The card associations require that all merchants validate PCI DSS compliance.
PCI DSS 3.0 is here. (What is PCI DSS?)
ControlScan is a prepaid service to help Vantage clients become PCI compliant.
Vantage has partnered with ControlScan, a PCI Council Approved Scanning Vendor (ASV) and leading provider of security solutions, to provide personalized support that simplifies the PCI compliance process and helps our clients better understand the security requirements. The ControlScan system wizard will help you complete the Self Assessment Questionnaire (SAQ), and a help desk is available where representatives can address any questions you may have about the PCI compliance process.
Avoid PCI Non-Compliant penalties. Follow these steps:
- Go to www.controlscan.com/vantagecard
- Enter your merchant ID as your username (note your merchant ID starts with 878821000xxxx)
- Enter this generic one-time password, vantage123 (you will change your password once logged in)
- Follow the wizard to complete your PCI validation and print your Compliance Certificate for display at your business.
READ this BEFORE YOU START
It is important to select the SAQ that best applies to your organization (SAQ A has the fewest questions, SAQ D has the most questions). If you are unsure, please contact us to discuss before you start the process.
- Phone Line - SAQ B
- Internet - SAQ B-IP
- Cellular wireless - SAQ B
- Manual Entry - SAQ C-VT
- Card Reader - SAQ C
- Encrypted Card Reader - SAQ C (requires scanning)
Point of Sale (POS) Systems
- POS System Processing - SAQ C (requires scanning)
Note: If your payment process uses a hosted checkout page, then select Shopping Cart as the processing method and then select Outsourced. This selection will direct you to complete SAQ A since you are not electronically capturing and transmitting card information.
- Entire Internet Presence Outsourced - SAQ A
- Payment Page Entirely Outsourced - SAQ A-EP
- Payment Page Partially Outsourced - SAQ A-EP (requires scanning)
- Direct Post - SAQ A-EP
- Not Outsourced - SAQ D (requires scanning)
- Phone / Paper processing - SAQ B
- Smartphone/Tablet connected via WiFi - SAQ B-IP (requires scanning)
- Smartphone/Tablet connected via cellular wireless - SAQ B
Point to Point Encryption
- Select this method if you process cardholder data ONLY with a hardware payment terminal that is part of a PCI SSC Approved Point to Point Encryption Solution. – SAQ C (requires scanning)
Important Note on SAQ D
If you are storing card information electronically on your internal systems, you are required to complete the most complex SAQ D (requires scanning) no matter what processing method was selected above. Therefore, if you are storing card data, you should contact us right away to discuss payment solutions that meet your needs while eliminating both the risk and the compliance headaches that storing card data creates.
Setting up your Scan
Once you have completed your PCI Self Assessment Questionnaire (SAQ) you may find that your business requires vulnerability scanning. The scan is non-intrusive and does not invade your network while running.
- Merchants that process using a mag stripe swipe device connected to an internet connection will need to complete SAQ C and achieve a compliant scan on a quarterly basis to be considered overall PCI Compliant.
Once you complete the SAQ C, look for the scanning icon to appear within your compliance overview box on the home page. Within the scanning icon, there will be a link to the scan setup page.
- You will need to provide your public-facing IP address to be scanned. Please note that if you are using a computer at the location where you accept card payments (on the same network), then you can see your public-facing IP address as listed in the top right corner of the "Schedule a Scan" setup page (pictured below). Your public-facing IP address can also be retrieved by visiting http://www.whatismyip.com/ on a computer that resides on the same network that you process card payments on.
- Once retrieved, enter the IP on the scan setup page, select the date and time you would like the scan to run and click submit. Note: Even though the scans are typically non-invasive, it is recommended that you schedule your scan to run during non-business hours. If a scan needs to be scheduled during business hours, it is recommended that you contact ControlScan and request that they schedule the scan at a slower speed.
- Enter an email address that you would like all scan notifications to be sent to (notifications that the scan started, scan completed, etc.).
If you need personal assistance, call ControlScan at 800-370-9180 or contact Vantage client services at 800-397-2380.
The $100K PCI Protection Program, included in the ControlScan services Vantage provides to merchants, is designed to cover expenses associated with contractual liability between the merchant and the payment card industry. Covered losses under this program are: forensic examination mandated by the card brand; fines / assessments levied by the card brand as a result of a breach; and software and hardware upgrades mandated by the card brand as a result of a breach in lieu of a fine. See the attached brochure for more information.
Vantage Merchants may pull proof of insurance from the carrier using the below link:
PCI Compliance Notes
Merchants may choose to complete an SAQ on their own and can work with any PCI vendor they choose should a system scan be required. Vantage provides the ControlScan service to help our clients meet PCI compliance at a reasonable price. Merchants can opt out of using the ControlScan service by providing a copy of their PCI Validation certificate from an alternative vendor.
Every merchant is different; some are a greater risk than others. For example, only those merchants conducting payment processing over the internet (versus dial-up connections) require a system scan. As a market leader in PCI compliance, ControlScan will help your business achieve and maintain PCI compliance with the SAQ and vulnerability system scanning (Scan), both designed to uncover security gaps and provide best practices to prevent data compromise. Additional tools include a Security Policy Builder and an Internal Security Awareness training program.
Please remember, there is a difference between security and compliance. While PCI compliance is a mandated point-in-time measurement of your security readiness, the underlying security requirements must be adhered to on a daily basis. In the event of a data compromise, merchants face significant fees and fines. The PCI DSS Validation does not affect your responsibilities associated with your merchant account in the event of a data compromise.