PCI Compliance

The ValuPlus Merchant Association PCI Compliance program offers the best of all worlds.

You now have access to one of the best Payment Card Industry (PCI) Compliance Programs in the market today. Working with ValuPlus allows you to secure your customers’ credit card data with the security standards set by Visa, MasterCard and Discover.


  • Easy to use
  • Lowest-cost PCI program anywhere
  • 24/7/365 assistance. Just call 303-753-0833, ext. 100
  • Includes scans (where required)
  • No hidden non-compliance fees
  • $50K of breach insurance is included with the WorldPay PCI merchant program

The PCI DSS, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, to help facilitate the broad adoption of consistent data security measures on a global basis.

The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

The PCI Security Standards Council will enhance the PCI DSS as needed to ensure that the standard includes any new or modified requirements necessary to mitigate emerging payment security risks, while continuing to foster wide-scale adoption.

Ongoing development of the standard will incorporate feedback from the Advisory Board and other participating organizations. All key stakeholders are encouraged to provide input during the creation and review of proposed additions, or modifications, to the PCI DSS.

The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software

Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

To further the adoption of the PCI DSS, the PCI Security Standards Council defines credentials and qualifications for QSAs and ASVs. The PCI Security Standards Council also manages a global training and certification program for QSAs and ASVs, and will publish a directory of certified providers on this Web site.

PCI DSS Supporting Documents

Glossary

This document defines terms used in DSS and the other resources available to approved scanning vendors and qualified security assessors.
English - Glossary: pdf    Spanish - Glossary: pdf    Chinese - Glossary: pdf

PCI DSS Summary of Changes

The Payment Card Industry Data Security Standard (DSS) v1.2 replaced DSS v1.1 on October 1, 2008. This Summary of Changes document provides an overview of the significant differences between the two versions.
English - Summary of Changes: pdf

PCI DSS 1.2 FAQs

In the frequently asked questions document you will find information about the changes from version 1.1 to 1.2.
English - PCI DSS 1.2 FAQs: pdf

Navigating PCI DSS Document

This document describes the 12 Payment Card Industry Data Security Standard (PCI DSS) requirements, along with guidance to explain the intent of each requirement. It is intended to assist merchants, service providers, and financial institutions who may want a clearer understanding of the standard, and of the specific meaning and intention behind the detailed requirements to secure system components (servers, network, applications, etc.) that support cardholder data environments.
English - Navigating PCI DSS Document: pdf    Spanish - Navigating PCI DSS Document: pdf

Attestations of Compliance/Validation

The Attestation is your certification that you are eligible to perform and have performed the appropriate Self-Assessment.
AOC - Merchants v1.2: doc    AOC - Service Providers v1.2: xls

Prioritized Approach for PCI DSS 1.2

The Prioritized Approach offers guidance on how to focus PCI DSS 1.2 implementation efforts in a way that expedites the security of cardholder data. It also helps businesses identify highest-risk targets, creates a common language around PCI DSS implementation efforts, and enables merchants to demonstrate progress on the compliance process to key stakeholders (banks, acquirers, QSAs and others).
Prioritized Approach for PCI DSS 1.2: pdf    Prioritized Approach tool: xls

DSS Validation Requirements for Qualified Security Assessors (QSAs)

To be recognized as a QSA by PCI SSC, QSAs must meet or exceed the requirements described in this document and execute the QSA Agreement with PCI SSC attached to this document as Appendix A (the "Agreement").
English - DSS Validation Requirements for Qualified Security Assessors: doc

Supplement for Principal-Associate Qualified Security Assessors

English - Supplement for Principal-Associate Qualified Security Assessors: doc

PCI DSS Validation Requirements for Approved Scanning Vendors (ASVs)

To be recognized as an ASV by PCI SSC, the ASV, ASV employees, and the ASV’s scanning solution must meet or exceed the requirements described in this document and execute the "PCI ASV Compliance Test Agreement" attached as Appendix A (the "Agreement") with PCI SSC. The companies that qualify are identified on PCI SSC’s ASV list on PCI SSC’s web site in accordance with the Agreement.
English - PCI DSS Validation Requirements for Approved Scanning Vendors: doc

Information Supplements

Requirement 11.3 Penetration Testing - Information Supplement: pdf
Requirement 6.6 Application Reviews and Web Application Firewalls Clarified - Information Supplement: pdf

Additional Documents - ASV

PCI ASV Compliance Test Agreement - Coming Soon
ASV Feedback Form - Brands and Others - English: doc
ASV Feedback Form - Client - English: doc

Additional Documents - QSA

PCI Qualified Security Assessor (QSA) Agreement - Coming Soon
QSA Feedback Form - Brands and Others - English: doc
QSA Feedback Form - Client - English: doc

Overview of the PCI SSC Skimming Prevention: Best Practices for Merchants

Skimming is the unauthorized capture and transfer of payment data to another source. Its purpose is to commit fraud, the threat is serious, and it can hit any merchant’s environment. PCI Security Standards currently contain a number of requirements and recommendations to guard against skimming. This “At-a-Glance” provides a snapshot of skimming and introduces areas requiring countermeasures to ensure an appropriate level of security for cardholder data.

Overview of the PCI DSS Wireless Guideline

The goal of this document is to help organizations understand how PCI DSS applies to wireless environments and how to limit the PCI DSS scope as it pertains to wireless, and to provide practical methods and concepts for deployment of secure wireless in payment card transaction environments.

PCI Data Storage Do’s and Don’ts

Requirement 3 of the Payment Card Industry’s Data Security Standard (PCI DSS) is to “protect stored cardholder data.” For merchants who have a legitimate business reason to store cardholder data, it is important to understand what data elements PCI DSS allows them to store and what measures they must take to protect those data.

Lifecycle Process for Changes to PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) secures cardholder data that is stored, processed or transmitted by merchants and other organizations. Changes to the standard follow a defined 24-month lifecycle with five stages, described in this document.

Payment Card Industry Security Standards Overview

PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council to protect cardholder payment data.

Getting Started with PCI Data Security Standard

PCI security for merchants and payment card processors is the vital byproduct of applying information security best practices in the Payment Card Industry Data Security Standard (PCI DSS).

Ten Common Myths of PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) secures cardholder payment data that is stored, processed or transmitted by merchants and processors.

PCI Data Security Standard Self-Assessment:

The PCI Data Security Standard and supporting documents represent a common set of industry tools and measurements to help ensure the safe handling of sensitive information.

The standard provides an actionable framework for developing a robust account data security process—including preventing, detecting and reacting to security incidents. To reduce the risk of compromise and mitigate its impacts if it does occur, it is important that all entities storing, processing, or transmitting cardholder data be compliant.

The chart below outlines the tools in place to help organizations with PCI DSS compliance and self-assessment.