Frequently Asked Questions
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment. Essentially any business that has a Merchant ID (MID) must meet the requirements of PCI DSS.
The Payment Card Industry Data Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, Discover Network, American Express, and JCB).
A copy of the Payment Card Industry Data Security Standard is available here.
PCI DSS applies to all organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.
The Standard can be found on the PCI SSC's website by clicking here.
All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As ('DBA'). In cases where a merchant corporation has more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA's individual transaction volume to determine the validation level.
|1||Any merchant, regardless of acceptance channel, processing over 6 million Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.|
|2||Any merchant, regardless of acceptance channel, processing 1 million to 6 million Visa transactions per year.|
|3||Any merchant processing 20,000 to 1 million Visa e-commerce transactions per year.|
|4||Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1 million transactions per year.|
Note: Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.
What does a small-to-medium sized business (Level 4 merchant) have to do in order to satisfy the PCI DSS requirements?
To satisfy the requirements of PCI, a merchant must complete the following steps:
- Identify your validation type as defined by PCI DSS, as listed below. This is used to determine which Self Assessment Questionnaire (SAQ) is appropriate for your business.
|SAQ Validation Type||Description||SAQ|
|1||Card-not-present (e-commerce and mail/telephone order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.||A|
|2||Imprint-only merchants with no cardholder data storage.||B|
|3||Stand-alone dial-up terminal merchants, no cardholder data storage||B|
|4||Merchants with payment application systems connected to the Internet, no cardholder data storage||C|
|5||All other merchants (not included in descriptions for SAQs A-C above) and all service providers defined by a payment brand as eligible to complete an SAQ.||D|
- Complete the Self-Assessment Questionnaire according to the instructions in the Self-Assessment Questionnaire instructions and guidelines.
- Complete and obtain evidence of passing a vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV). Note, scanning does not apply to all merchants. It is required for SAQ Validation Type 4 and 5 – those merchants with external facing IP addresses. Basically if you electronically store cardholder information or if your processing systems have any Internet connectivity, a quarterly scan by an approved scanning vendor is required.
- Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool).
- Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer.
Yes. All businesses that store, process or transmit payment cardholder data must be compliant with PCI DSS.
Yes. All businesses that store, process or transmit payment cardholder data must be compliant with PCI DSS.
Yes. Merely using a third-party company does not exclude a business from PCI DSS compliance. It may cut down on risk exposure and consequently reduce the effort to validate compliance. However, it does not mean a business can ignore the requirements of PCI DSS.
My business has multiple locations, is each location required to validate the requirements of PCI DSS?
If your business locations process under the same tax identification number, then typically you are only required to validate once annually for all locations. And, submit quarterly passing network scans by an PCI SSC Approved Scanning Vendor (ASV), if applicable.
In-scope cards include any debit, credit, and pre-paid cards branded with one of the five card association/brand logos that participate in the Payment Card Industry Security Standard Council – Visa, MasterCard, Discover Network, American Express, and JCB.
No. SSL certificates do not secure a web server from malicious attacks or intrusions. High assurance SSL certificates provide the first tier of customer security and reassurance such as the below, but there are other steps to achieve compliance with the PCI DSS requirements. See Question "What does a small-to-medium sized business (Level 4 merchant) have to do in order to satisfy the PCI DSS Requirements?"
- A secure connection between the customers' browser and the web server
- Validation that the website operators are a legitimate, legally accountable organization
Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data.
For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (Visa, MasterCard, Discover Network, American Express, JCB) as payment for goods and/or services. Note that a business that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other businesses or service providers. For example, an Internet Service Provider (ISP) is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.
The term payment application has a very broad meaning in the PCI DSS. A payment application is anything that stores, processes, or transmits card data electronically. This means that anything from a Point of Sale System (e.g., VeriFone or Hypercom swipe terminals, Aloha systems, etc.) in a restaurant to a website e-commerce shopping card (e.g., osCommerce, Authorize.Net, VeriSign, etc.) are all classified as payment applications. Therefore any piece of software that has been designed to touch credit card data is considered a payment application.
Payment gateways connect a merchant to the bank or processor that is acting as the front-end connection to the card brands. They are called gateways because they take many inputs from a variety of different applications and route those inputs to the appropriate bank or processor. Gateways communicate with the bank or processor using dial-up connections, web-based connections or privately held leased lines.
The point of sale (POS) environment refers to a transaction that takes place at a merchant location (i.e., retail store, restaurant, hotel, gas station, convenience store, etc.). An Internet protocol (IP) – based POS is when transactions are stored, processed, or transmitted on IP-based systems or systems communicating via TCP/IP.
PA-DSS refers to Payment Application Data Security Standard maintained by the Payment Card Industry Security Standards Council (PCI SSC). PABP is Visa’s Payment Application Best Practices, which is now referred to as PA-DSS. Visa started the program and it is being transitioned to the PCI SSC.
To address the critical issue of payment application security, in 2005 Visa created the Payment Application Best Practices (PABP) requirements to ensure vendors provide products which support merchants' efforts to maintain PCI DSS compliance and eliminate the storage of sensitive cardholder data. See www.visa.com/pabp for more information.
The Payment Card Industry Security Standards Council (PCI SSC) will maintain the PA-DSS and administer a program to validate payment applications’ compliance against this standard. The PCI SSC now publishes and maintains a list of PA-DSS validated applications which can be found here.
Visa Mandate Phase Deadline
- New PCI DSS Level 4 merchants (including new locations of existing relationships) may not use vulnerable payment application versions – those that store prohibited cardholder data as of January 1, 2008.
- New PCI DSS Level 4 merchants using third-party payment software must be either PCI DSS compliant or use PA-DSS validated compliant payment applications as of October 1, 2008.
- All PCI DSS Level 4 merchants (new and existing) using third-party software must use validated applications as of July 1, 2010.
If you electronically store cardholder data post authorization or if your processing systems have any Internet connectivity, a quarterly scan by a PCI SSC Approved Scanning Vendor (ASV) is required.
A network security scan involves an automated tool that checks a merchant or service provider’s systems for vulnerabilities. The tool will conduct a non-intrusive scan to remotely review networks and web applications based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider. The scan will identify vulnerabilities in operating systems, services, and devices that could be used by hackers to target the company's private network. As provided by an Approved Scanning Vendor (ASV) the tool will not require the merchant or service provider to install any software on their systems, and no denial-of-service attacks will be performed. Note, typically only merchants with external facing IP addresses are required to have passing quarterly scans to validate the requirements of PCI DSS. This is usually merchants completing the Self Assessment Questionnaire (SAQ) C or D version.
Every 90 days/once per quarter you are required to submit a passing scan. Merchants and service providers should submit compliance documentation (successful scan reports) according to the timetable determined by their acquirer. Scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV).
As per the requirements in the PCI DSS scanning procedures specifications, an IPS must be set to not block a scan. The service provides multiple scanners for external (perimeter) scanning, located at the Security Operations Center (SOC) that is hosting the PCI DSS compliance service. The scanner IP addresses range from 126.96.36.199 through 188.8.131.52. Depending on your network, it may be necessary to add the scanner IPs to your list of trusted IPs, so the service can send probes to the IP addresses in your account during scan processing.
Security scanning procedures are outlined as part of the PCI DSS. Supporting documents published by the PCI Security Standards Council can be found by clicking here.
The Payment Card Industry Data Security Standard (PCI DSS) is not, in itself, a law. The standard was created by the major card brands such as Visa, MasterCard, Discover Network, American Express, and JCB. At their acquirers/service providers discretion, merchants that do not comply with PCI DSS may be subject to fines, card replacement costs, costly forensic audits, brand damage, and the termination of your merchant account, should a breach event occur.
For a little upfront effort and cost to comply with PCI DSS, you greatly help reduce your risk from facing these extremely unpleasant and costly consequences.
Yes. Home users are arguably the most vulnerable simply because they are usually not well protected. Adopting a 'path of least resistance' model, intruders will often zero-in on home users – often exploiting their 'always on' broadband connections and typical home use programs such as chat, Internet games, and P2P file sharing applications.
If the event that you suspect a breach of cardholder data, follow Visa's "What to Do If Compromised Visa Fraud Control and Investigations Procedures" document which can be accessed by clicking here.
For more information on PCI DSS visit the following websites: