As a grocery retailer who’s always taken the steps to stay PCI compliant, you may think you’ve done everything you need. But that might not be enough to protect you and your customers. Did you know that even if you’ve taken every precaution, you could still be at risk? That’s because anyone who touches the environment where customer payments are handled must also be PCI compliant—including your resellers and technology providers.
PCI, of course, is the Payment Card Industry’s set of policies and standards intended to protect credit, debit, and cash card transactions, as well as to prevent misuse of the cardholder’s personal information.
How can you find out if you are working with PCI certified vendors? Here are six important questions to ask to verify their level of compliance and ensure they’re taking the proper steps to protect the safety of your customers and business.
Do you have a Report on Compliance?
The most important piece of information you should ask for is your technology provider’s Report on Compliance (ROC). If they’ve had an audit or done a self-assessment and met all the PCI guidelines for the stores they support, it will be documented in the ROC.
Any reseller who connects to your system to take care of your cash registers and point of sale software must be PCI compliant to the same level as you, the grocery retailer.
What is your level of compliance?
This is the second most important question to ask about your reseller's level of PCI compliance. The four merchant levels, based on the number of annual transactions, are:
- Level 1 merchants have over 6 million transactions.
- Level 2 merchants have between 1 and 6 million transactions.
- Level 3 merchants have between 20,000 and 1 million transactions.
- Level 4 merchants have fewer than 20,000 transactions.
Technology providers must meet the same level of PCI compliance as their customers, even if they’re not directly handling the payments themselves. Therefore, if a reseller services Level 1 grocery retailers, they must also be a Level 1 PCI compliant service provider.
Do you have a QIR program?
The Qualified Integrator and Reseller (QIR) program is run by the PCI Security Standards Council (PCI SSC). QIR members have received training on the principles and procedures for installing and maintaining secure payment applications, and they must renew that training each year.
By being a QIR member, technology providers are stating they know and follow PCI best practices and guidelines in securely implementing and deploying systems. Most credit card processors mandate that customers use a QIR when deploying systems, and many keep a list of PCI DSS compliant service providers. All QIR members who maintain current QIR training are listed on the PCI SSC website.
What are your internal training programs around security?
A technology provider's ROC should report the types of security training and refresher programs its staff must complete to support your retail customer systems, and it should provide records that this training has been completed. While not explicitly required for PCI compliance, a good provider will also have an internal training program that augments the required curricula. This shows the provider is even more dedicated to keeping your customers' data safe by training its employees above and beyond the minimum requirements.
Do you have a dedicated security team member or internal security department that makes sure your systems are up to date?
A good reseller will have a dedicated department or team member who is the go-to contact on security. This person or team is responsible for security processes and policies and for keeping systems up to date. They also make sure the company itself follows PCI best practices, not just for the in-scope payment network, but for all systems within the company. Companies that have a dedicated security team show that they're committed to doing more than just the bare minimum.
Are you active in any PCI Security Standards Council organizations or other groups?
Resellers can keep abreast of what's going on in the PCI world by joining a variety of PCI SSC and other industry organizations. These organizations are dedicated to keeping members current on the evolving PCI rules and standards. Resellers that are active in the PCI community show that they are current on the regulations, receive notices of changes, and are often made aware of upcoming changes to the guidelines before they go into effect.
Participation in these organizations also gives resellers a chance to network with providers in other verticals and leaders in the PCI world. By staying current with what’s going on in the world of PCI compliance today, as well as what is on the horizon, a retail technology provider can better protect its customers.
So whether you're considering a new retail technology provider or just giving your existing provider an annual checkup, keep these questions handy. They'll help make sure your PCI compliance is up to date and your business and customer payment data are secure.
Want PCI compliance peace of mind? TRUNO is a Level 1 PCI compliant service provider that can handle all your security needs.