Answers to the most common questions about Payment Card Industry (PCI) compliance.
Payment Card Industry (PCI) Compliance FAQs
| Question | Answer |
|---|---|
| What is PCI compliance? | The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to ensure that ALL companies that accept, process, store or transmit cardholder data maintain a secure environment. The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the PCI security standards, with a focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC, an independent body created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). Note that the payment brands and acquirers, not the PCI SSC, are responsible for enforcing compliance. |
| Where can I find the PCI Data Security Standard (PCI DSS)? | The current PCI DSS documents can be found on the PCI Security Standards Council website. |
| What is the most current version of the PCI DSS? | The PCI SSC released PCI DSS version 4.0 on March 31, 2022. PCI DSS 4.0 brought extensive changes, including stronger password requirements (for example, a minimum password length of 12 characters) and additional guidance on e-commerce security. PCI DSS version 3.2.1 was retired on March 31, 2024. At this time, the third-party platform that Tebra partners with (SecureTrust) to let customers complete their PCI compliance attestation is based on PCI DSS version 3.2.1; SecureTrust is working on upgrading the platform to the version 4.0 requirements. |
| Who is SecureTrust? | SecureTrust is a Qualified Security Assessor Company (QSA-C) that offers solutions to proactively assess and improve a business's security posture. Tebra has partnered with SecureTrust so that Tebra Payments customers can use SecureTrust's solution to attest their PCI compliance. |
| What do we have to do to be PCI compliant? | To become PCI compliant, create an account with our trusted partner, SecureTrust, complete the Self-Assessment Questionnaire (SAQ) that applies to how your practice accepts cards, and ensure that all controls required by that SAQ are actually in place. The SAQ is a self-attestation: answering "yes" to a control that is not in place does not make you compliant. |
| We use a billing company. What is the process for completing the PCI compliance requirements? | The Self-Assessment Questionnaire (SAQ) still needs to be completed by the practice, not the billing company. |
| How long does the compliance attestation process take? | The anticipated completion time for the Self-Assessment Questionnaire (SAQ) is approximately 20 minutes. |
| I received an email regarding PCI. Is this from Tebra? | Yes. The email comes from SecureTrust, our trusted partner, on Tebra's behalf, and guides you through the PCI DSS compliance process. As with any email that asks you to log in to a portal, verify the sender before following links; if you are unsure, contact Tebra Customer Care. Note: You have 90 days from receiving the SecureTrust email to onboard to the PCI Compliance portal, complete the Self-Assessment Questionnaire (SAQ), and become PCI compliant. |
| What if I don't know how to answer a question? | Answer the questions to the best of your ability with the information you have available. SecureTrust representatives are available to help you interpret questions at email@example.com. |
| How do we know if we are PCI compliant? | Your responses to the Self-Assessment Questionnaire (SAQ), based on the controls you have in place, determine whether your business is PCI compliant. If there is noncompliance, SecureTrust will provide guidance on the corrective actions needed. |
| Do submerchants have to be PCI compliant? | Yes. All businesses that process, store, or transmit payment card information are required to comply with the PCI DSS. The government does not regulate PCI*; however, when you signed your payment card contract and confirmed your desire to accept credit and debit cards at your business, you agreed to follow the card brand rules. If you wish to accept Visa, MasterCard, JCB, American Express, and Discover, you must comply with PCI DSS. *Some states, including Nevada, Minnesota and Washington, have incorporated PCI DSS compliance into their state laws. |
| What happens if, as a submerchant, we are not PCI compliant? | Non-compliance can have several consequences, including monthly fines and penalties imposed by the card brands, data breaches that lead to compensation obligations to affected customers, legal proceedings, and reputational harm from compromised data. In addition, under the Tebra Payments pricing policy, a recurring monthly non-compliance charge is applied until PCI compliance is reinstated. |
| Will we be unable to process credit card payments if we are not PCI compliant? | You will still be able to process payments if you are not PCI compliant. However, a recurring monthly non-compliance charge will be applied until PCI compliance is reinstated. |
| What if we have additional questions about being PCI compliant? Who do we reach out to? | If you have any questions about becoming PCI compliant, reach out to our trusted partner, SecureTrust, at firstname.lastname@example.org. |
| What if we didn't receive any communication about PCI compliance for Tebra Payments? Who do we reach out to? | If you have not received any communication about becoming PCI compliant, contact Tebra Customer Care. |