Your most common questions about the payment card industry data security standard, answered.
Note: This post was updated September 26, 2017.
By: George Mateaki
CISSP, CISA, QSA, PA-QSA
What is PCI compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is maintained by the PCI Security Standards Council (PCI SSC), which was formed in 2006 by the major card brands (Visa, MasterCard, American Express, Discover Financial Services, and JCB International).
All businesses that process, store, or transmit payment card data are required to implement the standard to prevent cardholder data theft. Your card-handling practices and processing environment determine which PCI DSS requirements apply to your business.
What is PCI validation?
The card brands, acting through your merchant processor (acquirer), require all merchants to comply with the PCI DSS. Validation (proof of compliance) is mandated annually by some merchant processors and is the way you document your compliance. Validation requirements vary with your annual payment card transaction volume (your merchant level) and may require a Self-Assessment Questionnaire (SAQ) or an independent onsite assessment by a Qualified Security Assessor (QSA).
Who is required to become PCI compliant?
All businesses that process, store, or transmit payment card information are required to comply with the PCI DSS.
Why haven't I heard of PCI compliance until now?
PCI compliance was first mandated in 2006. The PCI Security Standards Council, the card brands, and your merchant processor are doing their best to make sure all merchants are aware of the standard.
Is PCI compliance required by law?
The government does not regulate PCI*; however, when you signed your payment card contract and confirmed your desire to accept credit and debit cards at your business, you agreed to follow the card brand rules. If you wish to keep accepting Visa, MasterCard, JCB, American Express, and Discover, you must comply with the PCI DSS.
*Note: Some states, including Nevada, Minnesota and Washington, have incorporated PCI DSS compliance into their state laws.
When is the deadline to become PCI compliant?
For most merchants, the deadline for compliance has already passed. Contact your merchant processor for the details that apply to your merchant account. The sooner you become compliant, the less likely you are to suffer a breach.
What happens if I don't become PCI compliant?
If you are not PCI compliant, you are more vulnerable to data compromise, and you may also be fined by your merchant processor and/or the card brands for not validating PCI compliance.
I only process a few cards a year. Do I still need to be PCI compliant?
Yes. Even if you only process one transaction per year, you must implement the PCI DSS in your processing environment.
SEE ALSO: 10 PCI Security Standard Myths
What is required to become PCI compliant?
Typical steps for merchants to become PCI DSS compliant include, but are not limited to:
- Determine your PCI DSS validation type (this informs your requirements)
- Address all requirements found in your Self-Assessment Questionnaire (SAQ) (e.g., external vulnerability scans, penetration tests, employee training, etc.)
- Attest to your compliance annually
- Complete quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) and report passing results, where your SAQ requires them (for example, SAQ A-EP, B-IP, C, and D)
What is the most current version of the PCI DSS?
The PCI SSC released PCI DSS version 3.2 in April 2016. It replaces version 3.1 (retired October 31, 2016) "to address growing threats to customer payment information." The new compliance requirements introduced in version 3.2 are considered best practices until January 31, 2018. Starting on February 1, 2018, they are effective requirements.
Which SAQ am I supposed to complete?
Ultimately, you must choose the SAQ that's right for your processing environment, but generally speaking:
- SAQ A is for e-commerce/mail/telephone-order (card-not-present) merchants that have fully outsourced all cardholder data functions. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
- SAQ A-EP is for e-commerce-only merchants that use a third-party service provider to handle their card information, and who have a website that doesn’t handle card data, but could impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
- SAQ B is for merchants that use imprint machines and/or standalone, dial-out terminals, and have no electronic cardholder data storage. Not for e-commerce.
- SAQ B-IP is for merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, and that have no electronic cardholder data storage. Not for e-commerce.
- SAQ C-VT is for merchants that use a virtual terminal on one computer dedicated solely to card processing. No electronic cardholder data storage. Not for e-commerce.
- SAQ C is for any merchant with a payment application connected to the Internet, but with no electronic cardholder data storage.
- SAQ P2PE is for merchants using approved point-to-point encryption (P2PE) devices, with no electronic card data storage.
- SAQ D for Merchants is for merchants that do not meet the criteria for any other SAQ, including merchants that DO store cardholder data electronically.
- SAQ D for Service Providers is for service providers deemed eligible to complete an SAQ.
Read more about PCI DSS 3.2 SAQ updates.
What is a PCI compliance certificate?
Some QSA/ASV companies provide certificates confirming that an organization is PCI DSS compliant. A compliance certificate is not mandatory and is not a document the PCI SSC or the card brands recognize; the documents that actually evidence compliance are your completed SAQ (or Report on Compliance) and the signed Attestation of Compliance (AOC). You do not need a certificate to be PCI compliant.
Am I PCI compliant if my site has an SSL/TLS certificate?
Unfortunately, no. An SSL/TLS certificate is an important element of a secure website, but on its own it does not meet PCI DSS requirements.
Do I need to be PCI compliant if I don't use a computer to process credit cards?
Yes. PCI compliance doesn't require a connection to the Internet or even a computer system. PCI compliance is determined by the way you store, handle, or process credit card information, whether that information is in a locked filing cabinet or on a computer.
SEE ALSO: How Much Does PCI Compliance Cost?
What should I do if I think my business has been compromised?
Disconnect the affected systems from the Internet, but do not power them off, wipe them, or reimage them, since that destroys the evidence an investigation depends on. Then call your merchant processor and a forensic investigator. PCI Forensic Investigators (PFIs) help you find and fix the security holes in your processing environment. They help you identify how and when attackers breached your systems, determine whether card data was compromised, and document for the card brands your efforts to remediate the vulnerabilities that led to the data breach.
SEE ALSO: The 6 Phases in an Incident Response Plan
What is SecurityMetrics' role in PCI compliance?
SecurityMetrics helps businesses get PCI compliant. We help merchants validate compliance and implement the Payment Card Industry Data Security Standard. SecurityMetrics is an Approved Scanning Vendor and is certified to perform PCI scans, onsite PCI audits, payment application software audits, point-of-sale terminal security audits, penetration tests, and forensic analysis (to assess card data compromises).
SecurityMetrics QSAs & experts hold certifications like:
- Certified Information Systems Security Professional (CISSP)
- Certified Information Systems Auditor (CISA)
- PCI Forensic Investigator (PFI)
- Approved Scanning Vendor (ASV)
- Qualified Security Assessor (QSA)
- Payment Application Qualified Security Assessor (PA-QSA)
- Point-to-Point Encryption Qualified Security Assessor (P2PE QSA)
- HealthCare Information Security and Privacy Practitioner (HCISPP)
My SecurityMetrics account has just been created. What now?
Log in to your account and begin the process of becoming PCI compliant. Start by working through each section of your SAQ.
If you have more questions about PCI Compliance or anything related to data security, contact one of our experts.
George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.