
UNDERSTANDING PCI COMPLIANCE

PCI COMPLIANCE IS NO LONGER OPTIONAL
YOUR PARTICIPATION IS MANDATORY

Just a Few Easy Steps and You’re Compliant:
• Our program gives you access to a simple online questionnaire that will help ensure that you are compliant;
• We send proof of your compliance to the Card Associations when you have successfully completed the questionnaire; and
• We provide FREE quarterly or annual network vulnerability scans should you be required by the Card Associations to conduct them.

The PCI Security Standards website, www.pcisecuritystandards.org, explains the certification process and lists approved QSAs.

Please refer to the instructions on the next page for help navigating through the required Self-Assessment Questionnaire (SAQ). We’ve also included a graphical navigation guide on pages 3 - 11 for additional help.

To protect the data security of your business and your customers, the credit card industry introduced uniform Payment Card Industry Data Security Standards (PCI DSS).

These standards require all merchants accepting credit and debit cards to provide annual proof that they are compliant with industry regulations.

Participation in a certified PCI DSS compliance program is required of every merchant, for every MID, regardless of your bank or processor. Non-compliance can result in costly fees and an increased risk of a security breach.

Fortunately, we make it easy for you to comply with all PCI mandates, so you can meet industry regulations, protect your cardholder data and protect your financial resources, all with one simple program.

- continued -

Page 1


Complete These Simple Steps to Certify Compliance:

1. Access the following URL, on or after April 1, 2015, through your web browser: https://www.mybackofficetools.com/

Please note: The mybackofficetools.com link will take you to VIMAS, an interactive tool that will help you navigate to the Self-Assessment Questionnaire. If you are a first-time VIMAS user, your temporary username is your full Merchant ID Number (MID) and your temporary password is Cynxxxx, where the x’s are the last four digits of your Social Security Number; for instance, if the last four digits of your SSN are “1234,” the password would be Cyn1234. Once logged in, you will be prompted to create a password of your choice.

2. After logging in, a link to the “Merchant PCI Compliance Program” can be found in the “Extras/Priorities” box in the upper right-hand corner of your screen.

3. Click the “Merchant PCI Compliance Program” hyperlink.

4. You will be taken to a main menu. Click the “View Registration Information” hyperlink. It is very important to ensure your email address is correct so that you can receive all PCI status and confirmation emails. If your information is not correct, please click the “Merchant Profile” menu at the top. Then click “Merchant Address”. Then, in the email box, type in your correct email address. Click Save.

5. Click the “Begin/Resume PCI Questionnaire” hyperlink.

6. You will be prompted to answer six simple “yes or no” questions about your processing environment.

7. When you have answered all six questions, a “Review Questionnaire” screen will load where you can either edit your answers or begin the Self-Assessment Questionnaire (SAQ) by clicking the “Begin Test” button.

8. If you choose to complete the SAQ at another time, or must stop for any reason and access the system later, you can access the SAQ by clicking the “Begin/Resume PCI Questionnaire” button on the PCI main menu.

9. Complete the SAQ. When you have finished, you will be asked to attest to the information you have entered, and you will be able to print your validation of compliance.

10. VERY IMPORTANT: Please print the validation you receive for your records and keep it in a safe place. This will serve as proof that you have successfully completed the SAQ.

NOTE: Completion of the SAQ is required prior to May 29, 2015, to avoid being assessed a monthly non-compliance fee until certification is proven. If you are already certified for 2015 from an approved ASV/QSA, you must submit your certification of compliance prior to April 29, 2015, to avoid being billed the annual PCI compliance fee.

You may submit your proof in one of the following ways:
>> By fax to 718.559.4822 (keep a copy of your successful fax transmission receipt)
>> By mail (return receipt requested) to:
   Processing Center Customer Service
   P.O. Box 246
   Alpharetta, GA 30009-0246

Certification must be completed every year for every one of your MIDs. For more information, please call the number listed in your letter.

Please print your validation for your records and keep it in a safe place. This validation serves as proof that you have successfully completed the required SAQ.

Page 2


STEPS TO COMPLETE SELF-ASSESSMENT QUESTIONNAIRE

STEP 1: Log Into VIMAS

First Time VIMAS Users:
• Access this link: https://www.mybackofficetools.com
• Log in using your full Merchant ID Number (MID) as the Username
• Your temporary password is Cyn followed by the last four digits of your Social Security Number; e.g., Cyn1234

Returning Users:
• Log in to VIMAS using your normal procedures
• If you need to reset your password the system will automatically prompt you. Simply key your new password in both fields and click “Renew”. Note: The “Reset” button is to clear fields if you make an error when keying your new password.

- continued -

Page 3


STEP 2: Launch the PCI Questionnaire

Click the Merchant PCI Compliance Program hyperlink (the third hyperlink under the “Extras/Priorities” box) to access the main menu of the Self-Assessment Questionnaire (SAQ).

STEP 3: View Your Registration Information

Click the View Registration Information hyperlink.

Page 4


STEP 4: Review Your Contact Information

Review the information on this screen to confirm that your contact information, including your email address, is accurate.

If your information is not correct, please click the “Merchant Profile” menu at the top. Then click “Merchant Address”. Then, in the email box, type in your correct email address. Then click Save.

Once you have reviewed your information, click Return to Main Menu.

Page 5


STEP 5: Begin/Resume PCI Questionnaire

Click the Begin/Resume PCI Questionnaire hyperlink.

Six Preliminary Questions Will Appear

You will be prompted to answer a series of six “yes” or “no” questions about your processing environment. Clicking “Yes” or “No” automatically navigates you to the next screen. Please note that you must answer all questions before you can begin the Self-Assessment Questionnaire (SAQ).

Page 6


STEP 6: Confirm Preliminary Information Questions

If you need to edit an answer, simply check the applicable box and click the Edit Answers button. If all answers are correct, click the Begin Test button.

Then, the Self-Assessment Questionnaire will load. You must answer all questions in order to complete the questionnaire and certify your validation of compliance. If you need to stop for any reason, your previous answers will be saved. You can then log back into VIMAS at a later time and click the Begin/Resume PCI Questionnaire link to finish.

Page 7


STEP 7: Complete Attestation

A screen will load with a “Confirm Attestations” link.

You must check each checkbox to attest that you have completed the Self-Assessment Questionnaire (SAQ). Then, fill in the required fields (Executive Name, Executive Title and E-mail), and click the Confirm Attestations button.

Please print and keep a copy of this page for your records.

Page 8


For SAQ C: This Screen Appears

Important: If you are chosen to complete SAQ C, you’ve indicated that you have a website or payment application that is attached to the Internet. Under PCI regulations, a scan of your website or application on a quarterly basis is required.

Please expect an email from donotreply@mybackofficetools.com. This email will contain login credentials to the Comodo website, where you must complete your required scan. You will also receive an email from Comodo ([email protected]), within 48 business hours with additional instructions.

If you do not receive either of the two emails above, please contact the customer support number listed in your merchant PCI letter.

Page 9


For SAQ D: This Screen Appears

Important: If you are chosen to complete SAQ D, please ensure you read the instructions carefully.

NOTE: Only hosting or service providers (such as shopping cart providers) should complete this SAQ and a required network scan.

Page 10


FOR SAQ D Important: Required Scan Information

Important: Although you completed the SAQ, you will be required to perform a scan.

Please expect an email from donotreply@mybackofficetools.com. This email will contain login credentials to the Comodo website, where you must complete your required scan. You will also receive an email from Comodo ([email protected]), within 48 business hours with additional instructions.

If you do not receive either of the two emails above, please contact the customer support number listed in your merchant PCI letter.

Page 11


THE TWELVE BASIC STEPS TO ACHIEVING PCI COMPLIANCE

Payment Card Industry Data Security Standard (PCI DSS) Requirements

Goals / PCI DSS Requirements

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

PCI DSS requirements are global data security standards that any business of any size must adhere to in order to accept payment cards, and to store, process and/or transmit cardholder data.

For more information, visit the PCI Security Standards Council website at https://www.pcisecuritystandards.org.

Page 12


MERCHANT PCI COMPLIANCE PROGRAM

Frequently Asked Questions

Q: What is the ‘PCI DSS’?
A: PCI DSS stands for “Payment Card Industry Data Security Standards” and represents a set of security requirements created by the Payment Card Industry, laying out what Merchants need to do to protect customer information. The PCI Council requires that Merchants meet this set of security requirements if their business accepts, transmits, or processes customer payment cards (such as credit cards or debit cards). Merchants that do not comply with these requirements are non-compliant, in violation of the card brand rules, and can be easily breached in a number of ways. The consequences for non-compliance are severe; the payment brands may, at their discretion, impose fines and penalties at a minimum of $5,000 for a single data breach. Plus, merchants risk having their card-processing privileges revoked, leaving them unable to accept customer payment cards. All of this collectively results in a loss of revenue. For more information about PCI DSS, please visit https://www.pcisecuritystandards.org/

Q: To whom does PCI apply?
A: PCI applies to ALL organizations or merchants, regardless of size, that accept, transmit, or store any payment card information.

Q: What do I have to do in order to satisfy the PCI requirements?
A: To satisfy the requirements of PCI, all merchants must complete these steps. NOTE: Please see definitions of Merchant Levels in the question below this one.

• Level 1 merchants must complete an annual Onsite assessment by a PCI SSC approved Qualified Security Assessor (QSA), plus an Attestation of Compliance from a Report on Compliance (ROC), plus a Quarterly Network Scan.

• Level 2, 3, and 4 merchants must complete an annual self-assessment questionnaire (“SAQ”) and a quarterly network scan by an Approved Scanning Vendor (“ASV”) (note that the scan only applies to merchants with externally facing IP addresses; e.g., e-Commerce merchants or merchants who utilize a payment gateway/shopping cart), and complete an Attestation of Compliance.

• Complete the appropriate version (currently A, B, C, CVT or D) of the SAQ in accordance with the PCI Security Council’s guidelines.

• All merchants who are already certified for 2015, or whose certificate of compliance is not due to expire, MUST submit proof of compliance by April 29, 2015, via one of the following methods:
  • By mail: Processing Center Customer Service, P.O. Box 246, Alpharetta, GA 30009-0246
  • By Fax: Attention: Customer Service, at 718.559.4822

• All merchants must be PCI DSS compliant and use PA-DSS (Payment Application Data Security Standards) compliant applications.

Page 13

- continued -


Q: How are the different Merchant Levels defined?
A: The following table defines the levels:

Level 1
  • Any Merchant that processes over 6 million Visa or MasterCard transactions per year (regardless of whether the transactions are e-Commerce or not), OR
  • Any Merchant that is declared to be Level 1 by any Card Association
  • Any Merchant that has suffered a security incident or attack that resulted in an account data compromise

Level 2
  • Any Merchant processing 1 million to 6 million Visa or MasterCard transactions per year.

Level 3
  • Any Merchant processing 20,000 to 1 million Visa or MasterCard e-Commerce transactions per year.

Level 4
  • Any merchant processing fewer than 20,000 Visa e-Commerce transactions per year, and all other merchants processing fewer than 1 million transactions per year.

Q: What is the Self-Assessment Questionnaire (SAQ)?
A: The PCI DSS SAQ is a validation tool for merchants to assist in self-evaluating compliance with the PCI DSS. All merchants are required to complete the annual SAQ, attest to the information they’ve entered and print and save their Attestation of Compliance. This means that you are meeting the PCI DSS requirements.

Q: What is a Qualified Security Assessor (QSA)?
A: Qualified Security Assessors are organizations that have been qualified to have their employees assess compliance to the PA-DSS standard. They have been certified to validate an entity’s adherence to the PA-DSS standard.

Q: What is an Approved Scanning Vendor?
A: Approved Scanning Vendors (ASVs) are organizations that validate adherence to certain DSS requirements by performing vulnerability scans of Internet-facing environments of merchants and service providers.

Q: Why do I need a scan?
A: The Card Associations require all merchants with externally-facing IP addresses (e-Commerce merchants or merchants who utilize a payment gateway/shopping cart) to undergo a quarterly network scan by an Approved Scanning Vendor (“ASV”), and complete an attestation of compliance. The scan checks your website and IP addresses to ensure there are no vulnerabilities subject to outside attacks.

Page 14


Q: How do I validate my compliance?
A: After you complete your SAQ, you will be asked to attest to the information you entered and print your validation of compliance. That is all you need to do, because our system will notify us that you have completed the SAQ.

If you have already been certified for 2015, you must submit your certification of compliance from an approved ASV/QSA by no later than April 29, 2015, to avoid the annual PCI billing fee for our program. If you are not certified for 2015, you must complete your SAQ prior to May 29, 2015, in order to avoid a monthly PCI non-compliance fee until you complete the SAQ.

You may submit your certification in one of the following ways:
Via fax: 718.559.4822 (keep a copy of your successful fax transmission receipt), or
Via mail: Processing Center Customer Service, P.O. Box 246, Alpharetta, GA 30009-0246

Q: What am I getting for the PCI program annual fee?
A: The annual fee covers the cost for us to manage the program as required by the Card Associations.

Through our program, you’ll be given access to our online SAQ, and we’ll submit proof of your compliance directly to the Card Associations. We also provide FREE quarterly or annual network vulnerability scans should you be required by the Card Associations to conduct them.

Page 15