Do you need to hire a professional in order to be pci compliant?












1















i run an organic food store, and after a conference call with my credit card service (card connect), do i really have to hire a PCI certified professional once a year in order to be pci compliant? If this is the case, how much does it cost?



Or am I just misreading things, i don't think any "cyber criminal" is going to target my business. NCR Silver handles all my credit card transactions.










share|improve this question























  • ncrsilver.com/what-is-pci-compliance

    – they
    4 hours ago











  • "i don't think any "cyber criminal" is going to target my business." Wow.

    – Joseph Sible
    4 hours ago






  • 1





    To make a more useful comment than Joseph Sible: in the modern world, any business with an online presence of any sort will be targetted by cyber criminals. Many businesses without online presences are still targetted by cyber criminals, despite the reduced attack surface. If you're careful, there can be a big difference between being targetted and being compromised, which is part of what PCI compliance is about - but that's only about protecting credit card info, not your business.

    – Ed Grimm
    3 hours ago













  • @they: so, what your trying to say is that ncrsilver is already pci compliant, and i don't need to hire anyone? This all just seems like a classic case of taxation and racketeering to me.

    – thinksinbinary
    3 hours ago











  • @thinksinbinary: All merchants that takes card payments have to be PCI compliant. Using PCI compliant payment processor doesn't make you PCI Compliant, but they can reduce the scope of your PCI compliance. You still need to do a PCI-SAQ, which is pretty simple to do if you use a processor. Note that PCI compliance isn't law, but if you aren't PCI compliance and you are suspected to cause a data breach, your bank will impose very heavy fines and no banks will allow you to process cards if you're black listed. Completing your PCI compliance reduces your liability if you are involved in a breach.

    – Lie Ryan
    3 hours ago
















1















i run an organic food store, and after a conference call with my credit card service (card connect), do i really have to hire a PCI certified professional once a year in order to be pci compliant? If this is the case, how much does it cost?



Or am I just misreading things, i don't think any "cyber criminal" is going to target my business. NCR Silver handles all my credit card transactions.










share|improve this question























  • ncrsilver.com/what-is-pci-compliance

    – they
    4 hours ago











  • "i don't think any "cyber criminal" is going to target my business." Wow.

    – Joseph Sible
    4 hours ago






  • 1





    To make a more useful comment than Joseph Sible: in the modern world, any business with an online presence of any sort will be targetted by cyber criminals. Many businesses without online presences are still targetted by cyber criminals, despite the reduced attack surface. If you're careful, there can be a big difference between being targetted and being compromised, which is part of what PCI compliance is about - but that's only about protecting credit card info, not your business.

    – Ed Grimm
    3 hours ago













  • @they: so, what your trying to say is that ncrsilver is already pci compliant, and i don't need to hire anyone? This all just seems like a classic case of taxation and racketeering to me.

    – thinksinbinary
    3 hours ago











  • @thinksinbinary: All merchants that takes card payments have to be PCI compliant. Using PCI compliant payment processor doesn't make you PCI Compliant, but they can reduce the scope of your PCI compliance. You still need to do a PCI-SAQ, which is pretty simple to do if you use a processor. Note that PCI compliance isn't law, but if you aren't PCI compliance and you are suspected to cause a data breach, your bank will impose very heavy fines and no banks will allow you to process cards if you're black listed. Completing your PCI compliance reduces your liability if you are involved in a breach.

    – Lie Ryan
    3 hours ago














1












1








1








i run an organic food store, and after a conference call with my credit card service (card connect), do i really have to hire a PCI certified professional once a year in order to be pci compliant? If this is the case, how much does it cost?



Or am I just misreading things, i don't think any "cyber criminal" is going to target my business. NCR Silver handles all my credit card transactions.










share|improve this question














i run an organic food store, and after a conference call with my credit card service (card connect), do i really have to hire a PCI certified professional once a year in order to be pci compliant? If this is the case, how much does it cost?



Or am I just misreading things, i don't think any "cyber criminal" is going to target my business. NCR Silver handles all my credit card transactions.







scam financial






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked 5 hours ago









thinksinbinarythinksinbinary

1104




1104













  • ncrsilver.com/what-is-pci-compliance

    – they
    4 hours ago











  • "i don't think any "cyber criminal" is going to target my business." Wow.

    – Joseph Sible
    4 hours ago






  • 1





    To make a more useful comment than Joseph Sible: in the modern world, any business with an online presence of any sort will be targetted by cyber criminals. Many businesses without online presences are still targetted by cyber criminals, despite the reduced attack surface. If you're careful, there can be a big difference between being targetted and being compromised, which is part of what PCI compliance is about - but that's only about protecting credit card info, not your business.

    – Ed Grimm
    3 hours ago













  • @they: so, what your trying to say is that ncrsilver is already pci compliant, and i don't need to hire anyone? This all just seems like a classic case of taxation and racketeering to me.

    – thinksinbinary
    3 hours ago











  • @thinksinbinary: All merchants that takes card payments have to be PCI compliant. Using PCI compliant payment processor doesn't make you PCI Compliant, but they can reduce the scope of your PCI compliance. You still need to do a PCI-SAQ, which is pretty simple to do if you use a processor. Note that PCI compliance isn't law, but if you aren't PCI compliance and you are suspected to cause a data breach, your bank will impose very heavy fines and no banks will allow you to process cards if you're black listed. Completing your PCI compliance reduces your liability if you are involved in a breach.

    – Lie Ryan
    3 hours ago



















  • ncrsilver.com/what-is-pci-compliance

    – they
    4 hours ago











  • "i don't think any "cyber criminal" is going to target my business." Wow.

    – Joseph Sible
    4 hours ago






  • 1





    To make a more useful comment than Joseph Sible: in the modern world, any business with an online presence of any sort will be targetted by cyber criminals. Many businesses without online presences are still targetted by cyber criminals, despite the reduced attack surface. If you're careful, there can be a big difference between being targetted and being compromised, which is part of what PCI compliance is about - but that's only about protecting credit card info, not your business.

    – Ed Grimm
    3 hours ago













  • @they: so, what your trying to say is that ncrsilver is already pci compliant, and i don't need to hire anyone? This all just seems like a classic case of taxation and racketeering to me.

    – thinksinbinary
    3 hours ago











  • @thinksinbinary: All merchants that takes card payments have to be PCI compliant. Using PCI compliant payment processor doesn't make you PCI Compliant, but they can reduce the scope of your PCI compliance. You still need to do a PCI-SAQ, which is pretty simple to do if you use a processor. Note that PCI compliance isn't law, but if you aren't PCI compliance and you are suspected to cause a data breach, your bank will impose very heavy fines and no banks will allow you to process cards if you're black listed. Completing your PCI compliance reduces your liability if you are involved in a breach.

    – Lie Ryan
    3 hours ago

















ncrsilver.com/what-is-pci-compliance

– they
4 hours ago





ncrsilver.com/what-is-pci-compliance

– they
4 hours ago













"i don't think any "cyber criminal" is going to target my business." Wow.

– Joseph Sible
4 hours ago





"i don't think any "cyber criminal" is going to target my business." Wow.

– Joseph Sible
4 hours ago




1




1





To make a more useful comment than Joseph Sible: in the modern world, any business with an online presence of any sort will be targetted by cyber criminals. Many businesses without online presences are still targetted by cyber criminals, despite the reduced attack surface. If you're careful, there can be a big difference between being targetted and being compromised, which is part of what PCI compliance is about - but that's only about protecting credit card info, not your business.

– Ed Grimm
3 hours ago







To make a more useful comment than Joseph Sible: in the modern world, any business with an online presence of any sort will be targetted by cyber criminals. Many businesses without online presences are still targetted by cyber criminals, despite the reduced attack surface. If you're careful, there can be a big difference between being targetted and being compromised, which is part of what PCI compliance is about - but that's only about protecting credit card info, not your business.

– Ed Grimm
3 hours ago















@they: so, what your trying to say is that ncrsilver is already pci compliant, and i don't need to hire anyone? This all just seems like a classic case of taxation and racketeering to me.

– thinksinbinary
3 hours ago





@they: so, what your trying to say is that ncrsilver is already pci compliant, and i don't need to hire anyone? This all just seems like a classic case of taxation and racketeering to me.

– thinksinbinary
3 hours ago













@thinksinbinary: All merchants that takes card payments have to be PCI compliant. Using PCI compliant payment processor doesn't make you PCI Compliant, but they can reduce the scope of your PCI compliance. You still need to do a PCI-SAQ, which is pretty simple to do if you use a processor. Note that PCI compliance isn't law, but if you aren't PCI compliance and you are suspected to cause a data breach, your bank will impose very heavy fines and no banks will allow you to process cards if you're black listed. Completing your PCI compliance reduces your liability if you are involved in a breach.

– Lie Ryan
3 hours ago





@thinksinbinary: All merchants that takes card payments have to be PCI compliant. Using PCI compliant payment processor doesn't make you PCI Compliant, but they can reduce the scope of your PCI compliance. You still need to do a PCI-SAQ, which is pretty simple to do if you use a processor. Note that PCI compliance isn't law, but if you aren't PCI compliance and you are suspected to cause a data breach, your bank will impose very heavy fines and no banks will allow you to process cards if you're black listed. Completing your PCI compliance reduces your liability if you are involved in a breach.

– Lie Ryan
3 hours ago










2 Answers
2






active

oldest

votes


















4














If you handle credit card numbers, then yes, you have to be certified by a qualified auditor and this certification requires you hiring a PCI auditor.



However, you don't have to handle credit card numbers to be able to receive credit card payments. Instead, most smaller merchants use a PCI compliant payment processor like Stripe or PayPal to process card transactions. This reduces the scope of your PCI compliance signficantly, and you can be PCI compliant by just doing the PCI SAQ (Self Assessment Questionnaire), which you can do yourself without hiring a PCI auditor. Depending on your business type and how you handle card payments, there are different SAQs. The SAQ questionnaires will tell you if you need to actually use an auditor, which is based on the volume of your expected transactions and the mechanism you integrate with your payment processor.



Primarily, you want to outsource as much as possible of your payment processing to the payment processor to reduce your scope and avoid handling card numbers.






share|improve this answer

































    0














    Do you need to be cautious about security?
    If you are using POS(Point of Sale system) a simple reason could be;
    This Machine is simply request the money transfer. The credit card data being transferred to complete the transaction are sensitive and the whole process needs to be PCI (payment )compliance. You might not have online business but it only means less concern. Anyone can be target of cyber criminals in small or large scale and just a matter of time.
    Start with PCI SAQ (Self Assessment Questionnaire) and this should give an idea if you still need a professional to run through that.



    How much does it cost?
    Depends on variable that will affect the overall cost, the size and type of business. The larger the organization, the more potential compliance gaps therefore more costly.






    share|improve this answer























      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "162"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: false,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: null,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      noCode: true, onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f203670%2fdo-you-need-to-hire-a-professional-in-order-to-be-pci-compliant%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      2 Answers
      2






      active

      oldest

      votes








      2 Answers
      2






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      4














      If you handle credit card numbers, then yes, you have to be certified by a qualified auditor and this certification requires you hiring a PCI auditor.



      However, you don't have to handle credit card numbers to be able to receive credit card payments. Instead, most smaller merchants use a PCI compliant payment processor like Stripe or PayPal to process card transactions. This reduces the scope of your PCI compliance signficantly, and you can be PCI compliant by just doing the PCI SAQ (Self Assessment Questionnaire), which you can do yourself without hiring a PCI auditor. Depending on your business type and how you handle card payments, there are different SAQs. The SAQ questionnaires will tell you if you need to actually use an auditor, which is based on the volume of your expected transactions and the mechanism you integrate with your payment processor.



      Primarily, you want to outsource as much as possible of your payment processing to the payment processor to reduce your scope and avoid handling card numbers.






      share|improve this answer






























        4














        If you handle credit card numbers, then yes, you have to be certified by a qualified auditor and this certification requires you hiring a PCI auditor.



        However, you don't have to handle credit card numbers to be able to receive credit card payments. Instead, most smaller merchants use a PCI compliant payment processor like Stripe or PayPal to process card transactions. This reduces the scope of your PCI compliance signficantly, and you can be PCI compliant by just doing the PCI SAQ (Self Assessment Questionnaire), which you can do yourself without hiring a PCI auditor. Depending on your business type and how you handle card payments, there are different SAQs. The SAQ questionnaires will tell you if you need to actually use an auditor, which is based on the volume of your expected transactions and the mechanism you integrate with your payment processor.



        Primarily, you want to outsource as much as possible of your payment processing to the payment processor to reduce your scope and avoid handling card numbers.






        share|improve this answer




























          4












          4








          4







          If you handle credit card numbers, then yes, you have to be certified by a qualified auditor and this certification requires you hiring a PCI auditor.



          However, you don't have to handle credit card numbers to be able to receive credit card payments. Instead, most smaller merchants use a PCI compliant payment processor like Stripe or PayPal to process card transactions. This reduces the scope of your PCI compliance signficantly, and you can be PCI compliant by just doing the PCI SAQ (Self Assessment Questionnaire), which you can do yourself without hiring a PCI auditor. Depending on your business type and how you handle card payments, there are different SAQs. The SAQ questionnaires will tell you if you need to actually use an auditor, which is based on the volume of your expected transactions and the mechanism you integrate with your payment processor.



          Primarily, you want to outsource as much as possible of your payment processing to the payment processor to reduce your scope and avoid handling card numbers.






          share|improve this answer















          If you handle credit card numbers, then yes, you have to be certified by a qualified auditor and this certification requires you hiring a PCI auditor.



          However, you don't have to handle credit card numbers to be able to receive credit card payments. Instead, most smaller merchants use a PCI compliant payment processor like Stripe or PayPal to process card transactions. This reduces the scope of your PCI compliance signficantly, and you can be PCI compliant by just doing the PCI SAQ (Self Assessment Questionnaire), which you can do yourself without hiring a PCI auditor. Depending on your business type and how you handle card payments, there are different SAQs. The SAQ questionnaires will tell you if you need to actually use an auditor, which is based on the volume of your expected transactions and the mechanism you integrate with your payment processor.



          Primarily, you want to outsource as much as possible of your payment processing to the payment processor to reduce your scope and avoid handling card numbers.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited 3 hours ago

























          answered 4 hours ago









          Lie RyanLie Ryan

          23.1k34976




          23.1k34976

























              0














              Do you need to be cautious about security?
              If you are using POS(Point of Sale system) a simple reason could be;
              This Machine is simply request the money transfer. The credit card data being transferred to complete the transaction are sensitive and the whole process needs to be PCI (payment )compliance. You might not have online business but it only means less concern. Anyone can be target of cyber criminals in small or large scale and just a matter of time.
              Start with PCI SAQ (Self Assessment Questionnaire) and this should give an idea if you still need a professional to run through that.



              How much does it cost?
              Depends on variable that will affect the overall cost, the size and type of business. The larger the organization, the more potential compliance gaps therefore more costly.






              share|improve this answer




























                0














                Do you need to be cautious about security?
                If you are using POS(Point of Sale system) a simple reason could be;
                This Machine is simply request the money transfer. The credit card data being transferred to complete the transaction are sensitive and the whole process needs to be PCI (payment )compliance. You might not have online business but it only means less concern. Anyone can be target of cyber criminals in small or large scale and just a matter of time.
                Start with PCI SAQ (Self Assessment Questionnaire) and this should give an idea if you still need a professional to run through that.



                How much does it cost?
                Depends on variable that will affect the overall cost, the size and type of business. The larger the organization, the more potential compliance gaps therefore more costly.






                share|improve this answer


























                  0












                  0








                  0







                  Do you need to be cautious about security?
                  If you are using POS(Point of Sale system) a simple reason could be;
                  This Machine is simply request the money transfer. The credit card data being transferred to complete the transaction are sensitive and the whole process needs to be PCI (payment )compliance. You might not have online business but it only means less concern. Anyone can be target of cyber criminals in small or large scale and just a matter of time.
                  Start with PCI SAQ (Self Assessment Questionnaire) and this should give an idea if you still need a professional to run through that.



                  How much does it cost?
                  Depends on variable that will affect the overall cost, the size and type of business. The larger the organization, the more potential compliance gaps therefore more costly.






                  share|improve this answer













                  Do you need to be cautious about security?
                  If you are using POS(Point of Sale system) a simple reason could be;
                  This Machine is simply request the money transfer. The credit card data being transferred to complete the transaction are sensitive and the whole process needs to be PCI (payment )compliance. You might not have online business but it only means less concern. Anyone can be target of cyber criminals in small or large scale and just a matter of time.
                  Start with PCI SAQ (Self Assessment Questionnaire) and this should give an idea if you still need a professional to run through that.



                  How much does it cost?
                  Depends on variable that will affect the overall cost, the size and type of business. The larger the organization, the more potential compliance gaps therefore more costly.







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered 1 hour ago









                  VcodeVcode

                  453128




                  453128






























                      draft saved

                      draft discarded




















































                      Thanks for contributing an answer to Information Security Stack Exchange!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f203670%2fdo-you-need-to-hire-a-professional-in-order-to-be-pci-compliant%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      Popular posts from this blog

                      Knooppunt Holsloot

                      Altaar (religie)

                      Gregoriusmis