Questions
1. What is PCI compliance?
2. Are the merchants required to certify for PCI compliance?
3. How can a merchant become PCI compliant?
4. If a merchant has multiple locations, is each location required to certify PCI compliance, and will there be an additional cost for each location?
5. What is Attestation of Compliance (AOC)?
6. What is an Approved Scanning Vendor (ASV)?
7. What is a Report on Compliance (ROC)?
8. What is a Self-Assessment Questionnaire (SAQ)?
9. What is Aperia?
10. What should a merchant expect after enrolling in Aperia?
11. How does a merchant know which SAQ type applies?
12. Does outsourcing payment processing remove the merchant's PCI obligation?
13. How long is the PCI compliance certification valid?
14. What should e-commerce merchants know about PCI DSS v4.0 and requirements 6.4.3 and 11.6.1?
15. What happens if the merchant does not comply with PCI DSS requirements?
16. Can a merchant use their partner PCI certificate or another processor's certificate instead of completing its own PCI validation?
17. Can merchants ask for poof of CSG Forte's own PCI compliance?
1. What is PCI compliance? |
|
|
PCI compliance refers to compliance with the Payment Card Industry Data Security Standard (PCI DSS), the global security standard established to protect cardholder data that is mandatory for organizations that store, process, or transmit payment card information. PCI compliance includes a range of security requirements and best practices that help organizations manage how payment card data is collected, handled, transmitted, and safeguarded.
2. Are the merchants required to certify for PCI compliance? |
Yes, merchants that store, process, or transmit cardholder data are required to validate PCI compliance. PCI DSS applies to merchants that accept payment cards, and compliance must be demonstrated accordingly based on the merchant’s business model and cardholder-data environment.
3. How can a merchant become PCI compliant? |
|
|
A merchant can validate PCI compliance through one of three recognized paths:
1. Complete a Self-Assessment Questionnaire (SAQ) using the forms and guidance available from the PCI Security Standards Council library (not applicable for level 1 merchants)
2. Use an approved third-party Qualified Security Assessor (QSA) and submit the applicable proof to CSG Forte, such as the Attestation of Compliance (AOC) or any other required scan documentation. Note: This path is often more appropriate for merchants with more complex environments or higher transaction volume. Third-party vendors may charge separate fees for their services, and those fees are independent from any CSG Forte program fees.
Merchants enrolled through one of the options mentioned above should submit the applicable documentation to CSG Forte through one of the approved intake channels:
- Email: pci@forte.net or customerservice@forte.net
- Support portal: Select Compliance/PCI as the issue/request type. Note: Recommended only when attachments do not exceed 20MB.
3. Enroll in CSG Forte’s PCI compliance program via Aperia, an authorized QSA and Approved Scanning Vendor (ASV). This option includes portal-based support for completing the compliance process, and PCI-related documentation is hosted in the Aperia portal after enrollment. The program costs US$7.99 for basic compliance for non-e-commerce merchants or US$14.99 for basic compliance plus script monitoring services for e-commerce merchants. To enroll in this program, merchants must fill out the Aperia PCI Enrollment form.
4. If a merchant has multiple locations, is each location required to certify PCI compliance, and will there be an additional cost for each location? |
|
|
If multiple merchants’ locations process under the same tax ID, the business generally only needs to complete PCI certification once for all linked locations. If the locations operate under different tax IDs, PCI validation is generally required once per Tax ID.
Regarding cost, there is generally not a separate PCI cost for each location when the locations process under the same tax ID and are linked correctly during enrollment. To avoid unnecessary certifications and to help ensure the correct pricing structure is applied, the merchant should confirm during enrollment with CSG Forte and, when applicable, the selected compliance provider that all eligible locations are linked together under the same tax ID.
5. What is Attestation of Compliance (AOC)? |
|
|
It is the official PCI SSC form used by merchants and service providers to attest to the results of a PCI DSS assessment, whether those results were documented through a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (ROC).
6. What is an Approved Scanning Vendor (ASV)? |
|
|
This is a company approved by the PCI Security Standards Council to conduct external vulnerability scanning services. Merchants may work with an ASV when their PCI validation path requires external scans as part of ongoing compliance activities. List of Approved Scanning Vendors can be consulted here.
7. What is a Report on Compliance (ROC)? |
|
|
It is the reporting tool used to document the detailed results of an entity’s PCI DSS assessment. In practice, merchants usually encounter a ROC when their validation path requires a more formal or comprehensive assessment.
8. What is a Self-Assessment Questionnaire (SAQ)? |
|
|
It is the PCI questionnaire a merchant completes to attest that it meets the PCI DSS requirements applicable to its payment environment. Different SAQ types apply depending on how the merchant accepts and handles cardholder data.
9. What is Aperia? |
|
|
Aperia is CSG Forte’s PCI compliance program partner and portal used to support merchant PCI validation. It provides guided PCI workflows, portal-based questionnaire completion, compliance notifications, reporting, and related support, and it is used by CSG Forte as a recognized QSA/ASV path for enrolled merchants.
10. What should a merchant expect after enrolling in Aperia? |
|
|
After the Aperia Enrollment Form is completed and processed, the merchant should expect to receive a welcome email with portal access instructions. If the message is not received, the merchant should first check spam or junk folders. If the welcome email still cannot be located, or if login assistance is needed, the merchant should contact the Aperia Merchant Helpdesk at 844-865-7493.
Once logged in and based on the merchant’s business model and cardholder data environment, the merchant is guided through the applicable SAQ and required validation steps in the Aperia portal. To complete the process, the merchant must review and complete the requested information carefully and electronically sign the corresponding documents so the compliance records can be generated in the portal.
Note: A merchant is not considered compliant simply because the enrollment form was submitted. Compliance is achieved only after the applicable PCI documentation is finalized in the Aperia portal.
11. How does a merchant know which SAQ type applies? |
|
|
The applicable SAQ is selected based on how the business accepts payments, whether cardholder data is stored, processed, or transmitted on merchant systems, and whether third-party providers handle part or all the payment flow. To help determine the appropriate option, the merchant should review the PCI Security Standards Council Document Library and SAQ guidance resources, which provide the official questionnaires and related instructions.
For reference, the available SAQ types include:
- SAQ A: For card-not-present merchants, such as e-commerce or mail/telephone-order businesses, that fully outsource all cardholder data functions to PCI DSS-compliant third-party service providers and do not electronically store, process, or transmit cardholder data on their own systems.
- SAQ A-EP: For e-commerce merchants that outsource payment processing to PCI DSS-validated third parties, but whose websites can still affect the security of the payment transaction.
- SAQ B: For merchants using only imprint machines or standalone dial-out terminals, with no electronic cardholder data storage.
- SAQ B-IP: For merchants using only standalone, Pin Transaction Security (PTS) approved payment terminals connected by IP, with no electronic cardholder data storage.
- SAQ C-VT: For merchants that manually enter one transaction at a time into an internet-based virtual terminal provided and hosted by a PCI DSS-validated third party, with no electronic cardholder data storage.
- SAQ C: For merchants with payment application systems connected to the internet that do not electronically store cardholder data.
- SAQ P2PE: For merchants using only hardware payment terminals included in and managed through a validated PCI SSC-listed point-to-point encryption solution, with no electronic cardholder data storage.
- SAQ D: For merchants that do not fit into the lower-scope SAQ categories above, or whose environment is more complex and therefore requires the most comprehensive assessment.
CSG Forte’s PCI compliance program through Aperia helps simplify the process by automatically guiding merchants through a series of questions to determine and assign the most appropriate SAQ for their business.
12. Does outsourcing payment processing remove the merchant's PCI obligation? |
|
|
No, outsourcing payment processing may reduce PCI scope, but it does not remove the merchant’s responsibility to validate its own compliance. If the merchant’s environment qualifies, outsourcing may support eligibility for a lower-scope SAQ such as SAQ A, but it is not a substitute for the merchant’s own validation.
13. How long is the PCI compliance certification valid? |
|
|
PCI certification validity depends on the merchant’s validation requirements and the way cardholder data is stored, processed, or transmitted.
- If the merchant is only required to complete the annual questionnaire, PCI certification is generally valid for one year from the certification date.
- If the merchant is required to complete quarterly vulnerability scans, compliance must be maintained every three months as each new scan becomes due.
- If the merchant changes how cardholder data is stored, processed, or transmitted, the merchant may need to recertify the affected controls because the change can alter PCI scope and increase risk.
Note: To help avoid PCI non-compliance fees, merchants should submit renewal or recertification documentation on time. In general, merchants can prevent the monthly non-compliance charge by validating PCI DSS compliance on or before the 20th business day of the month in which certification or renewal is due.
14. What should e-commerce merchants know about PCI DSS v4.0 and requirements 6.4.3 and 11.6.1? |
|
|
PCI DSS v4.0 is the current version of the PCI Data Security Standard. It includes updates intended to address evolving security risks, especially web-based attacks that target ecommerce payment pages. Effective March 31, 2025, certain e-commerce merchants must address PCI DSS requirements 6.4.3 and 11.6.1 related to payment-page script monitoring and change detection. Depending on the merchant’s setup, this may require weekly monitoring, proof of script integrity controls, and support from an ASV or another PCI vendor.
E-commerce merchants with SAQ A questionnaire | E-commerce merchants with SAQ AE & D questionnaire |
Vulnerability scans: Merchants are required to complete network scans to identify and address security vulnerabilities by installing applicable security patches and updates. | Script Management: Merchants with hosted payment pages will be required to monitor all payment page scripts that are loaded and executed in the consumer’s browser by confirming script authorization, assure script integrity, and maintain a script inventory (Req 6.4.3) |
Script Management and Script Detection: Merchants who previously qualified for SAQ A may need to reassess their eligibility by moving to SAQ AE if they are unable to confirm and provide proof their entire webpage isn't susceptible to attacks (Req 6.4..3 and 11.6.1) | Script Detection: Merchants with hosted payment pages must implement a detection mechanism (at least weekly) to alert for unauthorized modifications or changes on payment pages as received by the consumer browser (Req 11.6.1) |
15. What happens if the merchant does not comply with PCI DSS requirements? |
|
|
If a merchant does not validate PCI compliance, CSG Forte will apply a monthly non-compliance fee of US$29.99 and may continue for each month if the account remains unvalidated or is otherwise deemed non-compliant. Beyond the monthly fee, non-compliance can expose the merchant to significant financial and operational risk. In the event of a compromise, card brands may impose fines of up to US$500,000 per payment brand, and those fines do not include the additional costs associated with fraudulent transactions, breach response, remediation, or related business disruption.
16. Can a merchant use their partner PCI certificate or another processor's certificate instead of completing its own PCI validation? |
|
|
No, each merchant must validate its own PCI compliance. PCI guidance specifically notes that a partner’s or platform provider’s PCI certificate cannot be accepted in place of the merchant’s own assessment, even when payment processing is outsourced.
17. Can merchants ask for poof of CSG Forte's own PCI compliance? |
|
|
Yes, merchants or authorized requesters may request proof of CSG Forte’s PCI compliance including SOC 1 and 2 reports, through the CSG Trust Center. These documents are considered confidential and provided only for authorized use. Note: Requesters may need register first on MyCSG Support to access the CSG Trust Center.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article