Do you need to hire a professional in order to be pci compliant?
I run an organic food store, and after a conference call with my credit card service (Card Connect), do I really have to hire a PCI certified professional once a year in order to be PCI compliant? If this is the case, how much does it cost?
Or am I just misreading things? I don't think any "cyber criminal" is going to target my business. NCR Silver handles all my credit card transactions.
scam financial
ncrsilver.com/what-is-pci-compliance
– they
4 hours ago
"i don't think any "cyber criminal" is going to target my business." Wow.
– Joseph Sible
4 hours ago
1
To make a more useful comment than Joseph Sible: in the modern world, any business with an online presence of any sort will be targeted by cyber criminals. Many businesses without online presences are still targeted by cyber criminals, despite the reduced attack surface. If you're careful, there can be a big difference between being targeted and being compromised, which is part of what PCI compliance is about - but that's only about protecting credit card info, not your business.
– Ed Grimm
3 hours ago
@they: so, what you're trying to say is that ncrsilver is already PCI compliant, and I don't need to hire anyone? This all just seems like a classic case of taxation and racketeering to me.
– thinksinbinary
3 hours ago
@thinksinbinary: All merchants that take card payments have to be PCI compliant. Using a PCI compliant payment processor doesn't make you PCI compliant, but it can reduce the scope of your PCI compliance. You still need to do a PCI SAQ, which is pretty simple to do if you use a processor. Note that PCI compliance isn't law, but if you aren't PCI compliant and you are suspected of causing a data breach, your bank will impose very heavy fines, and no bank will allow you to process cards if you're blacklisted. Completing your PCI compliance reduces your liability if you are involved in a breach.
– Lie Ryan
3 hours ago
asked 5 hours ago by thinksinbinary
2 Answers
If you handle credit card numbers, then yes, you have to be certified by a qualified auditor, and this certification requires you to hire a PCI auditor.
However, you don't have to handle credit card numbers to be able to receive credit card payments. Instead, most smaller merchants use a PCI compliant payment processor like Stripe or PayPal to process card transactions. This reduces the scope of your PCI compliance significantly, and you can be PCI compliant by just doing the PCI SAQ (Self Assessment Questionnaire), which you can do yourself without hiring a PCI auditor. Depending on your business type and how you handle card payments, there are different SAQs. The SAQ questionnaires will tell you if you actually need to use an auditor, which is based on the volume of your expected transactions and the mechanism you use to integrate with your payment processor.
Primarily, you want to outsource as much as possible of your payment processing to the payment processor, to reduce your scope and avoid handling card numbers.
answered 4 hours ago, edited 3 hours ago, by Lie Ryan
Do you need to be cautious about security?
If you are using a POS (Point of Sale) system, a simple reason could be:
This machine simply requests the money transfer. The credit card data being transferred to complete the transaction are sensitive, and the whole process needs to be PCI (payment) compliant. You might not have an online business, but that only means less concern. Anyone can be a target of cyber criminals on a small or large scale; it is just a matter of time.
Start with the PCI SAQ (Self Assessment Questionnaire); this should give you an idea of whether you still need a professional to run through it.
How much does it cost?
It depends on the variables that affect the overall cost, such as the size and type of business. The larger the organization, the more potential compliance gaps, and therefore the more costly.
answered 1 hour ago by Vcode