certified as compliant.