Sales Rep Frequently Asked Questions


OMEGA Processing Data Protection Program
February Updated

In response to a national rise in data breaches and system compromises, OMEGA Processing is partnering with Compliance Solutions Resources (CSR), a national leader in PCI and PII security, to provide our merchants with a powerful data protection solution. The new program will have four components: PCI ToolKit, Breach Reporting ToolKit, Vulnerability Scanning and Breach Insurance. OMEGA Processing merchants will be enrolled in the data protection program starting in March.

General Program Questions

Are all merchants enrolled in all four of the program components?
All OMEGA Processing merchants are enrolled in the PCI ToolKit, Breach Reporting ToolKit and Breach Insurance protection policy. Merchants with IP terminals, IP-compatible terminals, virtual terminals, mobile processing with OMEGA VT or POS systems are also enrolled in quarterly Vulnerability Scanning. Merchants who only run dial terminals, wireless terminals over a phone line or mobile-only processing do not require vulnerability scanning. After a merchant completes their SAQ through the PCI ToolKit, it will be determined whether or not they need to be enrolled in Vulnerability Scanning.

What is OMEGA's cost for the data protection program?
PCI Toolkit: $1.75
Breach Reporting Toolkit: $2.00
Network Scanning: $4.00 per IP address (usually only one)
Note: Network scanning is not applicable for dial and wireless terminals that run over a phone line and mobile-only processing.
Note: IP-compatible terminals that are not currently running IP must still be scanned.
Breach Insurance: $1.75 for a $100,000 policy
Program Total: $9.50 for IP; $5.50 for non-IP

How are merchants boarded?
Merchants are boarded by file upload protocol. OMEGA Processing will send updated merchant lists to the vendor, CSR.

What is the timing for OMEGA's PCI initiative?
All current OMEGA merchants will receive enrollment information from CSR in March. New merchants who are boarded after March 1, 2013, will be enrolled into the program at boarding and will then receive their enrollment information from CSR. After receiving their enrollment information, merchants will need to complete their Self-Assessment Questionnaire (SAQ) to become PCI compliant and will receive regular reminders from CSR until they do so.

What if a merchant does not become PCI compliant after several notifications to do so?
OMEGA Processing and all of our merchants are required to be PCI compliant. If, after multiple notifications, a merchant still has not completed their SAQ and achieved PCI compliance, OMEGA will institute a monthly PCI non-compliance fee of $29.95 in order to encourage compliance. Merchants have until August 1, 2013, to achieve PCI compliance and avoid a non-compliance fee.

Is training provided?
Both initial and ongoing education will be available to OMEGA reps and staff.

Program Payment and Rep Charges

How will payment be handled?
The monthly program cost ($9.50 for IP and $5.50 for non-IP) will be deducted from the net income calculation. Reps can elect to pass the exact fee on to the merchant, mark it up or absorb it.

How do I let front-end know how to charge my existing merchants?
Sales managers were sent spreadsheets of their existing merchants with columns highlighting current PCI fees, new PCI fees and the cost difference. There is also a column where you need to input how much OMEGA should charge each merchant for the new PCI program. You have until March 10, 2013 to complete these spreadsheets and return them to Daena Sprafka at daena@omegap.com. If you do not let OMEGA know how much to charge your merchants, we will not increase their pricing, and the monthly cost difference will be deducted from the net income calculation.

How are new accounts charged?
There is a field on the new merchant application for the PCI/Security fee. The rep should enter the amount that the merchant is to be charged each month. Reps are encouraged to take the time to discuss the importance of PCI compliance with their new merchants.

PCI Compliance and the PCI ToolKit

What are PCI Standards?
The Payment Card Industry Data Security Standard (PCI DSS) is a common set of industry tools and measurements that help ensure the safe handling of sensitive information such as debit or credit card number, expiration date and card security code. PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data. To be PCI compliant, you must meet the PCI DSS.

What is the PCI ToolKit?
The PCI ToolKit is an interactive security questionnaire system that guides merchants through completing their Self-Assessment Questionnaire (see below for more information on SAQs) and achieving PCI compliance. The toolkit is customized, meaning the responses that merchants give to individual questions determine which path of questions the toolkit will follow.

Here is the login screen for the PCI ToolKit.

In March, existing OMEGA Processing merchants will receive a credential notice in the mail from CSR with a URL for the PCI ToolKit and login directions. The merchant's username, temporary password and instructions for creating a permanent password will be included. After logging in, merchants will be directed to the PCI ToolKit, where they will be able to complete their SAQ, generate security policies and complete any employee training.

Here is a screenshot of the first question that merchants will see after logging into the toolkit.

The PCI ToolKit provides specific solutions should a merchant's operations or procedures be found vulnerable to a data breach. In addition, the toolkit provides employee security training and certification and generates security policies that are customized to the merchant.

Here is a Task Screen that outlines what remaining tasks need to be completed to achieve PCI compliance.

The toolkit also has dashboard screens that show the step-by-step process to follow in order to achieve compliance. After completing all of the steps, merchants can view and print a certificate showing their PCI compliance.

What is the Self-Assessment Questionnaire (SAQ)?
The Self-Assessment Questionnaire (SAQ) is the actual set of questions that the merchant must answer in order to satisfy the PCI Data Security Standard (PCI DSS). There are currently five SAQs available to answer: A, B, C, C-VT and D. The merchant will complete the SAQ that best fits how credit cards are processed, on a per Merchant Identification Number (MID) basis. Many merchants have more than one MID. For example, a merchant may have a MID for the retail store and a separate MID for the ecommerce store. To be PCI compliant, an SAQ must be completed at least annually, or more often in the event of a data breach.

Which version of the SAQ is appropriate for which type of merchant?
In general, here are descriptions of the various SAQ types.
SAQ A: Card-not-present merchants, all cardholder data functions outsourced.
SAQ B: Merchants with only imprint machines or only standalone, dial-out terminals. No electronic cardholder data storage.
SAQ C-VT: Merchants with web-based virtual terminals. No electronic cardholder data storage.
SAQ C: Merchants with payment application systems (for example, point-of-sale systems) that are connected to the Internet (for example, via DSL, cable modem, etc.). No electronic cardholder data storage.
SAQ D: All other merchants and all service providers defined by a payment brand as eligible to complete an SAQ.

What SAQ versions does the PCI ToolKit cover?
PCI ToolKit contains all of the material required to complete Self-Assessment Questionnaires (SAQs) A, B, C-VT, C and D.

How long does it take to complete the SAQ using the PCI ToolKit?
While it depends on which SAQ, the number of MIDs and the level of merchant knowledge, on average it requires minutes to complete the SAQ the first time. Because business information is saved in the system, the time needed to complete the SAQ is significantly reduced in following years.

What type of customer support is offered?
Email support from CSR can be launched from any page of PCI ToolKit. PCI experts respond in writing very quickly, usually in minutes, and no longer than one business day.

How are merchants reminded to complete their SAQ?
PCI ToolKit sends out email and U.S. postal mail reminders for merchants to complete their initial SAQ. When annual updates are due, periodic reminders are also sent. OMEGA Processing receives reports on which merchants still have to complete their SAQ or annual update and are non-PCI compliant.

Data Breaches and the Breach Reporting ToolKit

What is the Breach Reporting ToolKit?
Currently in 46 states, the law states that a merchant MUST proactively report any actual or suspected data loss in order to avoid fines, penalties and even prosecution. The Breach Reporting ToolKit is a notification system that, in the event of a suspected or actual data breach, delivers the right information at the right time to the right regulating bodies. In such an instance, the merchant can call a certified risk and privacy expert who will evaluate the situation, determine the scope of required notifications and initiate the notification system. This system will provide proactive notification to over 300 regulatory bodies within mandated timelines and in the format(s) required by law.

What is the difference between PCI and PII?
PII, or Personally Identifiable Information, is a broad category of data that encompasses both payment card information and other pieces of information that uniquely identify, or can be used to identify, an individual. PCI relates to payment card information and is just one aspect of PII. The legal definition of PII varies by state. Most definitions, however, include some variation of a person's name or initials IN COMBINATION WITH other pieces of information that can be used to identify the person, including social security numbers, driver's license numbers and financial account numbers. The Breach Reporting ToolKit responds to any potential or actual PII data loss.

What are the risks to a merchant if a data breach occurs?
More serious data breaches, especially those involving highly sensitive forms of data, can result in criminal penalties. Also, a business's reputation can be severely damaged. Consumer surveys cited by Visa USA indicate that approximately 79% of customers lose trust in a company that experiences a data breach, and approximately 74% say that they will not continue to patronize a business where they feel their data may be at risk. Other studies show that a data breach costs companies, on average, about $214 per compromised record. The financial consequences of failing to properly report a breach can also be substantial, possibly even more so than those associated with the breach itself. As just one example, Visa can assess fines of up to $100,000 per breach incident against merchants who fail to promptly and appropriately report the incident to them. Risk can be mitigated by a merchant positioning itself to be able to act quickly in the face of a breach.

What if a merchant doesn't record or maintain any PII data?
A merchant might be recording or maintaining PII data without realizing it. For instance, the cardholder's name is included in the magnetic stripe of some cards and is captured when the card is swiped at a point-of-sale terminal. As such, merchants may be collecting and storing information that constitutes PII through their POS terminal, even if customers are not expressly asked to provide it. This means that if a POS terminal is breached, merchants could be required to notify individuals, as well as other entities, of the breach.

Do Credit Reporting Agencies (CRAs) need to be informed of a breach involving PII?
The answer depends on the circumstances of the breach. There are provisions in most of the state security breach notification laws regarding reporting breaches to CRAs like Equifax, Experian and TransUnion. The Breach Reporting ToolKit determines if CRAs must be informed of a data breach and assists if necessary.

What if PII under care was encrypted?
Virtually all jurisdictions have an exemption from breach reporting and notification in place when the PII is encrypted or otherwise rendered secure. Encryption, in general, requires that PII be transformed into a form in which there is a low probability of assigning meaning to it without the use of a confidential process or key. Some states, however, require that PII be encrypted or secured using specific technologies or processes in order for this notification exemption to apply.

What if PII received from another organization is compromised?
If PII belonging to another organization is compromised while under a merchant's care, that merchant may be required to notify the organization of the breach. Most state laws place the ultimate responsibility for notifying consumers of a breach on the owner or licensee of PII. However, others who receive or maintain this information are typically required to promptly or immediately notify the owner or licensee after discovering a breach of PII, so that the owner or licensee can take appropriate action. Cooperation with the data owner or licensee may require providing relevant details about the breach incident and any remedial measures being taken. Even where notice to the owner or licensee is not legally required, it may be appropriate, depending on the relationship.

Who is responsible for overseeing compliance with the various security breach laws?
As a general rule, the various state attorneys general and other state regulatory bodies are responsible for enforcing and overseeing compliance with state security breach notification laws. In some states, consumers who are harmed by a violation of the state's notification law may bring a private lawsuit to enforce the law and recover damages for a violation. At the federal level, this responsibility is primarily vested in the Federal Trade Commission, the Consumer Financial Protection Board and, in the case of healthcare-related entities, the Department of Health and Human Services.

Vulnerability Scanning

What is vulnerability scanning?
Vulnerability scanning is automated, recurring network/workstation scanning that detects potential system entry points for card/cardholder data theft.

Who needs vulnerability scanning?
PCI-required scans may apply to all merchants and service providers with Internet-facing IP addresses. Even if a merchant does not offer Internet-based transactions, other services may make systems Internet accessible. Typically, any MID that answers SAQ C or D needs scanning.

What if a merchant uses an IP-compatible terminal but is not using IP at this time?
Scanning is required because we do not know if and when the merchant will start using the IP capability of the terminal.

Do mobile-only merchants require scanning?
Mobile-only gateway merchants will not require scanning.

How often is vulnerability scanning performed?
PCI ToolKit offers fully integrated, quarterly scanning through a PCI Approved Scanning Vendor (ASV).

Breach Insurance

What is Breach Insurance?
An insurance plan with up to $100,000 of protection to cover potential fines and fees in the event a merchant experiences a breach of card and/or cardholder data. Merchants are covered once they complete their SAQ and achieve PCI compliance.