PCI DSS Compliance Frequently Asked Questions

Becoming compliant with the PCI (Payment Card Industry) Data Security Standard (DSS) is mandatory for any organization that transmits, stores, or processes credit card information.

The goal of PCI compliance is to strengthen your organization’s internal security controls and safeguard sensitive cardholder data against evolving threats.

At Bluefin, we are committed to partnering with your organization to help you achieve and maintain PCI compliance through our PCI Compliance Assistance Program, powered by VikingCloud’s SecureTrust. However, it is ultimately the merchant’s responsibility to take the required steps to become and remain compliant at all times.

Below are answers to frequently asked questions to guide you through this critical process.

Credit Card Payment Security

What is the PCI Standard?

The Payment Card Industry Data Security Standard (PCI DSS) was established in 2006 by major payment brands (Visa, Mastercard, American Express, Discover, and JCB) to create a comprehensive global framework for securing cardholder data.

Organizations that achieve PCI compliance certification meet these standards and must maintain their compliance status to continue processing card payments securely.

You can learn more at https://www.pcisecuritystandards.org/.

Who needs to be PCI compliant?

All merchants and service providers that store, process, or transmit cardholder information must be PCI compliant, regardless of the number of transactions processed annually – whether 2 transactions a year or 2 million.

PCI compliance is essential to:

  • Safeguard cardholder data
  • Protect your organization from liability
  • Maintain the trust of your customers

Failure to comply may result in substantial fines, penalties, and irreparable brand damage.

Who is responsible for making sure I am compliant?

Both the Acquirer (Bluefin) and the Merchant share responsibility for PCI compliance.

While Bluefin provides access to resources, merchants must take active steps to complete certification and maintain compliance over time.

Through our partnership with SecureTrust, merchants receive:

  • Access to the SecureTrust portal
  • Guidance from Qualified Security Assessors (QSA) and Approved Scanning Vendors (ASV)
  • Support for:
    • Conducting an account analysis
    • Completing the PCI DSS Self-Assessment Questionnaire (SAQ)
    • Addressing any necessary remediation
    • Certifying compliance
    • Performing required quarterly vulnerability scans (if applicable)

Contact SecureTrust at 800-363-1621 (Option 1) with your Bluefin Merchant ID to get started.

How long does the compliance process take?

The timeline varies depending on business size and system complexity:

  • Small merchants may complete the process in 15–30 minutes if no vulnerabilities are found.
  • Larger or more complex environments may take longer, especially if remediation is needed.
  • The SecureTrust Portal allows you to complete the process in stages, with progress saved automatically.

Merchants must complete at least the registration step and inventory their compliance tasks as soon as possible.

What kind of PCI compliance do I need to achieve?

Compliance requirements depend on annual transaction volume and processing methods:

  • Level 1: Over 6 million transactions annually
  • Level 2: 1 to 6 million transactions annually
  • Level 3: 20,000 to 1 million transactions annually
  • Level 4: Fewer than 20,000 transactions annually

Typical requirements include:

  • Annual Self-Assessment Questionnaire (SAQ) – All merchants are required to complete this
  • Annual Attestation of Compliance – All merchants are required to complete this
  • Quarterly network vulnerability scans – Only required for merchants with internet-facing systems, i.e. those who engage in e-commerce or accept payments online

Is PCI compliance a one-time requirement?

No – PCI compliance is an ongoing obligation.

Merchants must:

  • Complete and submit an updated SAQ every year – A reminder will be sent to the email address listed in the SecureTrust Portal 30 days before the SAQ expires, with the subject line “Your PCI Compliance is expiring soon. Renew today!”
  • Pass quarterly vulnerability scans (if required) – Two reminder emails will be sent to the email address listed in the SecureTrust Portal:
    • 30 days before the scan expires, with the subject line “Your security scans are about to expire”
    • 10 days before the scan expires, with the subject line “Your security scans will expire shortly”
  • Monitor and address any system changes impacting security
  • Stay informed about PCI DSS updates and implement changes as needed

SecureTrust provides reminders, scanning, and guidance to support your ongoing efforts, but merchants are responsible for maintaining active compliance throughout the year. If you add or remove a card payment option (retail or e-commerce), you are required to redo the profile and the SAQ and, if relevant, undertake a new scan.

How will the credit card companies / acquirers know that I am PCI compliant?

Bluefin reports your PCI compliance status electronically to Visa, MasterCard, Discover, AMEX, and other acquirers each month, using:

  • Submitted SAQs
  • Passed vulnerability scan reports
  • Internal communication with merchants

Non-compliance fines from card brands can range from $5,000 to $100,000 per month.

My gateway/terminal is already PCI certified. Do I need to be PCI compliant?

Yes. While having a PCI-compliant terminal or gateway is essential, it does not satisfy all PCI DSS requirements.

Merchants themselves – including their policies, systems, and security practices – must also be certified.

I never see credit card information. Do I need to be PCI compliant?

Yes. Even if you do not directly handle cardholder data, vulnerabilities in your systems or networks could still expose sensitive information.

PCI DSS is designed to protect customers and merchants alike by reducing all possible points of risk.

What is the cost for maintaining PCI compliance through Bluefin?

Costs for the PCI Compliance Assistance Program are assessed monthly and/or annually.

For specific cost information, please contact Bluefin’s customer service team at 800-675-6573, ext. 4.