Merchant compliance with PCI standards
KB article ID:3100
4/6/2012: Revamped per new approach developed with Security Metrics
4/7/2012: Added guidance on SAQ A
4/11/2012: Changed SAQ D to SAQ C-VT, which isn't quite as bad
10/22/2012: Made changes to indicate the way which pcirapidcomply.com operates, as First Data and Co-Card seem to have dumped Security Metrics
4/12/2013: removed all references to Security Metrics and updated the guidance on pcirapidcomply compliance verification
9/20/2013: Added back a reference to SAQ C-VT
10/17/2013: Moved to courtsupport.judici.com without any substantive modification
Mid-June 2014: Added more details on determining your PCI obligations
This is part of the E-Pay Operating Guidelines and the Welcome Packet
DISCLAIMER: This information is provided on an "as-is basis", as of the Last Modified date above. GAL does not warrant that this it is accurate or complete. To be sure of all your obligations, consult your merchant agreement or call the customer service number on your monthly merchant account statement.
What is PCI-DSS?
The PCI-DSS is a standard governing the secure handling of cardholder data such as credit card numbers
Other payment services don't tell me I have to be PCI compliant. Why does Judici?
Other processors may not help you determine whether you're compliant, or fine you if you aren't. But if you ask the right questions to another provider, you will always find that you have to be PCI compliant. It's common sense- if your business accepts credit card payments, the card companies want you to meet security requirements. So if someone gets a virus onto a PC involved with processing credit cards, you will be liable for the resulting data breach.
What if the card transaction is done on the internet?
It doesn't matter- if you use an online service, including Judici, you have PCI obligations... even if you don't use the service at the court!
What are my obligations to be PCI compliant?
Your PCI obligations are represented using a self-assessment questionnaire (SAQ). The SAQs vary in complexity, depending on how you accept card payments.
Where can I find these SAQs?
All of them are available here, on the "SAQs" tab. They go from SAQ A to SAQ D, with each successive SAQ becoming more complicated.
How do I know which SAQ applies to me?
All SAQs have a "Before you Begin" section which describes the conditions in which they are applicable. The following key "big picture" questions about your particular situation, will generally tell you what SAQ applies:
Q: Do you not accept payments at the court?
If you use Judici, but not at the court, SAQ A applies.
A: SAQ A applies, and there aren't many requirements so it's easy. Judici E-Pay courts will use First Data's own PCI compliance website, www.pcirapidcomply.com. See guidance on pcirapidcomply self-assessment [Cnv Google Drive link, but link is dead, https://sites.google.com/a/judici.com/courtsupport/home/media/pcirapidcomply%20SAQ%20questionnaire%2020150716.pdf?attredirects=0&d=1] for notes on the current compliance process.
Q: Do you accept payments at the court, but only using an imprint machines or stand-alone dial-out (non-internet) terminals?
A: SAQ B applies. Again, the requirements are simple.
Q: Do you accept payments at the court, but only by typing (not swiping) card data into a dedicated payment computer accessing only an offsite web page (e.g. using Judici on a kiosk at the court)?
A: SAQ C-VT applies. Specifically, the key requirements listed in the "Before you Begin" section of the SAQ are:
The dedicated computer, isolated in a single location, and not connected to other locations or systems within your environment.
You don't use any kind of swiper. The SAQ requires that the computer: "does not have any attached hardware devices that are used to capture or store cardholder data (for example, there are no card readers attached)"
This SAQ is more complicated than SAQ A, because you or your I.T. staff have to answer some questions to make sure the computer and your network are safe.
Q: Do you accept card payments using a swiper or a payment application running at your court rather than on a web page?
A: SAQ C applies. The key requirement listed in the "Before you Begin" section is:
The payment application system is not connected to any other systems within your environment. Practically speaking, this means that payment counter computers should not be used for other court purposes, such as Imaging/document access, web access or e-mail, including mailing hearing notices.
This SAQ is more complicated than the others described above.
I was notified that I failed a network vulnerability scan. What now?
A Trustwave version of a failed scan report looks like this:
Network scans are only required if you let people use Judici E-Pay in person at the court, on a PC or network which you control. This actually applies to any payment website, unless it uses an card reader with "end-to-end encryption". If people type their card number into your computer, First Data wants to make sure your network is safe so that PC won't get a virus. So you will need to involve your I.T. staff and eventually pass the scans- otherwise you will be non-compliant and subject to fines for that.
If you don't use Judici at the court, you shouldn't be getting network scans. Since they won't talk to Judici about matters regarding your account, you will need to send an e-mail to firstname.lastname@example.org or call them at the number on their website, and tell them that you should not be scanned because you don't let people use Judici E-Pay in person at your place of business on a PC or network which you control.
What happens if I fail to certify that I am PCI compliant?
Judici's processor charges significant monthly fees for failing to certify compliance. The Court is responsible for this particular kind of fee.
Do I have to re-certify compliance each year?
Judici's processor does require this.