PCI Compliance FAQs
- What are some of the most commonly-used terms and acronyms I need to know when it comes to PCI compliance?
- What is PCI DSS compliance?
- What are the PCI compliance levels and how are they determined?
- What are the penalties for noncompliance?
- Must organizations that use a service provider be compliant?
- Do debit card transactions fall under the scope of PCI compliance?
- How is “merchant” defined?
- How is “cardholder data” defined?
- Do I need vulnerability scanning to validate compliance?
- What is a network security scan?
- How often must a security scan be performed?
- I run a home-based business. Am I really at serious risk of being hacked?
- What if a merchant refuses to cooperate with PCI compliance?
- How do I log in to begin my Self-Assessment Questionnaire?
- I have already begun the process of PCI compliance. Do I need to let you know?
What are some of the most commonly-used terms and acronyms I need to know when it comes to PCI compliance?
Like most industries, PCI compliance has its own “alphabet soup” of terms and acronyms including:
- Payment Card Industry (PCI) – Denotes debit, credit, prepaid, e-purse, ATM and POS (point of sale) cards and associated businesses.
- Payment Card Industry Data Security Standard (PCI DSS) – A set of comprehensive requirements for enhancing payment account data security that was developed by the founding payment brands of the PCI Security Standards Council to help facilitate the broad adoption of consistent data security measures on a global basis.
- Payment Card Industry Security Standards Council – An open global forum whose mission is to enhance the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection through education and awareness of PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.
- PCI Self-Assessment Questionnaire (SAQ) – A validation tool intended to assist merchants and service providers who are not required to undergo an on-site data security assessment to self-evaluate their compliance with the PCI DSS. There are multiple versions of the PCI DSS SAQ to meet various scenarios.
- PCI scan – A quarterly external vulnerability scan of a merchant's or service provider's Internet-facing systems, performed by an Approved Scanning Vendor, to confirm that no exploitable vulnerabilities are exposed to the Internet.
- PCI SSC Approved Scanning Vendor (ASV) – Organizations that validate adherence to certain DSS requirements by performing vulnerability scans of the Internet-facing environments of merchants and service providers.
- Qualified Security Assessor (QSA) – Companies (and their certified employees) approved by the PCI SSC to perform on-site PCI DSS assessments and produce a Report on Compliance (ROC).
What is PCI DSS compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements established to ensure that every entity that stores, processes or transmits cardholder data (merchants as well as their service providers) maintains a secure environment for that data. Importantly, PCI DSS compliance protects both the merchants and their customers. The PCI DSS is administered by the independent Payment Card Industry Security Standards Council (PCI SSC), which was created by the five major payment card brands: Visa, MasterCard, American Express, Discover and JCB International. The cards covered include any debit, credit or prepaid card bearing the logo of one of those five brands.
What are the PCI compliance levels and how are they determined?
Merchant compliance levels are defined by each card brand; Visa and MasterCard, whose definitions most acquirers follow, use four levels with differing validation requirements. A merchant is assigned a level by its annual transaction volume with that brand, counting credit, debit and prepaid transactions across all channels over a 12-month period. The four levels (from fewest to most transactions) and their typical validation requirements are:
- Level 4: Merchants that process fewer than 20,000 e-commerce transactions annually, and all other merchants processing up to 1 million transactions annually. Level 4 merchants validate by completing the appropriate PCI Self-Assessment Questionnaire (SAQ) every year; quarterly external vulnerability scans by a PCI SSC Approved Scanning Vendor (ASV) are also required where the merchant has Internet-facing systems in scope. Acquirers set the exact validation requirements for this level.
- Level 3: Merchants processing between 20,000 and 1 million e-commerce transactions annually. Level 3 merchants complete the appropriate SAQ every year and, where applicable, pass quarterly ASV scans.
- Level 2: Merchants processing between 1 million and 6 million transactions annually across all channels. Level 2 merchants complete the appropriate SAQ every year (MasterCard additionally requires that the staff completing it hold PCI SSC Internal Security Assessor (ISA) certification, or that a QSA perform an on-site assessment instead) and, where applicable, pass quarterly ASV scans.
- Level 1: Merchants processing more than 6 million transactions annually (typically "big box" retailers and major corporations), plus any merchant a card brand designates as Level 1, for example following a breach. Level 1 merchants must undergo an annual on-site assessment producing a Report on Compliance (ROC), performed by a Qualified Security Assessor (QSA) or by a certified Internal Security Assessor with an officer's sign-off, submit an Attestation of Compliance, and pass quarterly ASV scans.
What are the penalties for noncompliance?
Your merchant account agreement should outline your specific exposure if you are noncompliant, so check it to make sure you understand your position. Generally speaking, the penalties for noncompliance are numerous, both direct and indirect. First, the card brands can fine acquiring banks and payment processors substantial amounts per incident (figures of up to $500,000 are commonly cited) for compliance violations, and those fines are typically passed along to the individual merchant, either directly or as increased transaction fees. In addition to fines, noncompliant businesses that suffer a breach face card replacement costs, expensive forensic investigations and damage to their reputation. Finally, a noncompliant merchant may lose its merchant account and be placed on the Terminated Merchant File (also known as the MATCH list) for several years, during which time it cannot obtain a new merchant account to accept credit cards. This final blow usually causes massive, often insurmountable, damage to the merchant's credibility, customer loyalty and business.
Must organizations that use a service provider be compliant?
Absolutely. As defined by PCI DSS, a service provider is a third party that stores, processes or transmits cardholder data on behalf of another entity, or that can otherwise affect the security of that data. Using a compliant service provider may reduce a merchant's risk of exposure and the effort needed to validate compliance, but it does not take the merchant out of PCI DSS scope: the merchant remains responsible for validating its own compliance, for confirming the provider's PCI DSS status at least annually, and for agreeing in writing which requirements each party is responsible for. Compliance is the baseline for security, and therefore should always be a top priority for any business.
Do debit card transactions fall under the scope of PCI compliance?
Yes, debit cards — along with credit and prepaid cards — that are branded with a logo of one of the five partners in PCI SSC are in scope for PCI compliance. The five partners are Visa, MasterCard, Discover, American Express and JCB International.
How is “merchant” defined?
Simply put, and for the purposes of PCI DSS, a merchant is an entity that accepts payment cards (credit, debit or prepaid) bearing the logo of any of the five members of PCI SSC as payment for goods and/or services. Under PCI DSS, a merchant is responsible for securely storing, processing and transmitting any cardholder data it handles, and for not retaining cardholder data it has no business need for.
How is “cardholder data” defined?
PCI DSS defines cardholder data as the primary account number (PAN) together with, where present, the cardholder's name, the card's expiration date and its service code. It separately defines sensitive authentication data (SAD): the full track data from the magnetic stripe or chip, the card verification code (CVV2/CVC2/CID) printed on the card, and PINs or PIN blocks. Addresses and Social Security numbers are not cardholder data under PCI DSS, although other regulations may protect them. If this data is exposed by a noncompliant merchant, fraud may occur. PCI DSS requires that sensitive authentication data never be stored after authorization, even if encrypted, and that any stored PAN be rendered unreadable (by truncation, tokenization, strong cryptography or a one-way hash based on strong cryptography) and masked whenever it is displayed. A merchant should retain no cardholder data it does not have a documented business need for.
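As an added example (not part of this FAQ or any PCI SSC publication), the following Python shows the three habits the definition above implies: never persist SAD, truncate or mask the PAN, and scan your own logs for card data that leaked in anyway. The log lines are constructed; the 4111... and 5105... numbers are the standard Visa and MasterCard test PANs, which pass the Luhn check, while the 19-digit "tracking number" is made up and fails it, so the scanner must not report it. The "first six, last four" masking limit is the long-standing PCI DSS display rule; confirm the exact masking wording in the DSS version that applies to you.

```python
"""Cardholder-data handling helpers: PAN validation, display masking,
log scanning for leaked PAN/SAD, and stripping SAD before storage."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log (no real card data). 4111... and 5105... are the
# usual Visa/MasterCard test PANs and pass the Luhn check; the 19-digit
# tracking number is made up and fails it, so it must not be reported.
SAMPLE_LOG = """\
2023-04-02T10:15:01Z checkout ok order=1001 pan=4111111111111111 cvv=123
2023-04-02T10:15:07Z checkout ok order=1002 pan=411111******1111
2023-04-02T10:16:22Z shipment tracking=1234567890123456789 status=in_transit
2023-04-02T10:17:03Z checkout declined order=1003 card=5105 1051 0510 5100 exp=12/26
"""

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Verification codes and PINs are sensitive authentication data (SAD).
SAD_FIELD = re.compile(r"\b(cvv2?|cvc2?|cid|pin)\s*[=:]\s*\d{3,6}\b", re.IGNORECASE)
SAD_KEYS = {"cvv", "cvv2", "cvc2", "cid", "pin", "pin_block", "track1", "track2"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most non-card digit runs (IDs, tracking numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking: at most the first six and last four digits stay visible."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13 or len(digits) > 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int
    kind: str   # "PAN" or "SAD"
    value: str  # already masked, so the report itself does not leak card data


def scan_log(text: str) -> list[Finding]:
    """Flag unmasked, Luhn-valid PANs and SAD fields in log text, line by line."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding(line_no, "PAN", mask_pan(digits)))
        for m in SAD_FIELD.finditer(line):
            findings.append(Finding(line_no, "SAD", m.group(1).lower() + "=***"))
    return findings


def sanitize_for_storage(record: dict) -> dict:
    """Drop SAD outright (it may never be stored after authorization) and keep
    only the truncated PAN. Remaining fields such as name and expiry are still
    cardholder data and must be protected under Requirement 3 if stored."""
    out = {k: v for k, v in record.items() if k.lower() not in SAD_KEYS}
    pan = out.pop("pan", None)
    if pan is not None:
        out["pan_last4"] = re.sub(r"\D", "", pan)[-4:]
    return out


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} {f.value}")
    print(sanitize_for_storage({"pan": "4111 1111 1111 1111", "cvv": "123",
                                "exp": "12/26", "name": "Test Cardholder"}))
```

The Luhn filter is what keeps a scanner like this usable on real logs: order numbers, timestamps and tracking numbers produce digit runs of the right length constantly, and most of them fail the checksum. Note that the sanitizer keeps only the last four digits rather than a hash; a plain hash of a PAN is reversible by brute force over the small space of valid card numbers, so if you need to look records up by card, use your processor's tokenization instead.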
Do I need vulnerability scanning to validate compliance?
Businesses that electronically store cardholder data after authorization, or whose payment processing systems are connected to the Internet, may be required to have a PCI SSC Approved Scanning Vendor (ASV) perform an external vulnerability scan at least quarterly. Whether a scan is required depends on which SAQ applies to your payment channel (for example, merchants who fully outsource card handling to a compliant provider and qualify for SAQ A are not required to scan), and your acquirer makes the final determination.
What is a network security scan?
A network security scan is performed by an Approved Scanning Vendor (ASV) using an automated tool to remotely and non-intrusively check a merchant or service provider’s networks and web applications for vulnerabilities in operating systems, services and devices that hackers could use to target the company. Merchants with external-facing Internet protocol (IP) addresses may be required to pass quarterly scans to validate their PCI compliance.
How often must a security scan be performed?
An ASV scan must be performed at least once every three months (quarterly), and PCI DSS also requires a rescan after any significant change to the in-scope network, such as new Internet-facing systems or firewall rule changes. A scan passes only when it finds no vulnerability with a CVSS base score of 4.0 or higher and no automatic failure conditions. Service providers and merchants should submit their passing scan reports according to the timetable established by their acquirer.
I run a home-based business. Am I really at serious risk of being hacked?
Unfortunately, yes. Attackers frequently target home users and small businesses precisely because they rarely take protection seriously. Always-on broadband connections, Internet games, chat and file-sharing applications all widen the attack surface of the average home user. Regular vulnerability scans of desktop and laptop computers can identify weaknesses so that you can fix them, for example by patching, before a fraudster finds them.
What if a merchant refuses to cooperate with PCI compliance?
PCI DSS is not itself a law, although a few jurisdictions have written parts of it into statute. It is a standard created by the major card brands that make up the Payment Card Industry Security Standards Council (PCI SSC), and it binds merchants through their contracts with their acquirers. Merchants who do not comply with PCI DSS and suffer a breach may be subject to fines, card replacement costs, costly forensic investigations and damage to their brand and reputation. For most small merchants, PCI compliance is neither expensive nor onerous, and the benefits, security and peace of mind, are priceless.
How do I log in to begin my Self-Assessment Questionnaire?
When you arrive at the login screen, you will be prompted to enter your username and password. Use your current merchant number as your username; you will find it in the top right-hand corner of your monthly statement. Your initial password is the last 5 digits of the merchant ID followed by your capitalized state abbreviation. For example, if the merchant ID is 0123456 and your business is located in Illinois, your username would be 0123456 with a password of 23456IL. Because this initial password can be worked out from the merchant ID and your business address, treat your statements as sensitive and change the password at first login if the portal permits.
I have already begun the process of PCI compliance. Do I need to let you know?
If you have completed or are in the process of determining your business’s PCI compliance, you will need to let us know. Please contact your merchant services representative and ask him/her to fax or e-mail you a Merchant PCI Verification Questionnaire. Fill out this form and fax it back to us at 303.482.0347. Once your PCI compliance status is confirmed, you will receive notification of any necessary credits to your account.