Overview: This Implementations resource answers the most common questions about PCI Compliance.
What is PCI DSS?
The Payment Card Industry (PCI) Data Security Standard (DSS) is a set of requirements for enhancing payment account data security. These standards were developed by the PCI Security Council (founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.) to facilitate industry-wide adoption of consistent data security measures on a global basis. The standard aims to increase awareness and promote best practices in the handling of sensitive information to minimizing identity theft and fraudulent transactions.
Merchants can fall into different categories depending on the volume of transactions:
Level 1: Merchants that process over 6 million card transactions annually.
Level 2: Merchants that process 1 to 6 million transactions annually.
Level 3: Merchants that process 20,000 to 1 million transactions annually.
Level 4: Merchants that process fewer than 20,000 transactions annually.
I only process a few hundred dollars a month. Does my merchant account still need to be PCI compliant?
Yes. All merchants, small or large, are required to be PCI compliant. The payment brands have collectively mandated PCI DSS compliance for any and all organizations that process, store, or transmit payment cardholder data. Inherent in having a merchant account is the ability to handle cardholder data.
Why am I being asked to complete this questionnaire?
All merchants accepting payment by credit or debit cards are required to comply with PCI DSS. This website provides the tools needed to achieve compliance with the least amount of time, effort, and expense.
What happens if I do not complete this questionnaire?
Merchants are contractually required to comply with the PCI DSS as part of their processing agreement to accept card payments with the Card Networks. Failure to meet the contractual obligations may result in the payment provider assessing fees, suspending the ability to process transactions, and/or termination of the agreement.
What is an EMV card?
EMV (Europay, MasterCard, and Visa) cards or “chip” cards have chips embedded in the card that are utilized much like the magnetic stripe in traditional cards. If a terminal is certified to read the chip and uses this functionality, the merchant is considered to be EMV compliant.
Am I allowed to select the PCI Compliance Team who does my compliance?
Unless your payment provider has other regulations in place, you can select any vendor to become PCI compliant.
I do not use the internet to process credit cards, do I still have to be PCI Compliant?
Yes. All merchant that store, process, or transmit cardholder data are required to comply with the PCI DSS, regardless of the medium in which they operate (hard copy or electronic) or method in which they communicate the data (IP, analog, cellular, or satellite).
Do I need to make all my accounts compliant?
Yes. Any division of a business that stores, processes, or transmits cardholder data must comply with the PCI DSS. However, if an entity has multiple merchant accounts that have the same network configuration, operate according to the same information security policies and procedures, and utilize the same equipment, they may be able to assess all locations under one SAQ.
How do I renew my questionnaire?
The questionnaire can be renewed either by clicking on the Re-Assess button, if available, or by completing a new SAQ. SAQs are valid for one year from the date they are submitted.
What are the penalties for being non-compliant?
All merchants are required to be PCI DSS compliant. Refusal to comply may result in fines or the loss of the ability to accept debit and credit cards.
What is an ASV scan?
An ASV scan is a non-intrusive external scan against the public address of a merchant's card processing network. The scan checks for open TCP & UDP ports at the network gateway and tests for vulnerabilities and common misconfigurations which could put card data at risk. Additional information about the ASV scan can be found in the ASV Program Guide which is available from the PCI SSC website: https://www.pcisecuritystandards.org/documents/ASV_Program_Guide_v3.0.pdf.
What are the steps to compliance?
PCI security for merchants and payment card processors is the vital result of applying the information security best practices in the PCI DSS. The standard includes 12 requirements for any business that stores, processes, or transmits payment cardholder data. These requirements specify the framework for a secure payment environment. For PCI compliance purposes, there are three steps: Assess, Remediate, and Report.
To Assess is to take an inventory of your IT assets and business processes for payment card processing and analyze them for vulnerabilities that could expose cardholder data. Remediation is the process of fixing those vulnerabilities. Reporting entails compiling records required by PCI DSS to validate remediation and submitting compliance reports to the acquiring bank and global payment brands you do business with. Carrying out these three steps is an ongoing process for continuous compliance with the PCI DSS requirements. These steps also enable vigilant assurance of payment card data safety.
Step 1 – Assess
The primary goal of the assessment is to identify all technology and process vulnerabilities that pose risks to the security of cardholder data being transmitted, processed, or stored by your business. The Payment Card Industry Data Security Standard (PCI DSS) contains detailed requirements describing IT infrastructure and processes that access the payment account infrastructure. Determine how cardholder data flows from beginning to end of the transaction process – including PCs and laptops that access critical systems and storage mechanisms for paper receipts, etc. Check the versions of Personal Identification Number (PIN) entry terminals and software applications used for payment card transactions and processing to ensure they have passed PCI compliance validation.
Note: As your liability for PCI compliance extends to third parties involved with your process flow, you must also confirm that they are compliant. Comprehensive assessment is a vital part of understanding what elements may be vulnerable to security exploits and where to direct remediation.
Self-Assessment Questionnaire (SAQ) – The SAQ is a validation tool for merchants and service providers who are not required to do on-site assessments for PCI DSS compliance. Eight SAQs are specified for various situations.
Qualified Assessors – The Council provides programs for two types of independent experts to assist with your PCI assessment: Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV). QSAs have trained personnel and processes to assess and prove compliance with the PCI DSS. ASVs perform vulnerability scans for your systems.
Step 2 - Remediate
Remediation is the process of fixing vulnerabilities. This includes both technical flaws in software code and unsafe practices in how an organization processes or stores cardholder data.
Review and remediate vulnerabilities found in on-site assessment (if applicable) or through the Self-Assessment Questionnaire process.
Scan your network with software tools that analyze infrastructure and spot known vulnerabilities.
Classify and rank the vulnerabilities to help prioritize the order of remediation, from most serious to least serious.
Apply patches, fixes, workarounds, and changes to unsafe processes and workflow.
Re-scan to verify that remediation occurred.
Step 3 – Report
Regular reports are required for PCI compliance. These are submitted to the acquiring bank and global payment brands that you do business with. The Payment Card Industry Security Standards Council (PCI SSC) is not responsible for PCI compliance. All merchants and processors that are required to scan must submit a quarterly scan report completed by a PCI SSC Approved Scanning Vendor (ASV). Businesses with large flows must do an annual on-site assessment completed by a PCI SSC approved QSA and submit the findings to each acquirer. Most merchants are required to submit an annual Review and Sign within the Self-Assessment Questionnaire. You will be notified by your payment processor if an onsite assessment is required.
For more details, contact your acquirer or visit www.pcisecuritystandards.org.