Payment Card Industry - Data Security Standard FAQ

What is the Payment Card Industry (PCI) Data Security Standard (DSS)?

The PCI Data Security Standard represents a set of industry tools and measurements to help ensure the safe handling of sensitive cardholder data and information. Initially created by aligning Visa's Account Information Security (AIS)/Cardholder Information Security (CISP) programs with MasterCard's Site Data Protection (SDP) program, the standard provides a framework for developing a robust account data security process, including preventing, detecting and reacting to security incidents.

What is the definition of a "merchant"?

For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos from American Express, Discover, JCB, MasterCard or Visa as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.

I’m a small merchant who has limited payment card transaction volume. Do I need to be compliant with PCI DSS? If so, what is the deadline?

All merchants, whether small or large, need to be PCI compliant. Compliance is a requirement for organizations that process, store or transmit payment cardholder data. For more information regarding the PCI security standards and supporting documentation, please visit the PCI Security Standards Council website at: www.pcisecuritystandards.org.

What are the deadlines for complying with PCI DSS?

Compliance is mandated by the payment card brands. For most merchants, the deadlines for validating compliance with the PCI DSS have already passed. You should confirm with your acquirer or merchant bank whether any specific deadlines apply to you, based on your merchant transaction volume (level) as determined by the card payment brands. All entities that transmit, process or store payment card data must be compliant with PCI DSS.

What is a Qualified Security Assessor?

Qualified Security Assessor (QSA) companies are organizations that have been qualified by the Council. Qualified Security Assessors are employees of these organizations who have been certified by the Council to validate an entity’s adherence to the PCI DSS.

What is an Approved Scanning Vendor?

Approved Scanning Vendors are authorized to perform the quarterly scans that demonstrate compliance with the PCI Data Security Standard. All PCI scans must be conducted by a third-party compliant network security scanning vendor, selected from the list of approved vendors at https://www.pcisecuritystandards.org/. All compliant scanning vendors are required to conduct scans in accordance with a defined set of procedures. These procedures dictate that the normal operation of the customer environment is not to be impacted and that the vendor must never penetrate or alter the customer environment.

How often do I need to scan?

Depending on your validation category, network security scans may be required every 90 days by an approved PCI scanning vendor.

Who needs to get external auditors for certification?

External auditors are required for annual audits of level 1 and 2 merchants and level 1 and 2 service providers.

What is the scope of a PCI DSS assessment for a network that is not segmented?

Without proper network segmentation to isolate the systems that store, process or transmit cardholder data from those that do not, all system components in that network are considered part of the cardholder data environment, the entire network is in scope for PCI DSS, and all PCI DSS requirements apply.

You only have to be compliant with the majority of criteria.

PCI requires 100% compliance, so if you fail even one of the criteria, you are not in compliance with PCI. The standard is not meant to be something merely to strive for. Failing to achieve even one of the requirements is failing to meet a basic standard for handling cardholder information. All companies that routinely handle this type of data should meet or exceed the standard. It's just good business.

Is the Self-Assessment Questionnaire all I need to do to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS)?

In accordance with payment brands’ compliance programs, those merchants and service providers who are permitted by the payment brands to self-evaluate their compliance with the PCI DSS may need to complete the following steps:

  1. Complete the Self-Assessment Questionnaire according to the instructions in the Self-Assessment Questionnaire Instructions and Guidelines.
  2. Complete a clean vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV), and obtain evidence of a passing scan from the ASV.
  3. Complete the relevant Attestation of Compliance in its entirety.
  4. Submit the SAQ, evidence of a passing scan, and the Attestation of Compliance, along with any other requested documentation, to your acquirer.

Who needs to complete the Self Assessment Questionnaire?

Your acquiring bank can confirm, but typically all level 2, 3, and 4 merchants and service providers can complete a PCI Self-Assessment Questionnaire on an annual basis.

I can just answer “yes” to all the criteria on the Self-Assessment Questionnaire.

The Self-Assessment Questionnaire is a mechanism for reporting the level of your compliance to your merchant bank. The standard applies at all times. Simply answering "yes" to the questions puts you at great risk. If a compromise occurs and you are not compliant, the matter would be taken very seriously, with the potential of huge fines and the loss of your ability to process credit cards. You would be risking your whole business by answering "yes" to the questions when there is no factual basis for the answers.

What are the consequences to my business if I do not comply with the PCI DSS?

There are many aspects to the penalties that can be incurred as the result of non-compliance. First, there are financial penalties. Vendor violations can range from $10K - 100K/month. In addition, restrictions up to and including permanent prohibition of the merchant's participation in credit card programs could be applied to a non-compliant merchant who has a security breach. This all leads to a public loss of consumer trust due to confidential data disclosures, harming the reputation and brand of the merchant in a way that may become irreparable.

Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data?

PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. However, under PCI DSS requirement 12.8, if the merchant shares cardholder data with a third party processor or service provider, the merchant must ensure that there is a contractual obligation for that third party processor/service provider to adhere to the PCI DSS and that the third party processor/service provider is responsible for the security of the cardholder data it possesses. In lieu of a direct agreement, the merchant must obtain evidence of the third-party processor/service provider's compliance with PCI DSS via other means, such as via a letter of attestation.

I can wait until my bank asks me to be compliant.

No, the dates for merchants to be PCI compliant are long gone. You are responsible for making sure you are in compliance.
