PCI Compliance FAQ

What does PCI stand for?

The term PCI refers to the Payment Card Industry Data Security Standard, also known as PCI DSS. It is a set of security requirements for any company that accepts, processes, stores, or transmits credit card information, intended to make sure that data is handled securely.

The PCI DSS is set and managed by the Payment Card Industry Security Standards Council (the PCI SSC) founded on September 7th 2006. This is an independent body set up by many of the large credit card brands including Visa, MasterCard, JCB, Discover, and American Express.

Security standards in the Payment Card Industry (PCI) are continually improved to keep payment account security at its highest throughout the transaction process. The PCI council itself is not responsible for making sure the parties to a transaction follow the security standards; enforcement is always down to the acquirer or payment brand.

Who does the PCI Data Security Standard (PCI DSS) apply to?

All organizations that accept, process, store, or transmit any credit card information should follow the PCI DSS. The number of transactions and the size of the organization are irrelevant.

Can anyone see the PCI DSS?

Yes. The PCI Data Security Standard is published on the PCI Security Standards Council website.

What levels of PCI compliance are there? And which merchant falls into which?

Based on the number of Visa transactions a merchant has carried out in the past 12 months, it will fall into one of four levels. The transaction count for a merchant Doing Business As (DBA) includes all prepaid, debit, and credit card transactions. If an organization does business under more than one name, Visa acquirers must include the transaction volume from all of its DBAs. If the corporate entity does not aggregate transaction data across its DBAs, Visa acquirers will continue to use only the individual DBA's transaction volume to determine its merchant level.

Visa defines the four merchant levels as follows:

1) Merchants processing over 6 million Visa transactions per year across all channels, or merchants classed by Visa as global level one merchants.

2) Merchants that process between one and six million Visa transactions per year across all channels.

3) Merchants processing more than 20,000 but fewer than one million Visa e-commerce transactions per year.

4) E-commerce-only merchants that process fewer than 20,000 Visa transactions per year.

Any merchant that has been compromised may be escalated to a higher merchant level by Visa.

What does a level 4 merchant need to do in order to comply with the PCI DSS requirements?

First, you will need to consult the PCI SSC's SAQ selection chart to work out which Self-Assessment Questionnaire (SAQ) your business must use to comply:


You then need to fill in the Self-Assessment Questionnaire that applies to your business.

If your business falls under SAQ A-EP, B-IP, C, D-Merchant, or D-Service Provider, you will also need to pass a vulnerability scan performed by an Approved Scanning Vendor (ASV).

The Attestation of Compliance must be completed by a Qualified Security Assessor (QSA) or by the merchant to comply with the PCI DSS. It can be found in the SAQ tool.

Finally, the business must submit the Self-Assessment Questionnaire, evidence of a passing vulnerability scan (if applicable), the Attestation of Compliance, and any other documents requested by your acquirer.

Does the PCI DSS still apply to me even if I only accept card payments over the phone?

Absolutely. Any business that stores, processes, or transmits transaction data has to comply.

Does an organization need to be PCI compliant if it uses a third-party processor?

Yes. Using a third-party processor does not remove the obligation to comply with the PCI DSS. What it can do is reduce the organization's risk exposure and the effort needed to prove compliance, but not the obligation itself.

If a business operates from multiple locations, do they all need to show PCI DSS compliance?

Usually, if all of your business locations come under the same tax ID, validation is only required once per year for all of them. You must also pass and submit a scan carried out by an Approved Scanning Vendor (ASV) if the Self-Assessment Questionnaire requires one.

My business only does e-commerce, which Self-Assessment Questionnaire should I use?

This depends on how the shopping cart section of your site is set up. ControlScan publishes a chart that maps each e-commerce setup to the SAQ that applies.

Does my business still need to comply with the PCI DSS if it doesn’t store any payment data?

Yes. PCI compliance applies to any organization that accepts credit or debit cards as a form of payment. Not storing card data may actually make compliance easier, since storing it always carries some level of risk.

Which cards are classed as in scope for PCI?

Any card branded with the logo of one of the five PCI SSC participating brands (Visa, MasterCard, JCB, Discover, and American Express) is in scope, regardless of whether it is a debit, credit, or prepaid card.

I have an SSL certificate on my site, does this make me PCI compliant?

SSL certificates can’t prevent intrusions or malicious attacks, therefore they do not make a business PCI compliant. An SSL certificate secures the connection between the web server and the browser of the customer, and it shows that the owners of the website are a legitimate organization, but it does not