Here are the top 5 questions we get from franchisers and franchisees about PCI compliance.
Navigating the intricacies of PCI compliance can be a daunting task, especially when your business evolves or adopts new technologies. It's essential to stay informed about how these changes impact your PCI compliance responsibilities to avoid potential pitfalls and security risks. In this blog, we address common questions franchisers ask surrounding PCI compliance.
Q. If I use an expired P2PE solution, do I still get to do the SAQ P2PE?
A. No. An expired P2PE solution does not qualify for the SAQ P2PE; however, you would qualify for the SAQ B-IP set of requirements.
Q. If I add a tablet for servers to use to take orders, how does that change my PCI compliance responsibility?
A. It depends. If you have a P2PE-validated solution that includes the tablet, then your responsibility doesn't change. However, if you have a P2PE card data flow and adding that tablet now gives you a separate SAQ B-IP/SAQ C-VT card data flow, then you have additional requirements to fulfill.
Q. If I use a bank-provided payment solution that gives me scope reduction but is not PCI-validated, do I have to do the requirements in the PCI SAQ that fits my card data flows, or do I do the PCI requirements that my bank says I have to do?
A. You do the requirements that your bank says you have to do, with the understanding that you're using a non-validated solution.
Q. Does being PCI compliant mean that my franchise is secure?
A. No. You need to assess all the risks and determine what security controls are appropriate. Some franchises may get hacked, and while the cardholder data remains secure, the point-of-sale machines may be so compromised that you are unable to take orders.
Q. If I add an order pickup service and ordering solution to my store, how does that affect my PCI compliance responsibility?
A. This depends on two things: 1) whose merchant ID is on the transaction, and 2) whether the customer is making the order themselves on their own device. If the merchant ID belongs to another entity that periodically cuts you a check for the orders placed through their system, then the compliance burden is theirs, and adding their solution does not increase your compliance burden. If the service uses your merchant ID, then you need to look at how the customer enters the cardholder data: whether it is entered on the customer's personal device, such as a cell phone app, or through a website that anyone can access. If it's entered on a personal device such as a cell phone app, then according to PCI SSC FAQ Article 1283, "The consumer's environment in which the application runs is outside the scope of PCI DSS...". If the cardholder data is entered on a website that is publicly accessible, then that is an e-commerce card data flow that will require you to do either the SAQ A, SAQ A-EP or SAQ D Merchant PCI requirements for that card data flow.
Staying PCI compliant is an ongoing journey, and adapting to the evolving landscape of your business is crucial. As we've explored in this blog, even seemingly minor changes, like adding new technologies or services, can have significant implications for your compliance requirements. Remember, compliance is just one piece of the puzzle; assessing risks and implementing appropriate security controls are equally vital to safeguard your operations effectively.