- Q: What is PCI Compliance?
A: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, Inc. jointly established the Payment Card Industry Data Security Standard (PCI DSS), first published in December 2004, and in 2006 formed the PCI Security Standards Council (PCI SSC) to maintain it. Its primary goal is to protect cardholder data. The standard is extensive; the essentials are summarized in this FAQ.
PCI DSS defines six goals and 12 corresponding requirements that every business accepting payment cards, regardless of size, must adhere to.
A copy of the PCI DSS is available at: https://www.pcisecuritystandards.org/security_standards/pci_dss_download_agreement.html
- Q: What is defined as ‘cardholder data’?
A: According to the PCI Security Standards Council, cardholder data is:
- The full primary account number (PAN)
- Cardholder name
- Expiration Date
- Service Code
The PAN is the defining element: the cardholder name, expiration date and service code count as cardholder data when they are stored, processed or transmitted together with the PAN. Sensitive authentication data (full magnetic-stripe or chip track data, the card verification code printed on the card such as CAV2/CVC2/CVV2/CID, and PINs or PIN blocks) is treated even more strictly and must never be stored after authorization, even in encrypted form. Other personal information such as the cardholder's address or social security number is not cardholder data under PCI DSS, although other laws and regulations may require you to protect it.
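Knowing the definition is only useful if you can find where PANs actually live in your systems. The following is an added example (not part of the original FAQ or any PCI SSC material) of a small data-discovery check run over a few constructed log lines: it extracts 13-19 digit candidates, keeps only those that pass the Luhn mod-10 check that all major card brands use, and renders the hits with at most the first six and last four digits visible, which is the maximum PCI DSS permits when a PAN is displayed. The sample log text and function names are assumptions made for the example; the card numbers in it are the brands' publicly documented test numbers, not real accounts.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally split by single spaces or hyphens
# (the groupings a person types or a POS receipt prints). Lookarounds rather
# than \b so that "card=4111..." and "ID4111..." are both caught.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod-10) check used by all major card brands; rejects most look-alike numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS display-masking limit)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    line_no: int
    masked_pan: str


def find_pans(text: str) -> list[Finding]:
    """Return one Finding per Luhn-valid PAN found in the text, never the clear PAN itself."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                findings.append(Finding(line_no, mask_pan(digits)))
    return findings


def redact(text: str) -> str:
    """Replace every Luhn-valid candidate with its masked form; leave other digit runs alone."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return _PAN_CANDIDATE.sub(_sub, text)


# Constructed sample log (assumption for this example). Lines 1-2 hold valid test
# PANs; line 3 holds a 16-digit number that fails Luhn; line 4 has only a trace ID.
SAMPLE_LOG = """\
2024-03-02T10:14:07Z INFO order=48213 card=4111 1111 1111 1111 amount=59.90
2024-03-02T10:14:09Z DEBUG request_id=8827364501 pan=5500000000000004 exp=12/27
2024-03-02T10:15:12Z WARN retry card=4111-1111-1111-1112 (declined)
2024-03-02T10:16:00Z INFO callback trace=1234567890123456 no card data here
"""

if __name__ == "__main__":
    for f in find_pans(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.masked_pan}")
    print(redact(SAMPLE_LOG))
```

A hit from a scan like this in an application log is itself a finding: PCI DSS requires stored PANs to be rendered unreadable, so the remediation is to stop logging the value, not merely to mask it afterwards. The Luhn check cuts false positives sharply but is not proof that a number is a card; treat results as leads for the SAQ scoping exercise.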
- Q: What is the definition of ‘merchant’?
A: For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.
Source: PCI SSC
- Q: Do I have to be PCI Compliant?
A: If you are storing, processing or transmitting cardholder data, the answer is yes! PCI DSS applies to any business that stores, processes or transmits cardholder information. All merchants are expected to meet the 12 requirements set by the PCI Data Security Standards (PCI DSS).
- Q: Where can I find the PCI Data Security Standards (PCI DSS)?
A: The Standard can be found on the PCI SSC's Website: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
- Q: Do I have to validate compliance to the PCI DSS?
A: Yes. Merchants eligible for self-assessment complete the PCI DSS Self-Assessment Questionnaire (SAQ), which documents which requirements you meet and where gaps remain. If you have external-facing IP addresses, you must also have an external vulnerability scan of them performed by a PCI SSC Approved Scanning Vendor (ASV).
- Q: How can I take the PCI DSS SAQ?
A: If Electronic Data Payment Systems is your credit card processing provider, you should have received an e-mail or fax with instructions on how to take the PCI DSS SAQ. Included in the letter will be your unique ID and password to take the questionnaire. If you need this information sent to you again, please contact us via e-mail at firstname.lastname@example.org or by phone at 866.209.7350.
- Q: How often does the SAQ have to be completed to be PCI compliant?
A: In order to be compliant, the PCI DSS SAQ is required to be taken annually. Your processor should contact you when you need to complete your questionnaire. If you are working with Electronic Data Payment Systems, we will contact you via e-mail or fax.
- Q: If I have more than one PC, do I have to complete multiple Self-Assessment Questionnaires (SAQ)?
A: No, you only have to complete one questionnaire for your business as a whole.
- Q: Once I become PCI Compliant, do I have to do anything to remain compliant?
A: Yes. All merchants must complete the SAQ annually to confirm that the business is still PCI compliant. Compliance is continuous: any significant change to your network or business processes, such as installing new software, upgrading a software version, or changing how card data flows through your systems, may warrant revisiting the SAQ and/or running another network scan before the next annual cycle. If there are any changes in your business that may require this, please contact us at email@example.com.
- Q: Am I PCI Compliant if my point-of-sale system is compliant?
A: No. PCI compliance goes beyond the point-of-sale system used for payment card processing. Although it is important that your business uses a validated payment application and/or an approved PCI PIN Entry Device (PED), the surrounding environment (the network the device sits on, the workstations that touch it, stored receipts and records, and staff procedures) must also comply. The Payment Card Industry Data Security Standard (PCI DSS) requires that any business that stores, processes or transmits cardholder data comply with all 6 goals and 12 requirements.
- Q: What are the PCI compliance 'levels' and how are they determined?
A: According to payment brand rules, all merchants and their service providers are required to comply with the PCI Data Security Standard in its entirety. Merchant "levels" (1 through 4) are assigned by each payment brand based primarily on annual transaction volume, and the level determines how compliance is validated: the highest-volume merchants undergo an on-site assessment, while most smaller merchants self-assess. Which SAQ a self-assessing merchant completes depends instead on how it accepts cards. There are five SAQ validation types, shown briefly in the table below (from SAQ version 1.2). Use the table to gauge which SAQ applies to your organization, then review the SAQ instructions to ensure you meet all the eligibility criteria for that SAQ.

| Type | Description | SAQ (v1.2) |
|------|-------------|------------|
| 1 | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. | A |
| 2 | Imprint-only merchants with no electronic cardholder data storage | B |
| 3 | Stand-alone terminal merchants, no electronic cardholder data storage | B |
| 4 | Merchants with POS systems connected to the Internet, no electronic cardholder data storage | C |
| 5 | All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ | D |
- Q: How often does the network vulnerability scan have to be performed to be considered PCI Compliant?
A: To be compliant, an external vulnerability scan of all your external-facing IP addresses must be performed and passed at least quarterly, and again after any significant change to the network. The scan must be run by a PCI SSC Approved Scanning Vendor (ASV); findings that cause a failing result must be fixed and the scan repeated until it passes.
- Q: What does a small to medium-sized business (a Level 4 merchant) have to do to become PCI compliant and meet all the requirements?
A: All merchants, small and large, are required to be PCI compliant. At Electronic Data Payment Systems, we make this part simple for you. We have already done the work and have classified you into the right merchant level. If you are currently processing with us, you will receive an e-mail, fax, phone call or letter with directions on which SAQ you need to take.
When you sign in to complete your questionnaire, follow the instructions and guidelines established on the page. If you have any questions about your SAQ or have lost your copy, please contact us at firstname.lastname@example.org.
- Q: What should I do if I’m compromised?
A: If you are compromised, we recommend following the procedures outlined in Visa's "What To Do If Compromised: Visa Fraud Control and Investigations Procedures" document. In every case, notify your acquirer or processor immediately and preserve evidence: do not wipe, rebuild or reinstall affected systems before the investigation, as the card brands require prompt notification and may require a forensic investigation.
- Q: Where can I find more information about PCI Compliance?
A: The PCI Data Security Standards Council has more information on PCI Compliance on their website at: https://www.pcisecuritystandards.org.