Q: What is PCI?
A: The Payment Card Industry (PCI) is a global organization that develops and maintains security standards to protect payment card information. PCI standards help businesses secure cardholder data, reduce the risk of data breaches, and build customer trust with a safer payment environment.
Q: What is a Self-Assessment Questionnaire (SAQ)?
A: A Self-Assessment Questionnaire (SAQ) is a tool from PCI to help businesses assess their compliance with PCI Data Security Standards. It includes questions that guide you in evaluating your data security practices and identifying areas for improvement to meet PCI requirements.
Q: What is the difference between SAQ B-IP and SAQ P2PE?
A: SAQ B-IP applies to merchants using standalone IP-connected terminals (like the FD150) that encrypt data but are not part of a validated Point-to-Point Encryption (P2PE) solution. P2PE requires additional layers of security and certification, including end-to-end encryption control, chain-of-custody requirements, and rigorous device management standards. SAQ P2PE is for merchants who use fully validated P2PE solutions, which offer more extensive data protection by ensuring that encrypted card data remains secure from the point of interaction through to the payment processor.
Q: Why is the FD150 no longer P2PE approved?
A: The FD150/FD130 does not meet the criteria for P2PE compliance, because:
- Scope Reduction: The merchant environment remains in PCI DSS scope.
- End-to-End Encryption: The terminal lacks full management of encryption and decryption.
- PCI P2PE Validation: The solution is not certified by the PCI Security Standards Council.
- Chain of Security: Security controls from manufacturing through device management are insufficient.
Q: What is an ASV?
A: An Approved Scanning Vendor (ASV) is a PCI-certified company authorized to perform vulnerability scans on businesses' external networks. These scans identify potential security weaknesses, helping businesses secure cardholder data and meet PCI compliance requirements.
Check out the ASV Resource Guide to learn more.
Q: What does PCI-PED mean, and why is it important?
A: PCI-PED (Payment Card Industry - PIN Entry Device) is a security standard for devices that accept PINs during transactions. It ensures the device protects PIN data from tampering, helping to secure customer data, prevent fraud, and support safe transactions.
Q: What is the difference between the FD130 and the FD150?
A:
- Processing Power: The FD150 has a faster processor for efficient transaction handling.
- Memory: The FD150 has double the memory of the FD130, improving performance.
- PCI-PED Compliance: The FD150 meets PCI-PED version 5.x standards, providing enhanced security.
- End of Life: The FD130 is at end-of-life, meaning it will no longer receive support, while the FD150 will continue to be supported.
Q: What is an Uninterruptible Power Supply (UPS) and why use it instead of an outlet?
A: A UPS keeps your payment equipment, like the FD150 and E300, running during power surges or outages, preventing transaction interruptions. This helps avoid lost sales, double charges, and downtime, protecting both your revenue and the consumer’s trust.
Q: What is a Managed Firewall, and why do I need it?
A: A managed firewall is a security tool that restricts access to and from the Cardholder Data Environment (CDE) and controls data traffic. Unlike a regular firewall, a managed firewall is monitored by a dedicated team, protects sensitive data around the clock, and configures your network to help maintain PCI compliance.
Q: What will the new compliance process look like for my store?
A: Once the E300 firewall is set up and the FD150 is behind it, you’ll need to:
1. Complete the SAQ B-IP annually on Aperia's portal.
2. Schedule a quarterly vulnerability scan via Aperia’s portal.
3. Sign the attestation of compliance.
Q: How do I schedule quarterly vulnerability scans?
A: Schedule quarterly scans on Aperia's portal under the "Network Scan" banner at the top of the page.
Q: What will happen if I don’t complete the SAQ B-IP or vulnerability scans?
A: There is a $14.95 non-compliance fee if either of these requirements is not completed or a $29.90 fee if both are not completed.
Q: What should I do if I have trouble with the new FD150 terminal?
A: For issues with the FD150, please contact Fiserv’s help desk at 800-347-8224 or our Client Services Supervisor at 331-457-4800.
Q: How do I return my FD130 terminal?
A: Clark will provide a FedEx return label with your new FD150. Use it to drop off the FD130 at the nearest FedEx location.
Q: How will these changes affect my billing?
A: Clark has combined your $70 network fee, $49.99 terminal rental fee, and the $105 new firewall costs into a single monthly charge of $179.99.
Q: How will this upgrade benefit my business?
A: This upgrade offers:
- Risk Reduction: A managed firewall and regular scans help prevent costly data breaches.
- Consumer Trust: Consumers feel more secure using their cards when data protection is a priority.
- Compliance Support: Completing the SAQ and scans supports PCI compliance, reducing risks and demonstrating best practices.
Q: Who should I contact if I have more questions about this process?
A: Please contact our Client Services Supervisor at (331) 457-4800 or email us at clientservices@clarkbrands.com.