FAQ - Payment Card Industry (PCI)


For additional information, or if you need assistance with PCI Compliance, please reach out to:

Bill Rorick
President
Bill Rorick (IPS) <Bill.Rorick@innovantageps.com>
+1 (714) 461-2768


Q1 - Is your device PCI certified?

A - Some are and some aren’t. Please check with our Sales team for details.

Q2 - If your device is not PCI certified, can I still have a PCI compliant system?

A - Yes, the device doesn’t have to be PCI certified to be used in a secure and PCI compliant system. For “Validated” P2PE applications, the device does need to be PCI certified.  

Q3 - Using your payment system and path as described, am I in PCI scope?

A - Based on past experience, a payment system using our encrypting reader and payment path would put the merchant out of PCI scope, since their system never sees, stores, or transmits sensitive card data in the clear. If our reader doesn’t have its own internet access, then the merchant’s system is basically just a conduit or cable that lets us send the encrypted data out, and PCI doesn’t certify cables. Since the merchant doesn’t have the encryption key, there is also no way for them to decrypt the data. This is based on many similar projects and PCI rulings in the past. If the merchant wants an official PCI statement that they are out of scope, they would need to get it from a PCI auditor.

Q4 - Do I have to go get a PCI auditor to review and certify my system before I can accept credit cards?

A - No, we provide merchants with a secure and L3 certified payment solution that is acceptable for taking credit card payments. The processor will typically charge the merchant a monthly PCI fee if they do not provide evidence that they are either PCI compliant or out of PCI scope. 

Q5 - How much does a processor charge me if I cannot show that I am either out of PCI scope or compliant?

A - These costs vary by processor, but a merchant with a system that has not been verified as compliant will typically be charged a PCI fee of about $100.00 per month.

Q6 - Can the processor help me gain PCI Compliance?

A - Yes, nearly all major processors have a compliance team or partner that will review the merchant’s payment system online or on the phone and allow them to self-certify their compliance. In this case, they will also do regular checks of the merchant’s system to make sure they remain PCI compliant. The fees for this service vary by processor but typically run in the range of $10.00 - $15.00 per month. This replaces the $100.00 fee mentioned in question 5.

Q7 - Do you have a P2PE solution?

A - ID TECH does offer a “Validated” PCI P2PE solution. This “validated” solution does add a lot of cost and also adds some responsibility for device tracking and monitoring onto the merchant. ID TECH’s standard solution is not P2PE “validated” but does encrypt the sensitive card data at the time of capture inside the card reading device and it remains encrypted from point to point as it moves through the payment process. This is generally considered a secure solution and is the most common method of providing a secure and PCI compliant payment solution.  

Q8 - What security features does your path include? 

A - ID TECH encrypts the sensitive card data inside the card reader as it is captured by a swipe, insert, or tap of the card. We use TDES or AES encryption with a DUKPT (Derived Unique Key Per Transaction) key management scheme.

