PCI Compliance FAQ
- Jul 16, 2018
- By Fusion Security Team
Your most common questions about the Payment Card Industry Data Security Standard, answered.
What is PCI compliance?
The Payment Card Industry Data Security Standard (PCI DSS), established in 2006 by the major credit card brands (e.g., Visa, MasterCard), is a set of security standards designed to ensure that all companies that accept, process, store and/or transmit credit card information maintain a secure environment.
What is PCI validation?
The PCI Security Standards Council mandates that all merchants comply with the PCI standards. Annual validation (or proof) is mandated by some merchant processors and is a way of documenting your compliance. Validation requirements vary based upon annual payment card transaction volume and may require a self-assessment or an independent onsite audit.
Who is required to become PCI compliant?
All businesses that process, store, or transmit payment card information are required to comply with the PCI DSS.
Is PCI compliance required by law?
Compliance with PCI DSS is not required by federal law in the United States. However, the laws of some U.S. states, including Nevada, Minnesota, and Washington, have incorporated PCI DSS into their state laws, while other states have made equivalent provisions. When you sign your payment card contract—and confirm your desire to accept credit and debit cards at your business—you agree to follow card brand rules. To safely accept Visa, MasterCard, JCB, American Express, and Discover transactions, you must comply with PCI DSS.
When is the deadline to become PCI compliant?
For most merchants, the deadline for compliance has already passed. Contact your merchant processor to receive details on your merchant account. The sooner you become compliant, the sooner you will optimize security measures that protect your customers against the misuse of their personal information.
What happens if I don’t become PCI compliant?
If you are not PCI compliant, you are more vulnerable to a data compromise, and may also be fined by your merchant processor and/or the card brands for not validating PCI compliance.
I only process a few cards a year. Do I still need to be PCI compliant?
Yes. Even if you only process one transaction per year, you must implement the PCI DSS in your processing environment.
What is required to become PCI compliant?
Typical steps for merchants to become PCI DSS compliant include, but are not limited to:
- Determine your PCI DSS validation type (this informs your requirements)
- Address all requirements found in your Self-Assessment Questionnaire (SAQ) (e.g., external vulnerability scans, penetration tests, employee training)
- Attest to your compliance annually
- Complete and report quarterly results of all scans performed by an Approved Scanning Vendor (ASV)
What is the most current version of the PCI DSS?
The PCI SSC recently released PCI DSS version 3.2. It replaces 3.1 “to address growing threats to customer payment information.” The new compliance requirements introduced in version 3.2 became effective on February 1, 2018.
Which Self-Assessment Questionnaire (SAQ) am I supposed to complete?
Ultimately, you must choose the SAQ on the PCI Security Standards website that’s right for your processing environment, but generally speaking:
- SAQ A is for e-commerce/mail/telephone-order (card-not-present) merchants that have fully outsourced all cardholder data functions. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
- SAQ A-EP is for e-commerce-only merchants that use a third-party service provider to handle their card information, and who have a website that doesn’t handle card data, but could impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
- SAQ B is for merchants that use imprint machines and/or standalone, dial-out terminals, and have no electronic cardholder data storage. Not for e-commerce.
- SAQ B-IP is for merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, and that have no electronic cardholder data storage. Not for e-commerce.
- SAQ C-VT is for merchants that use a virtual terminal on one computer dedicated solely to card processing. No electronic cardholder data storage. Not for e-commerce.
- SAQ C is for any merchant with a payment application connected to the Internet, but with no electronic cardholder data storage.
- SAQ P2PE is for merchants using approved point-to-point encryption (P2PE) devices, with no electronic card data storage.
- SAQ D for Merchants is for merchants that DO store credit card data electronically.
- SAQ D for Service Providers is for service providers deemed eligible to complete an SAQ.
Read more about PCI DSS 3.2 SAQ updates on the PCI Security Standards website.
What is a PCI compliance certificate?
Some QSA/ASV companies provide certificates confirming that an organization is PCI DSS compliant. An actual compliance certificate is not mandatory, and you don’t necessarily need a certificate to be PCI compliant.
Am I PCI compliant if my site has an SSL/TLS certificate?
Unfortunately, no. An SSL/TLS certificate is an important element in a secure website, but alone does not meet PCI DSS requirements.
Do I need to be PCI compliant if I don’t use a computer to process credit cards?
Yes. PCI compliance doesn’t require a connection to the Internet or even a computer system. PCI compliance is determined by the way that you store, handle, or process credit card information, whether the card information is in a locked filing cabinet or on the computer.
Who enforces PCI compliance?
Generally speaking, your merchant bank enforces PCI DSS compliance.
What should I do if I think my business has been compromised?
Disconnect your system from the Internet, call your merchant processor, and contact us for information about forensic investigation. PCI forensic investigators help you find and fix the security holes in your processing environment. An investigator can help identify how and when attackers breached your systems, determine whether card data was compromised, and document for the card brands your efforts to remediate the vulnerabilities that led to the data breach.
Source: Security Metrics, PCI Security Standards website