PCI DSS Compliance


Questions and Answers about PCI DSS

PCI DSS compliance is a requirement that all of the card brands impose on every merchant business that accepts credit and debit card payments, in order to protect cardholder data.

The SecureTrust PCI Manager portal will help you validate PCI DSS compliance. Just log in and follow the steps shown. You will need to fill out the online SAQ (Self-Assessment Questionnaire), and you may need to perform a network vulnerability scan on a quarterly basis.

PCI DSS is the Payment Card Industry Data Security Standard, a set of requirements for keeping cardholder data secure.

The PCI Security Standards Council, or PCI SSC, is an organization founded by the card brands (Visa, MasterCard, Discover, American Express, and JCB) to manage the cardholder data security standards. Prior to the founding of the PCI Security Standards Council in 2006, each card brand maintained its own data security standard, including the Visa CISP (Cardholder Information Security Program) and the MasterCard SDP (Site Data Protection) program.

Most importantly, your business will be at a greater risk for a data breach, which could be very disruptive and expensive, and could cause your customers to lose confidence in your business. Secondarily, even if you don’t experience a data breach, if you don’t validate compliance then non-compliance penalties may be imposed upon your business, including fines and possible account termination.

If an actual or suspected data breach occurs, your business may incur significant expenses including forensic investigation fees, fines, and card replacement costs to reimburse card-issuing banks.

For a medium-sized merchant, total costs to recover from a data security breach in which cardholder data is exposed could be in the approximate range of $10,000 to $50,000 or more. For larger merchants the costs could of course be much higher, possibly millions of dollars if a large number of card numbers is exposed in the breach.

The SecureTrust PCI Manager portal provides the following:
  • Online Tutorials and Training about PCI DSS
  • PCI Wizard and To-Do List
  • Vulnerability Scanning Tool
  • Security Policy Advisor
  • Certificate of Compliance
  • Trusted Commerce Seal for e-Commerce Businesses
  • Various Other Online Tools and Benefits
All of these products and tools should make it much easier to understand and comply with the PCI DSS requirements. However, ultimately it is your responsibility to understand the requirements, and to ensure that your business follows the requirements and validates compliance.

As a service provider we must produce the merchant compliance program monitoring reports that the card brands require, and we use aggregated reporting and compliance-tracking tools to do so. For that reason we strongly prefer that you use the SecureTrust portal. However, if there is a special reason you would like to use a different PCI portal, please call our merchant support department to discuss your circumstances.

PCI DSS compliance must be validated annually. Compliance must be maintained continuously throughout the year by following your company’s established security policy. And when applicable, network vulnerability scans must be performed throughout the year at least quarterly.

The SAQ, or Self-Assessment Questionnaire, is a form that you fill out to assess your business's compliance with the PCI DSS requirements. The SecureTrust portal will help you choose the correct version of the SAQ and then will help you fill it out. Since there are multiple versions of the SAQ, some shorter and easier than others, it is important to select the right one for your business, and SecureTrust will help you with that.

The SAQ must be completed annually to validate your compliance.

There are eight different versions of the SAQ for PCI DSS v3.0, ranging in length from 14 questions on the simplest (SAQ A) to over 300 questions on the most extensive (SAQ D). The SecureTrust portal will help you select the correct SAQ.

A network vulnerability scan is an automated probe of your network that searches for possible security weaknesses, including devices that are missing needed patches or that are not configured securely enough to keep out intruders. After the scan completes, a report is automatically generated for you showing the findings, including a list of serious vulnerabilities that must be resolved (if any).

If applicable for your business, a network vulnerability scan must be performed at least four times per year, on a quarterly basis. Not all businesses require a network vulnerability scan, but if your network has externally-facing IP addresses, you will need one. The SecureTrust portal will help you determine whether you need a scan, and if you do it will provide a tool to perform the scan for you. The scan may be scheduled to run automatically on a quarterly basis, or more frequently if you desire.

If applicable for your business, a passing network vulnerability scan is required at least four times per year on a quarterly basis. If a scan "fails" (i.e., if one or more serious vulnerabilities are found; under the PCI ASV program any finding with a CVSS base score of 4.0 or higher causes a failing scan) then you must resolve the problem and perform the scan again, and continue doing so until you get a passing scan for that quarter.
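The pass/fail and quarterly rules described above, as an added example (this is not code from the SecureTrust portal or from Select Bankcard). It assumes the ASV failing threshold of CVSS 4.0, models "quarterly" as at least one passing scan in every calendar quarter of the reporting year, and uses constructed scan results rather than real scanner output; the host addresses and finding names are placeholders.

```python
"""Added example: evaluate scan results against the quarterly passing-scan rule.

Assumptions (not stated on the page):
  * A scan fails if any finding has a CVSS base score >= 4.0 (PCI ASV rule).
  * "Quarterly" means every calendar quarter of the year has a passing scan.
  * SAMPLE_SCANS below is constructed data, not output of a real scanner.
"""
from dataclasses import dataclass
from datetime import date

FAIL_THRESHOLD = 4.0  # assumption: ASV failing threshold (CVSS base score)


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss: float


@dataclass(frozen=True)
class Scan:
    scanned_on: date
    findings: tuple  # tuple of Finding


def failing_findings(scan):
    """Findings that on their own make the scan a fail (must be fixed, then rescan)."""
    return [f for f in scan.findings if f.cvss >= FAIL_THRESHOLD]


def scan_passes(scan):
    """A scan passes only when it has no finding at or above the threshold."""
    return not failing_findings(scan)


def quarter_of(d):
    """Map a date to a (year, quarter) pair, quarter in 1..4."""
    return (d.year, (d.month - 1) // 3 + 1)


def quarters_covered(scans):
    """Set of (year, quarter) that contain at least one passing scan."""
    return {quarter_of(s.scanned_on) for s in scans if scan_passes(s)}


def missing_quarters(scans, year):
    """Calendar quarters of `year` with no passing scan; an empty list means compliant."""
    wanted = {(year, q) for q in (1, 2, 3, 4)}
    return sorted(wanted - quarters_covered(scans))


# Constructed sample data: one failed Q1 scan followed by a passing rescan,
# a clean Q2 scan, a failed Q3 scan that was never rescanned, a clean Q4 scan.
SAMPLE_SCANS = (
    Scan(date(2015, 1, 20), (Finding("203.0.113.10", "TLS 1.0 enabled", 4.3),)),
    Scan(date(2015, 2, 3), (Finding("203.0.113.10", "HTTP server banner disclosure", 2.6),)),
    Scan(date(2015, 4, 15), ()),
    Scan(date(2015, 7, 9), (Finding("203.0.113.11", "Outdated OpenSSL version", 7.5),)),
    Scan(date(2015, 10, 2), ()),
)

if __name__ == "__main__":
    for s in SAMPLE_SCANS:
        status = "PASS" if scan_passes(s) else "FAIL"
        print(s.scanned_on, status, [f.title for f in failing_findings(s)])
    # Q3 2015 has only a failed scan, so the year is not covered.
    print("quarters without a passing scan:", missing_quarters(SAMPLE_SCANS, 2015))
```

Running the block prints a status line per scan and then reports Q3 2015 as the quarter still needing a passing rescan; the point of `missing_quarters` is that a failed scan that was never re-run leaves a hole even when other scans passed.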

Visa and MasterCard define four merchant levels, each with its own compliance validation requirements, based primarily on the number of transactions processed annually and on whether any of them are e-commerce transactions. Most small or medium-sized merchants are Level 4. Only very large merchants are Level 1. The SecureTrust portal will help you determine your merchant level and the associated validation requirements.

There are 12 main requirements and many sub-requirements in the PCI DSS v3.0 standard. The SecureTrust portal will provide training to help you understand the requirements.

All payment application software that you install at the physical premises of your business, including the payment applications that run on your payment terminals and devices, must be validated against the PA-DSS requirements and shown on the Validated Payment Applications list. All of the third-party payment service providers used by your business (including payment gateways, payment processors, hosted e-commerce solutions, and any other external systems that store or transmit cardholder data) must be PCI DSS compliant. Furthermore, they must be registered with Visa and shown on the Visa Global Registry of Service Providers, and registered with MasterCard and shown on the MasterCard PCI Compliant Service Providers List. Finally, both the Visa list and the MasterCard list must show a current PCI DSS validation for the service provider, so check the validation date on the listing rather than only the provider's name.

The Validated Payment Applications list is available at the following location:
https://www.pcisecuritystandards.org/approved_companies_providers/vpa_agreement.php

The Visa Global Registry of Service Providers list is available at the following location:
http://www.visa.com/splisting/

The MasterCard PCI Compliant Service Providers List is available at the following location:
http://www.mastercard.com/us/company/en/whatwedo/compliant_providers.html

The PA-DSS is the Payment Application Data Security Standard. Vendors of payment application software that is installed at a merchant business location, including the payment software that runs on physical payment terminals, must first validate that software against the PA-DSS standard and have it listed on the Validated Payment Applications list. PA-DSS covers the payment software, not the terminal hardware as such.

Yes. All businesses that accept credit card payments must be PCI DSS compliant. If all of your payments processing functions are outsourced to PCI DSS compliant service providers, it may simplify your compliance efforts. For example, you will likely be eligible for a much shorter and easier version of the SAQ form.

No. PCI DSS compliance, PCI DSS validation, and data security are three different things:

PCI DSS compliance means that your business actually meets the requirements and actually follows the practices required by PCI DSS.

PCI DSS validation means that you have provided acceptable evidence that your business is compliant with PCI DSS requirements.

Data security means that your systems and network are actually secure from attackers.

Theoretically, you could be PCI DSS compliant but not bother to validate your compliance—but this would be a bad idea, and your business may be subject to penalties. On the other hand, if you falsely validate PCI DSS compliance for your business by answering the SAQ questions incorrectly while not actually meeting the requirements, you put your business at increased risk of a data breach, and there could be penalties imposed on your business.

Yes. Even if you validate PCI DSS compliance and your business does maintain compliance with the PCI DSS requirements, it is still possible to experience a data breach; even the best security systems and practices are not impenetrable. It is, however, far less likely that a PCI DSS compliant business will be breached, since attackers tend to move on to easier targets. So although PCI DSS compliance does not completely eliminate the possibility of a data breach, it greatly reduces the probability.

Think of it this way: if you have homeowner's insurance, should you still lock your doors when you are away? The answer is yes, of course. Even though data breach insurance may mitigate your financial losses, it cannot replace or repair the damage to your business brand, or undo the sense of betrayal your customers may feel, if cardholder data is exposed. Furthermore, you are required to validate PCI DSS compliance for your business regardless of whether you have data breach insurance.

For questions about fees and billing, please contact our Merchant Support Team.

If you have questions not answered here or need any other help with your PCI DSS compliance, please contact our Merchant Support Team.


Select Bankcard Merchant Support Team
855.943.5763
support@selectbankcard.com