Frequently Asked Questions
Have a question? Look for the answer in our FAQ.
How do I log in to www.myControlScan.com?
If this is your first time accessing the portal, you should enter your username and password. Your username is your merchant ID number and the initial password is 123MYPCI (case sensitive). If you have previously visited the portal, you should log in using your existing username and password. Your merchant ID may be found at the top of your monthly processing statement. Your merchant ID may also be found on your initial welcome letter or on your terminal sticker (if applicable). You can also contact Customer Service to obtain this information.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment and prevent credit card fraud. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). Essentially any merchant that has a Merchant ID (MID) is required to meet PCI compliance requirements.
Why haven’t I heard anything from the card brands regarding PCI compliance?
The individual card brands are requiring that the Merchant Banks/Processors implement individual PCI compliance programs to educate merchants on compliance and ensure that they meet PCI compliance requirements. They have required that all Merchant Banks/Processors have a plan in place to ensure that all of their merchants obtain and maintain compliance with the standard. Most of the breaches you hear of in the news are at large retailers, but many people do not realize that over 80% of compromises occur at small merchant locations.
Can I just download a form from the web and fill it out?
It is extremely difficult to complete the standard PCI Self Assessment Questionnaire without assistance; it is written in very technical language. We have partnered with ControlScan to assist you in the compliance process and offer support to you as you complete the SAQ. Many of the questions in the SAQ require that you have a written Security Policy in place and formal Security Awareness Training in place. Without a resource to assist in building the required Security Policy and conducting the formal training, this would be a very time-consuming and costly task to complete.
If I only accept credit cards over the phone, does PCI still apply to me?
All businesses that store, process or transmit payment cardholder data must be PCI Compliant.
What does the PCI Compliance Service fee cover?
The PCI Compliance Service fee brings you a comprehensive PCI Program with the tools and support necessary to analyze, remediate, and validate your PCI compliance, such as a PCI Self Assessment Questionnaire, Vulnerability Scanning, Security Policy Builder and Security Awareness Training; equipment discounts for TDES pin pad upgrades; ongoing compliance support; and our new Breach Protection Program.
On our end, we continue to maintain our PCI certification. This has included updating terminal software nationwide and remedying all terminal compliance issues. We’re also proud to have a support staff dedicated to ensuring merchant and agent compliance.
The PCI Compliance Service fee does not in any way imply, insure or provide compliance with PCI or FACTA requirements. Merchants are required to take the steps necessary to ensure they are in compliance with PCI DSS and FACTA based on their specific payment acceptance procedures, and to understand that failure to do so makes them vulnerable to the associated risks.
Explore this website to understand more completely the PCI DSS and FACTA requirements as well as Visa and MasterCard’s guidelines.
How do I get the certificate of compliance?
Retail merchants: (Imprint only, stand-alone dial-up terminal, no cardholder data storage)
Retail merchants are required to complete the Self Assessment Questionnaire (SAQ). We have partnered with ControlScan, a leading provider of Payment Card Industry (PCI) compliance and security solutions, to give our merchants a comprehensive package to meet mandatory PCI requirements set forth by the PCI Security Standards Council (PCI SSC). Simply click on the “Validate Your PCI Compliance” button from this website to begin the process. After completing the online Self Assessment Questionnaire you will have the ability to print a Compliance Certificate.
E-Commerce Merchants: (Merchants with external facing IP addresses, Online/Internet connectivity, MOTO, Software, etc.)
E-Commerce merchants are required to complete both the Self Assessment Questionnaire and a quarterly vulnerability scan. We have partnered with ControlScan, a leading provider of Payment Card Industry (PCI) compliance and security solutions, to give our merchants a comprehensive package to meet mandatory PCI requirements set forth by the PCI Security Standards Council (PCI SSC). Simply click on the “Validate Your PCI Compliance” button from this website to begin the process. After completing the Self Assessment Questionnaire and vulnerability scan, you will have the ability to print a Certificate indicating your results.
What is the Payment Card Industry Data Security Standard (PCI DSS)?
The PCI DSS is a set of comprehensive requirements to help ensure the safe handling of cardholder data throughout the payments chain. It was developed by PCI Security Standards Council (PCI SSC), which is a consortium comprised of the five major payment brands including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International.
Who needs to comply with the PCI DSS?
All organizations, regardless of size or number of transactions, that process, store or transmit cardholder data must comply with the PCI DSS. Essentially, all merchants with a Merchant Identification number (MID) and all service providers that touch cardholder data are required to comply with the PCI DSS.
What happens if I do not comply?
Merchants that do not comply with PCI DSS may be subject to fines, card replacement costs, costly forensic audits, brand damage, etc., should a breach event occur. Many acquiring banks are issuing fines for merchants who do not comply with PCI. For a little upfront effort and cost to comply with PCI, you greatly help reduce your risk from facing these extremely unpleasant and costly consequences.
Merely using a third-party company does not exclude a company from PCI compliance. It may cut down on your risk exposure and consequently reduce the effort to validate compliance. However, it does not mean you are exempt from PCI. All merchants are required to complete the SAQ annually at a minimum. It also addresses internal security practices and procedures behind handling credit card data.
One of the leading causes of data breaches is employee error or carelessness when handling sensitive information; this is why proper policies should be in place and formal Security Awareness Training should be conducted. Your business must protect cardholder data when you receive it and when you process chargebacks and refunds. You must also ensure that providers’ applications and card payment terminals comply with the respective PCI standards and do not store sensitive cardholder data. You should request a certificate of compliance annually from providers.
My payment application is already compliant; what else do I need to do?
Utilizing a compliant payment application is a best practice towards achieving compliance, but PCI compliance also covers data security, physical security and network security.
What is a Self Assessment Questionnaire (SAQ)?
The Self Assessment Questionnaire (SAQ) is a validation tool primarily used by merchants and service providers that are not required to undergo an onsite assessment, to self-evaluate their compliance with the PCI DSS.
How do I know which Self Assessment Questionnaire (SAQ) to complete?
We have partnered with ControlScan, a leading provider of Payment Card Industry (PCI) compliance and security solutions, to give you a comprehensive package to meet mandatory PCI requirements set forth by the PCI Security Standards Council (PCI SSC).
You can access ControlScan’s web-based merchant portal called www.MyControlScan.com directly from our website, which provides you with the leading tools and support necessary to analyze, remediate and validate PCI compliance. ControlScan’s easy-to-use system is designed for all merchants that need to confidently complete PCI DSS certification requirements. After completing the online Self Assessment Questionnaire you will have the ability to print a Compliance Certificate.
Using the PCI Wizard and answering the questions presented will assist you in completing the appropriate SAQ for your business.
Note: scanning does not apply to all merchants. It is required for Validation Type 4 and 5 – those merchants with external facing IP addresses. Basically if you electronically store cardholder information or if your processing systems have any internet connectivity, a quarterly scan by an approved scanning vendor is required.
What is a network security scan?
A network security scan involves an automated tool that checks a merchant or service provider's systems for vulnerabilities. The tool will conduct a non-intrusive scan to remotely review networks and Web applications based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider.
The scan will identify vulnerabilities in operating systems, services, and devices that could be used by hackers to target the company's private network. As provided by an Approved Scanning Vendor (ASV) such as ControlScan, the tool does not require the merchant or service provider to install any software on their systems, and no denial-of-service attacks will be performed. Note, typically only merchants with external-facing IP addresses are required to have passing quarterly scans to validate PCI compliance.
Do I need vulnerability scanning to validate compliance?
If you electronically store cardholder data post authorization, or if your processing systems have any internet connectivity, a quarterly scan by a PCI SSC Approved Scanning Vendor (ASV) is required.
Every 90 days/once per quarter you are required to submit a passing scan.
Does this service protect me from breaches?
No, it does not. While this service can ensure your terminals and online shopping carts are compliant and meet all the requirements, we cannot verify that all of your individual business practices are compliant, or whether you have vulnerabilities that this process would not address. This service, however, will go a long way towards making your account as safe as possible, and will give you insight and information on other remediation steps you should be taking to protect credit card data in your possession.
What if I’m already working with a compliance company?
We are glad to hear that you have taken a proactive role in ensuring your compliance. Please forward us a copy of your current Compliance Certificate. You may fax the Compliance Certificate to 248-283-6235, or mail a copy to us at 250 Stephenson Hwy., Troy, MI 48083. Please be sure to identify your DBA Name and merchant number clearly on the first page.
Due to the importance of securing cardholder information and the requirements mandated by the Payment Card Industry Data Security Council we are unable to waive this fee but will continue to work hard at offering you the best compliance services as inexpensively as possible. All merchants that accept credit cards, regardless of size or sales volume, must validate PCI compliance at least annually. There is no way around this. Although larger merchants are at a greater risk of a security breach due to their processing volumes, statistics show that small (Level 4) merchants account for over 85% of compromise events.
Can I switch to a new processor who doesn’t require compliance?
All Acquirers are responsible for ensuring that all of their merchants comply with the PCI Data Security Standard (DSS) requirements, therefore, all processors are required by the card brands to implement a PCI compliance program. We have partnered with ControlScan based on the fact that they provide the best value for our merchants and provide full support in helping you in the compliance process.
What is the cost associated with a compliance failure or data breach?
The cost associated with a compliance failure or data breach can be very expensive for any merchant, especially a small or medium sized business owner. These costs include:
• Forensic investigation of computer or point of sale systems: $10,000-$20,000
• Reimbursement for fraudulent purchases made using breached information, as well as chargeback fees for those transactions
• Replacement cards for breached accounts: $3-$10 per card
• Card Association fines for non-compliance with the PCI Standard, up to $500,000
• Loss of business reputation and customer loyalty, and potentially credit card acceptance
• Potential listing in the MATCH
How do I learn more about PCI DSS?
More information about PCI DSS is available from the PCI Security Standards Council.
As a merchant, aren’t I entitled to store any data?
Many merchants believe that they own the customer and have a right to store all the data about that customer in order to help their business. Not only is this incorrect regarding PCI, it may also be a violation of State and Federal legislation regarding privacy. The PCI regulations specifically forbid storing of any of the following:
• Unencrypted credit card number
• CVV or CVV2
• Pin blocks
• PIN numbers
• Track 1 or 2 data
Any of the above found in databases, log files, audit trails, backups, etc. at a merchant can result in serious consequences for the merchant, especially if a compromise has taken place.
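The prohibited data types listed above most often end up in exactly the places named here: application logs, debug traces, audit trails and backups. The following Python script is an added example, not part of this FAQ and not ControlScan's or any card brand's tooling; it scans constructed sample log lines for unencrypted card numbers (runs of 13 to 19 digits that pass the Luhn check), CVV/CVV2 values logged beside their field name, and magnetic-stripe Track 1 and Track 2 data, reporting each hit with the card number masked to its first six and last four digits. The log format, the field names, and the card number 4111111111111111 (a widely used test number) are all constructed sample data, not values taken from any real merchant system.

```python
import re
from typing import Dict, List

# Constructed sample log lines (not from any real system). 4111111111111111 is a
# well-known test card number used here only as sample data; the 16-digit
# merchant_id on the last line is constructed so that it fails the Luhn check.
SAMPLE_LOG = """\
2024-05-01 12:00:01 INFO order=1001 auth approved pan=4111111111111111 exp=12/25
2024-05-01 12:00:02 DEBUG raw track2=;4111111111111111=251210100000?
2024-05-01 12:00:03 DEBUG raw track1=%B4111111111111111^DOE/JOHN^251210100000?
2024-05-01 12:00:04 INFO order=1002 cvv2=123 verification ok
2024-05-01 12:00:05 INFO order=1003 token=tok_9f3a8b last4=1111 approved
2024-05-01 12:00:06 INFO merchant_id=1234567890123456 settlement batch closed
"""

# A run of 13-19 digits that is not part of a longer digit run: a PAN candidate.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Track 2 layout: ;PAN=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(r";\d{13,19}=\d{4,}\??")
# Track 1 layout: %B<PAN>^<NAME>^YYMM<service code><discretionary data>?
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]+\^\d{4,}[^?]*\??")
# A card verification value logged next to its field name (cvv, cvv2, cvc, cid).
CVV_RE = re.compile(r"\b(cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters out most non-card digit runs (IDs, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits; the scanner must not re-log full PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> List[str]:
    """Return the prohibited-data findings for one log line (empty list if clean)."""
    findings: List[str] = []
    if TRACK1_RE.search(line):
        findings.append("track1")
    if TRACK2_RE.search(line):
        findings.append("track2")
    for m in PAN_RE.finditer(line):
        if luhn_valid(m.group(1)):
            findings.append("pan:" + mask_pan(m.group(1)))
    if CVV_RE.search(line):
        findings.append("cvv")
    return findings


def scan_log(text: str) -> Dict[int, List[str]]:
    """Map 1-based line numbers to findings, for lines that contain any."""
    result: Dict[int, List[str]] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        found = scan_line(line)
        if found:
            result[lineno] = found
    return result


if __name__ == "__main__":
    for lineno, found in scan_log(SAMPLE_LOG).items():
        print(f"line {lineno}: {', '.join(found)}")
```

Lines 5 and 6 of the sample produce no findings: a token plus last-four is acceptable to retain, and the 16-digit merchant ID fails the Luhn check, which is what keeps a scan like this from drowning in false positives when run over real logs. A match on Track 1 or Track 2 data is the most serious finding, since the standard forbids storing it even encrypted, and the remediation is to stop the logging at the source and purge the affected files and backups rather than to mask the output.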
I can just answer 'yes' to all the criteria on the Self-Assessment Questionnaire (SAQ).
The Self-Assessment Questionnaire (SAQ) is a mechanism for getting the information about the level of your compliance to your merchant bank. The standard applies at all times. Just saying yes to the questions puts you at great risk. If a compromise took place and it was obvious that you were not and have never been PCI compliant, the matter would be taken very seriously. You would be risking your whole business by answering 'yes' to the questions, when there is no factual basis for the answers.
What are the PCI compliance ‘levels’ and how are they determined?
All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (‘DBA’). In cases where a merchant corporation has more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA’s individual transaction volume to determine the validation level.
Merchant Level - Description
1 - Any merchant -- regardless of acceptance channel -- processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
2 - Any merchant -- regardless of acceptance channel -- processing 1M to 6M Visa transactions per year.
3 - Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
4 - Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants -- regardless of acceptance channel -- processing up to 1M Visa transactions per year.
*Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.
Source: http://usa.visa.com/merchants/risk_management/cisp_merchants.html
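As an added example (written for this page, not code from Visa, ControlScan or any processor), the Python below turns the level table and the aggregation rule for multi-DBA corporations into a function. The names Dba, merchant_level and validation_levels are this example's own. One assumption is labelled in the code: the table's ranges overlap at exactly 1,000,000 transactions ("1M to 6M" for Level 2, "up to 1M" for Level 4), and the example places that boundary count in the stricter Level 2. Escalation after a compromise, which the footnote says is at Visa's discretion, is not modelled. The DBA volumes are constructed sample figures.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Dba:
    """One 'Doing Business As' entity with its 12-month Visa transaction counts."""
    name: str
    visa_transactions: int            # all channels: credit, debit and prepaid
    visa_ecommerce_transactions: int  # the subset of those that were e-commerce


def merchant_level(total: int, ecommerce: int) -> int:
    """Map 12-month Visa volume to Level 1-4 per the table above.

    Assumption (this example's choice, not stated by the table): a count of
    exactly 1,000,000 is placed in Level 2, the stricter of the overlapping
    ranges. The other boundaries are unambiguous in the table: 6M belongs to
    Level 2 ("1M to 6M") and 20,000 e-commerce belongs to Level 3.
    """
    if ecommerce > total:
        raise ValueError("e-commerce transactions cannot exceed total transactions")
    if total > 6_000_000:
        return 1
    if total >= 1_000_000:
        return 2
    if ecommerce >= 20_000:
        return 3
    return 4


def validation_levels(dbas: List[Dba], corporate_handles_data: bool) -> Dict[str, int]:
    """Apply the aggregation rule for a corporation with several DBAs.

    If the corporate entity stores, processes or transmits cardholder data on
    behalf of its DBAs, their volumes are summed and every DBA validates at the
    resulting level; otherwise each DBA is levelled on its own volume.
    """
    if corporate_handles_data:
        total = sum(d.visa_transactions for d in dbas)
        ecom = sum(d.visa_ecommerce_transactions for d in dbas)
        shared = merchant_level(total, ecom)
        return {d.name: shared for d in dbas}
    return {
        d.name: merchant_level(d.visa_transactions, d.visa_ecommerce_transactions)
        for d in dbas
    }


# Constructed sample corporation: three DBAs, none over 1M on its own.
SAMPLE_DBAS = [
    Dba("Example Outlet A", 700_000, 30_000),
    Dba("Example Outlet B", 500_000, 5_000),
    Dba("Example Outlet C", 100_000, 0),
]


if __name__ == "__main__":
    print("separate:  ", validation_levels(SAMPLE_DBAS, corporate_handles_data=False))
    print("aggregated:", validation_levels(SAMPLE_DBAS, corporate_handles_data=True))
```

Run on the sample, the separate view puts Outlet A at Level 3 (30,000 e-commerce transactions) and the other two at Level 4, while the aggregated view sums to 1.3M transactions and moves all three to Level 2, which is the practical point of the aggregation rule: a central system that touches cardholder data for several DBAs pulls the whole corporation up the validation ladder.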
What should I do if I’m compromised?
We recommend following the procedures outlined in Visa’s “What to Do If Compromised: Visa Fraud Control and Investigations Procedures” document. See the link below. http://usa.visa.com/download/merchants/cisp_what_to_do_if_compromised.pdf