PCI COMPLIANCE FAQ

Q1: What is PCI?

PCI DSS stands for Payment Card Industry Data Security Standard. It is the set of security requirements designed to ensure that every company that accepts, processes, stores or transmits credit card information maintains a secure environment.

PCI SSC stands for Payment Card Industry Security Standards Council. The PCI SSC was launched on September 7, 2006 to manage the ongoing evolution of the payment card industry security standards, with a focus on improving payment account security throughout the transaction process.

The PCI SSC is an independent body that administers and manages the PCI DSS. It was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). Most importantly, the payment brands and acquirers are responsible for enforcing compliance, not the PCI Council.

Q2: Who does PCI DSS apply to?

PCI DSS applies to any organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.

Q3: Where can I find the PCI Data Security Standard (PCI DSS)?

The current PCI DSS documents can be found on the PCI Security Standards Council website.

Q4: What are the PCI compliance ‘levels’ and how are they determined?

All merchants fall into one of four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As ('DBA'). In cases where a merchant corporation has more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA's individual transaction volume to determine the validation level.

The merchant levels as defined by Visa are:

Merchant Level 1: any merchant, regardless of acceptance channel, processing over 6M Visa transactions per year, or any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.

Merchant Level 2: any merchant, regardless of acceptance channel, processing 1M to 6M Visa transactions per year.

Merchant Level 3: any merchant processing 20,000 to 1M Visa e-commerce transactions per year.

Merchant Level 4: any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1M Visa transactions per year.

Note that any merchant that has suffered a breach resulting in an account data compromise may be escalated to a higher validation level.

Q5: What does a small-to-medium sized business (Level 4 merchant) have to do in order to satisfy the PCI DSS requirements?

Satisfying the PCI requirements starts with determining which Self-Assessment Questionnaire (SAQ) your business should use to validate compliance.

Q6: How does taking credit cards by phone work with PCI?

For an explanation, see:

https://www.pcicomplianceguide.org/how-does-taking-credit-cards-by-phone-work-with-pci/

Q7: Do I have to be PCI compliant if I accept credit cards over the phone?

Yes. Any business that stores, processes or transmits payment cardholder data must be PCI compliant.

Q8: Do organizations using third-party processors have to be PCI DSS compliant?

Yes. Using a third-party company does not exclude a company from PCI DSS compliance. It may, however, reduce the company's risk exposure and consequently reduce the effort needed to validate compliance.

Q9: My business has multiple locations. Is PCI compliance validated for each location?

If your business locations process under the same Tax ID, you are typically expected to validate only once annually for all locations, and to submit passing network scans from a PCI SSC Approved Scanning Vendor (ASV) for each location, if applicable.

Q10: Which SAQ should be used when only doing e-commerce?

Which SAQ applies depends on how your e-commerce shopping cart is set up; see the following explanation of the basic shopping-cart setups.


Q11: If my business doesn't store credit card data, does that mean PCI compliance doesn't apply?

If you accept credit or debit cards as a form of payment, PCI compliance applies to you. Storing card data is risky, so if you do not store card data, becoming secure and compliant may be easier.

Q12: Are debit card transactions in scope for PCI?

Yes. In-scope cards include any debit, credit and pre-paid cards branded with one of the five card brand logos that participate in the PCI SSC: American Express, Discover, JCB, MasterCard and Visa International.

Q13: Am I PCI compliant if I have an SSL certificate?

No. An SSL/TLS certificate encrypts the connection between the customer's browser and your web server and so provides a first tier of customer security and reassurance, but it does not secure the web server itself from malicious attacks or intrusions. Many other steps are required to achieve PCI compliance.

Q14: My Company wants to store credit card data. What methods can we use?

Most merchants who need to store credit card data do so for recurring billing. The best way to store credit card data for recurring billing is to use a third-party credit card vault or tokenization provider, so that the real card number never sits in your own systems.

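To make the tokenization idea above concrete, here is an added example written for this FAQ (it is not code from the PCI SSC or from any real tokenization vendor). It assumes a hypothetical vault party that is the only component ever holding the PAN; the merchant side keeps a random token and the last four digits for display. The card number used is the well-known Visa test number, a constructed input, not a real account.

```python
"""Added example: a toy tokenization flow for recurring billing.

Illustrative only. `Vault` stands in for a tokenization provider that would
run in its own PCI-assessed environment; the merchant never sees the PAN
after enrolment and so stores no cardholder data of its own.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Vault:
    """Hypothetical tokenization provider (assumption: PANs encrypted at rest)."""
    _pans: dict = field(default_factory=dict)  # token -> PAN digits

    def tokenize(self, pan: str) -> dict:
        digits = pan.replace(" ", "").replace("-", "")
        if not digits.isdigit() or not 13 <= len(digits) <= 19:
            raise ValueError("PAN must be 13-19 digits")
        # The token is random, not derived from the PAN: it cannot be reversed
        # without the vault's table and carries no cardholder data itself.
        token = "tok_" + secrets.token_urlsafe(24)
        self._pans[token] = digits
        return {"token": token, "last4": digits[-4:]}

    def charge(self, token: str, amount_cents: int) -> dict:
        """Simulated recurring charge; detokenization happens only inside the vault."""
        pan = self._pans.get(token)
        if pan is None:
            raise KeyError("unknown token")
        # A real vault would now call the processor with the PAN (omitted here).
        masked = "*" * (len(pan) - 4) + pan[-4:]  # receipt shows last four only
        return {"approved": True, "amount_cents": amount_cents, "card": masked}


@dataclass
class MerchantCustomer:
    """What the merchant database stores: token and last four, never the PAN."""
    customer_id: str
    token: str
    last4: str


def enroll_customer(vault: Vault, customer_id: str, pan: str) -> MerchantCustomer:
    """Hand the PAN to the vault once, keep only what comes back."""
    result = vault.tokenize(pan)
    return MerchantCustomer(customer_id, result["token"], result["last4"])


def merchant_record_holds_pan(record: MerchantCustomer, pan: str) -> bool:
    """Scope check: does any stored field contain the PAN minus its last four?"""
    digits = pan.replace(" ", "").replace("-", "")
    return any(digits[:-4] in str(v) for v in vars(record).values())


if __name__ == "__main__":
    vault = Vault()
    customer = enroll_customer(vault, "cust-1", "4111 1111 1111 1111")  # constructed test PAN
    print(customer)                                   # token + last4 only
    print(merchant_record_holds_pan(customer, "4111 1111 1111 1111"))  # False
    print(vault.charge(customer.token, 1999))         # masked card on the receipt
```

Because the merchant record contains only the token and the last four digits, it falls outside the Q16 definition of cardholder data; the vault, which does hold the PAN, is the party that must meet the full storage requirements.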

Q15: What are the penalties for non-compliance?

Yes, there are financial penalties for violating the standard. The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations.

Q16: What is defined as ‘cardholder data’?

The PCI Security Standards Council (SSC) defines cardholder data as the full Primary Account Number (PAN), or the full PAN along with any of the following elements: cardholder name, expiration date and service code.

Q17: What is a merchant?

For the purposes of the PCI DSS, a merchant is any entity that accepts payment cards bearing the logos of any of the five members of the PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.

Q18: What constitutes a service provider?

The PCI SSC defines a service provider as a business entity that is not a payment brand and is directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. Service providers have their own PCI DSS compliance and validation obligations.

Q19: What constitutes a payment application?

A payment application is anything that stores, processes or transmits card data electronically. This means that anything from a point-of-sale system to an e-commerce shopping cart is classified as a payment application.

Q20: What is a payment gateway?

A payment gateway connects a merchant to the bank or processor that acts as the front-end connection to the card brands.

Q21: What is PA-DSS?

PA-DSS is the Payment Application Data Security Standard, maintained by the PCI Security Standards Council (SSC) to address the critical issue of payment application security. Note that PA-DSS was retired by the PCI SSC in 2022 and succeeded by the PCI Secure Software Standard.

Q22: Can the full credit card number be printed on the consumer's copy of the receipt?

PCI DSS Requirement 3.3 states: "Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed)." While the requirement does not prohibit printing the full card number or expiry date on receipts, PCI DSS does not override any other laws that legislate what can be printed on receipts, or any other applicable laws.
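The following is an added example written for this FAQ (not PCI SSC code) that applies the Requirement 3.3 display limit quoted above and, tying in Q16, finds and masks PANs that have leaked into free text such as application logs. It uses a Luhn check so that order numbers and timestamps that merely look like card numbers are left alone. The log lines are constructed, using the standard Visa and Mastercard test numbers.

```python
"""Added example: mask PANs to the first-six/last-four limit and scrub stray
PANs out of text. Illustrative code; the sample log lines are constructed."""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded inside a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test (ISO/IEC 7812); filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN, never revealing more than the first six and last four digits
    (PCI DSS Req. 3.3). Pass keep_first=0 for the common 'last four only' display."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    keep_first = min(max(keep_first, 0), 6)   # clamp to the requirement's maximum
    keep_last = min(max(keep_last, 0), 4)
    head = digits[:keep_first]
    tail = digits[len(digits) - keep_last:]   # len(...)-0 keeps tail empty when keep_last is 0
    return head + "*" * (len(digits) - keep_first - keep_last) + tail


def scrub_text(text: str):
    """Replace every Luhn-valid PAN in text with its masked form.
    Returns (scrubbed_text, number_of_pans_masked)."""
    count = 0

    def repl(match):
        nonlocal count
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)   # e.g. a 16-digit order id: leave it alone
        count += 1
        return mask_pan(digits)

    return _PAN_RE.sub(repl, text), count


# Constructed sample log lines; the card numbers are published test numbers.
SAMPLE_LOG = [
    "INFO checkout order=2024091812345678 amount=19.99",     # 16 digits but not Luhn-valid
    "DEBUG gateway req pan=4111 1111 1111 1111 exp=12/27",   # Visa test number
    "DEBUG gateway req pan=5555-5555-5555-4444 cvv=***",     # Mastercard test number
    "INFO session 9f1c3d",
]


def scrub_log(lines):
    """Scrub a list of log lines; returns (scrubbed_lines, total_pans_masked)."""
    scrubbed, total = [], 0
    for line in lines:
        text, n = scrub_text(line)
        scrubbed.append(text)
        total += n
    return scrubbed, total


if __name__ == "__main__":
    lines, found = scrub_log(SAMPLE_LOG)
    print("\n".join(lines))
    print(f"{found} PAN(s) masked")
```

Two practical points the code makes explicit: the clamp in mask_pan means a caller cannot accidentally request "first eight" and exceed the Requirement 3.3 limit, and the Luhn filter keeps the scrubber from mangling legitimate 13-19 digit values such as order identifiers. Scrubbing logs after the fact is a fallback; the stronger control is never writing the PAN to a log in the first place.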

Q23: Is vulnerability scanning required to validate compliance?

If you qualify for certain Self-Assessment Questionnaires (SAQs), or you electronically store cardholder data post-authorization, then a quarterly scan by a PCI SSC Approved Scanning Vendor (ASV) is required to maintain compliance.

Q24: What is a vulnerability scan?

A vulnerability scan uses an automated tool to check a merchant's or service provider's systems for vulnerabilities. The scan tool conducts a non-intrusive scan that remotely reviews networks and web applications based on the external-facing Internet Protocol (IP) addresses provided by the merchant or service provider.

Q25: How often do I have to have a vulnerability scan?

Every 90 days, or once per quarter. Those who fit the criteria in Q23 are required to submit a passing scan. Merchants and service providers should submit compliance documentation according to the timetable determined by their acquirer.

Q26: What if my business refuses to cooperate?

PCI DSS is not itself a law. The standard was created by the major card brands Visa, MasterCard, Discover, Amex and JCB. At their acquirers' or service providers' discretion, merchants that do not comply with PCI DSS may be subject to fines, card replacement costs, costly forensic audits and brand damage.

Q27: If I'm running a business from home, am I a serious target for hackers?

Yes. Home users are arguably the most vulnerable simply because they are usually not well protected. Following a "path of least resistance" model, intruders will often zero in on home users, exploiting their always-on broadband connections and typical home-use programs such as chat, Internet games and P2P file-sharing applications.

Q28: What should I do if I’m compromised?

While many payment card data breaches are easily preventable, they can and still do happen to businesses of all sizes.

If your small- or mid-sized business has discovered it has been breached, there are many good resources to help you with the next steps.

Q29:  Do states have laws requiring data breach notifications to the affected parties?

Absolutely. California was the catalyst for data breach notification laws, implementing its breach notification law in 2003, and now nearly every state has a similar law in place.
