Payment Card Industry Data Security Standard (PCI DSS) FAQs
PCI DSS standards are not easy to figure out on your own. These are some of the most frequently asked questions about the card data security standard, and the answers may clear up a thing or two.
What is PCI DSS?
The Payment Card Industry (PCI) Data Security Standard (DSS) is a security standard created to maintain a high level of payment card data security. It prescribes, and provides the basis for assessing, the security requirements for any business (merchant or service provider) that processes, transmits, or stores credit card data.
It was created in 2006 by the PCI Security Standards Council (SSC), an organization formed by the five major payment card brands (Visa Inc., Mastercard, American Express, JCB International, and Discover Financial Services). The current version is 3.2, effective as of February 2018. Version 4.0, a major update, is slated to go into effect in mid-2021.
Does the Law Enforce PCI?
PCI DSS is not a state or federal regulation but an industry standard backed by the major card brands. Several states (Minnesota, Nevada, and Washington) have legislation that gives it some state and governmental support, and more states will probably follow in the future.
That does not mean businesses can neglect the PCI standards: other legislative and administrative mechanisms can lead to very unpleasant penalties and measures if a data breach, compromise, or theft occurs because the PCI standards were not followed.
What does PCI Validation Mean?
The PCI SSC requires all businesses that process, transmit, or store card data to comply with the PCI standards and to validate that compliance.
Validation is done in several steps. Some are performed by the business itself (merchant or service provider) at regular intervals, and others (depending on the SAQ) are performed by a registered, SSC-approved validation provider.
What’s the Deadline for PCI Compliance?
PCI DSS version 3.2 became effective in February 2018, and that date was the deadline for compliance with the 3.2 requirements. Without PCI compliance the chance of being hacked is significantly greater, so contacting your merchant processor to become compliant as soon as possible is a good idea.
What Happens if I Am Not PCI Compliant?
Lacking PCI compliance puts you at greater risk of card data compromise, which may lead to fines from the credit card brands and merchant processors. In some cases you can be fined even if there has not been a data compromise.
How to be PCI Compliant?
Some of the steps merchants need to take (along with additional steps required for specific merchants) are:
- Determine your PCI validation type, which determines the requirements that apply to you
- Meet all the requirements determined by your SAQ (Self-Assessment Questionnaire), for example vulnerability and penetration scans, employee training, etc.
- Attest to your business's compliance annually
- Have quarterly scans conducted by an ASV (Approved Scanning Vendor), and file the reports
Which SAQ Applies to My Business?
The choice of SAQ depends on the business. In general:
- SAQ A: Card-not-present merchants that fully outsource all functions related to cardholder data. The merchant's systems do not process, transmit, or store any cardholder data.
- SAQ A-EP: Merchants that outsource card data handling to a third-party provider but operate a website that, while it does not itself process cardholder data, may affect the security of the transaction. The merchant's systems do not process, transmit, or store any cardholder data.
- SAQ B: Merchants that use imprint machines and/or standalone dial-out payment terminals and have no electronic storage of cardholder data. Not for e-commerce.
- SAQ B-IP: Merchants that use only standalone, PTS-approved payment terminals with an IP connection to the payment processor and have no electronic storage of card data. Not for e-commerce.
- SAQ C-VT: Merchants that use a virtual terminal on a computer dedicated solely to card processing and do not store cardholder data electronically. Not for e-commerce.
- SAQ C: Merchants with a payment application connected to the Internet and no electronic storage of cardholder data.
- SAQ P2PE: Merchants that use approved P2PE (Point-to-Point Encryption) devices. No electronic storage of cardholder data.
- SAQ D for Merchants: Merchants that DO have electronic storage of cardholder data.
- SAQ D for Service Providers: Any service provider that is eligible to complete an SAQ.
Are PCI Compliance Certificates and SSL or TLS Certificates the Same?
Even though an SSL or, better, TLS certificate is vital for securing transactions and processing, a PCI compliance certificate is not the same thing. In other words, SSL/TLS certification alone does not meet PCI requirements.
What’s the Definition of Cardholder Data?
Cardholder data is narrowly defined as a full PAN (Primary Account Number) and more widely defined as a full PAN along with the following elements:
- The name of the cardholder
- Card Expiration Date
- Service Code
SAD (Sensitive Authentication Data) also has to be protected. This includes full magnetic stripe data, CVC2, CAV2, CID, CVV2, PINs, PIN blocks, etc.
What are Vulnerability Scans?
A vulnerability scan is an automated check of systems for vulnerabilities, the weak points that attackers could abuse to compromise cardholder data. It is a non-intrusive scan that reviews networks and web applications remotely, based on an external IP address that the merchant provides. Vulnerability scans are performed by an ASV.
Are there Penalties for Non-Compliance?
Yes, and the penalties can be quite damaging to businesses, especially small ones. The card brands can fine a bank anywhere from $5,000 to $10,000 per month for PCI violations. The banks then pass the fines down until they reach the merchant. Termination of the merchant account by the bank or an increase in transaction fees are also likely.
What are the Compliance Levels?
Level 1: Merchants that process more than six million Visa transactions every year, regardless of acceptance channel, plus any merchants that Visa has promoted to Level 1 at its discretion.
Level 2: Merchants that process one million to six million Visa transactions a year.
Level 3: Merchants that process 20,000 to one million Visa transactions annually.
Level 4: Merchants that process one to 20,000 Visa transactions annually, and all other merchants that process up to one million Visa transactions every year, regardless of acceptance channel.