PCI Compliance

What is PCI Compliance?

PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council to protect cardholder data. Major card companies such as Visa, MasterCard, American Express, and Discover, are responsible for enforcing the security of cardholder information. 

Merchants are responsible for ensuring their equipment, networks, and employees meet the PCI security standard.


How do I become PCI Compliant?

Fattmerchant is a Level 1 PCI Service Provider. Level 1 is the high level of compliance available, and we adhere to industry-leading PCI standards. To become PCI compliant, the following steps need to be taken:

  1. Complete business profile
  2. Complete Annual PCI Questionnaire
  3. Set up Quarterly Scanning (if necessary)


Additional Resources for becoming PCI compliant:

Your guide to PCI Compliance

Frequently Asked Questions about PCI Compliance


How do I complete my business profile? 



Where do I take my PCI questionnaire? 


If you Merchant ID begins with 52000click here. If you have never logged in before, select first sign-in, enter your Merchant ID (MID) and set your password. Your Merchant ID can be found in the settings tab in Omni. The questionnaire will take approximately 10 minutes to complete.

You can call the PCI team at 833-534-8422 for assistance with getting started with the questionnaire. The PCI team is available M-F 8am-10pm EST. 



If your merchant ID starts with 5347 or 5544 - click here. If you have never logged in before, please use the Register now button on the home page. 

If you are unsure which merchant category you fall into, please reach out to your account manager and we will be able to assist!

Your PCI certificate will be valid for one year. After the certificate has expired, merchants must renew using the same process as above. 


How do I know which questionnaire I need to take to become compliant?

The Security Council has broken out each questionnaire by product and networks. Please complete the questionnaire which best fits your processing style.

SAQ A - Merchants whose cardholder data functions are completed outsourced to a validated third party. They do not store, process, or transmit any cardholder data in electronic format on their systems or premises.

SAQ B - Card imprinter or a physical machine processing over a phone line connection

SAQ C - Merchants who use point of sale system processing over an internet connection. You do not store any credit card information electronically. Requires a vulnerability scan of your network. 

SAQ D - Merchants who electronically store cardholder data, use a customer or proprietary payment application, or a payment application installed on a network. Requires a vulnerability scan of your network. 

SAQ EP - Merchants with an e-commerce website that do not store credit card information. Your payments are redirected to a third-party processor. Requires a vulnerability scan of your network. 

SAQ B-IP - Merchants who process using a stand alone terminal over an IP connection. You do not store any credit card information electronically. Requires a vulnerability scan of your network. 

SAQ C-VT - Merchants who process using a virtual terminal. You do not store any credit card information electronically. 

SAQ P2PE - Your company uses hardware payment terminals included in a validated and PCI-listed Point-to-Point Encryption solution. You do not store, process, or transmit data outside of the hardware payment terminal. 

Each questionnaire produces a PCI certificate that is valid for one year. Vulnerability scans will only be valid for three months. 


What is a vulnerability scan?

Vulnerability scans are required for merchants processing over an internet network. Whether it's with a credit card machine or a shopping cart, it is important to make sure your networks are as secure as possible.

Vulnerability scans test the security of your network by skimming through the ports which are open and closed on your internet router. Ports dictate the security level and strength of the network. Vulnerability scans also test a website's security by making sure all security certificates are up to date. 


What happens if I am not compliant? 

Merchants have 60 days from when their new merchant account is approved with Fattmerchant to become PCI Compliant. After 60 days, merchants are subject to a non-compliance fee from the major card companies for not complying with their security standards. 



If you have any questions or need further support with becoming PCI Compliant, please reach out to the Fattmerchant support team at 855-550-3288.