Gravity Payments

PCI-DSS


What is PCI-DSS?

PCI-DSS stands for Payment Card Industry Data Security Standard. It is a unified set of standards that provides “a baseline of technical and operational requirements designed to protect payment data”. PCI-DSS is a global standard built in partnership by all the major card brands. Compliance with these standards ensures that you meet the minimum levels of security when you store, process, and transmit cardholder data.

Read: PCI-DSS Documentation

Is compliance with PCI-DSS mandatory?

While PCI-DSS is not required by federal law in the US, it is mandated by the Payment Card Industry Security Standards Council and is explicitly referenced in the state laws of Minnesota, Nevada, and Washington. In addition, compliance with PCI-DSS is a contractual obligation between your business, your merchant service provider, and the card issuer. Each card brand has its own program and penalties for non-compliance, but all follow the same standard.

Why should my business be PCI-DSS compliant?

Avoid the steep costs of a breach

While it can be frustrating to adapt to these standards, we do not recommend settling for paying a non-compliance fee instead. Compliance mitigates the risk of a costly data breach, which costs businesses approximately $7.68 Million per incident on average. 60% of small to medium businesses go out of business within 6 months of being breached.

Example costs of a breach:

  • Merchant Processor Compromise fee – $5,000 – $50,000
  • Forensic Investigation – $12,000 – $100,000+
  • Onsite QSA Assessment – $20,000 – $100,000
  • Free Credit Check for affected customers – $10 – $30/card
  • Card Re-Issuance Fee – $3 – $10/card
  • Breach Notification to public – $2,000 – $10,000
  • Tech Repairs – $5,000+
  • Increased monthly processing fees, legal fees, and civil judgments

Are you a healthcare provider? There are additional costs for a payment information breach.

  • Health and Human Services Fine – up to $1.5 Million/violation/year
  • On-going credit monitoring for affected patients – $10/individual
  • Federal Trade Commission Fines – $16,000/record
  • Class Action Lawsuit – $1,000/record
  • State Attorney General Fee – $150,000+
  • Patient loss – 40%

How does Gravity Payments facilitate PCI-DSS compliance?

Requirements and facilitation differ depending on whether you accept payments through your business management software (integrated) or through a standalone solution (non-integrated).

How Gravity Payments facilitates PCI-DSS compliance for merchants utilizing integrated payments solutions

Your business is boarded with SecureTrust after your first 90 days of processing payments with Gravity Payments.

Since 08/2020, SecureTrust has been Gravity Payments’ preferred vendor for PCI-DSS compliance servicing. SecureTrust takes the stress out of compliance, data privacy and risk management for businesses from small merchants to large enterprises. Gravity Payments trusts SecureTrust to help you, your customers, and your partners defend against cybercrime and meet compliance requirements.

Fees:

The following charges can be found on your processing statement.

  • Mandatory annual fee: a $115 PCI Compliance fee provides you access to SecureTrust.
    • Fee per additional location: $55
  • PCI non-compliance fee: $19.95/month

Achieving and Maintaining PCI Compliance

1. Self-Assessment Questionnaire (SAQ)

Merchants are required to submit a completed SAQ at least once a year.

There are 9 available SAQs on the PCI Council website, each with different eligibility criteria. It’s important that you take the time to read the “Before You Begin” section to make sure you meet all the eligibility requirements and that you’re completing the correct SAQ. For more information, read page 11 of the PCI Council’s Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines for selecting the SAQ and attestation that best apply to your organization.

Completing this questionnaire is mandatory to achieve compliance, and your responses must demonstrate that your business complies with PCI-DSS, or you will receive a failing grade. In the unlikely event of a failing grade, reach out to SecureTrust and Gravity Payments, who will help you become compliant.

Please note: All Gravity Payments integrated payments solutions are designed to the highest security standards.

2. SecureTrust Vulnerability Scans

SecureTrust runs a scan once a month by default, but is required to scan at least once every 90 days. You will need to log in to your SecureTrust portal to attest to (affirm the accuracy of) each scan result.

How Gravity Payments facilitates PCI-DSS compliance for merchants utilizing non-integrated payments solutions

Although Gravity does not penalize merchants for non-compliance, we highly recommend that all merchants processing via IP (internet) become PCI compliant to reduce the risk of a breach. This includes merchants processing over the internet using a terminal, a POS system, or a gateway.

Gravity Payments Breach Protection

$85/year

PCI compliance greatly mitigates the risk of a data breach, but a breach can still occur. With Gravity’s new PCI Program, breach protection is included in the cost of PCI Compliance for all of our merchants. Breach Protection is similar to insurance: it helps cover the costs of fees, penalties and other losses in the event of a breach.

  • Can cover up to 5 locations (MIDs)
  • $100,000 coverage per MID
  • $0 deductible
  • $500,000 maximum per year for Merchants with multiple MIDs enrolled in Breach Protection
  • Covers forensic audit fees, card replacement costs and fines

1. Self-Assessment Questionnaire (SAQ)

Every business that accepts credit and debit cards is required to submit a completed SAQ at least once a year.

There are 9 available SAQs on the PCI Council website, each with different eligibility criteria. It’s important that you take the time to read the “Before You Begin” section to make sure you meet all the eligibility requirements and that you’re completing the correct SAQ. For more information, read page 11 of the PCI Council’s Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines for selecting the SAQ and attestation that best apply to your organization.

Completing this questionnaire is mandatory to achieve compliance, and your responses must demonstrate that your business complies with PCI-DSS, or you will receive a failing grade. In the unlikely event of a failing grade, reach out to your PCI SSC Approved Scanning Vendor (ASV) and Gravity Payments, who will help you become compliant.

Please note: All Gravity Payments integrated payments solutions are designed to the highest security standards.

2. Completed Attestation of Compliance

The PCI Security Standards Council requires the full completion of the Attestation of Compliance. This document must be completed by a Qualified Security Assessor (QSA), or by the merchant if the merchant’s internal audit performs the validation, as a declaration of the merchant’s compliance status with the Payment Card Industry Data Security Standard (PCI-DSS).

3. Vulnerability Scans from a PCI SSC Approved Scanning Vendor (ASV)

You are required to have an external vulnerability scan performed at least once every 90 days by a PCI SSC Approved Scanning Vendor (ASV), and to retain evidence of the results.

Visit the PCI Security Standards Council website for an up-to-date list of Approved Scanning Vendors.

Using SecureTrust

How do I log in to the SecureTrust Portal?

  1. Navigate to portal.securetrust.com
  2. Log in with the username and password supplied by SecureTrust
