What is the PCI DSS?
PCI DSS stands for ‘Payment Card Industry Data Security Standard’. This is a set of security requirements created by the Payment Card Industry, laying out what Merchants need to do to protect customer information. The PCI Council (which is an industry body made up of organizations like Visa, MasterCard, American Express, Discover, etc.) requires that Merchants meet this set of security requirements if their business accepts, transmits, or processes customer payment cards (such as credit cards or debit cards). Merchants that do not comply with these requirements can be penalized in a number of ways, up and including having their card-processing privileges revoked, leaving them unable to accept customer payment cards.
Get a copy of the PCI DSS.
It should be noted that this site gives Merchants additional tools and advice to help them deal with the requirements of the PCI DSS.
To whom does PCI apply?
PCI applies to ALL organizations or Merchants, regardless of size, that accept, transmit, or store any payment card information. In other words, if any customer of that organization ever pays using a credit card or debit card, then the PCI DSS requirements apply.
What if a merchant refuses to cooperate?
PCI is not, in itself, a law: the standard was put together by business organizations including Visa, MasterCard, and the other major card companies. Merchants that do not comply with PCI DSS are not necessarily breaking any law, but they are probably violating their Terms of Service or contract with their acquiring bank and the card associations. This means that the Merchant might be penalized or sued, or these companies might refuse to work with the Merchant. This would mean that the merchant would be unable to process credit or debit cards.
What does a merchant have to do in order to satisfy the PCI requirements?
To satisfy the requirements of PCI, a Merchant must do two things:
- Comply with the Data Security Standard (by meeting all of the requirements laid out in the Data Security Standard), and
- Validate their compliance. This means the Merchant must SHOW (in a manner appropriate to their size and situation) that they are complying with the Data Security Standard. For some Merchants (those with a high volume of card transactions, or with a history of security problems) validation involves on-site audits by certified professionals, but for many Merchants the primary requirements are:
- • annual completion and submission by the merchant of a PCI Self Assessment Questionnaire (the ‘SAQ’); and
- • where appropriate, undertaking a quarterly network vulnerability scan undertaken by a certified scanning company.
More information is available in the FAQ sections on Compliance and Validation.
Important: Being in Compliance does NOT automatically mean that the Merchant has met their Validation requirement (in the same way that individuals must comply with the Tax Code by paying income tax, AND validate their compliance via the use of receipts and other documents.)
What is the self-assessment questionnaire?
The Self-Assessment Questionnaire is a form that Merchants may be required to complete every year and submit to their Acquiring Bank. It was created by the PCI Council. Completing a Self-Assessment Questionnaire helps Merchants do two things:
- • Check their Compliance, by finding out for themselves if they are in compliance with the Data Security Standard; and
- • Complete part of their Validation, but giving others, such as their Acquiring Bank, evidence that they are in Compliance with the PCI Data Security Standard.
As of February 2008, there is no longer a single ‘one size fits all’ Self-Assessment Questionnaire. Merchants now need to identify which of 5 ‘Validation Type’ categories they fit into, and then complete the appropriate Self-Assessment Questionnaire for their category. For some Merchants, the appropriate Self-Assessment Questionnaire is short and simple, while for other merchants the appropriate Self-Assessment Questionnaire is long and extremely technical. Note that for all versions of the Self-Assessment Questionnaire, Merchants will only pass if they pass (or be able to say ‘Not Applicable’ to) ALL of the questions in the Questionnaire.
This web site gives Merchants access to free tools and services that make it much easier for them to identify the Self-Assessment Questionnaire that is appropriate for them, and complete it. In fact, the tools here do it for the Merchant, based on their answers to some much simpler questions that this web-site asks. Where the questions are complicated or technical, the tools provide expert assistance and guidance. Merchants also have access through this site to a variety of tools and services to help them quickly and easily solve any Compliance failures they might have.
What is the SAQ?
‘SAQ’ stands for the PCI ‘Self-Assessment Questionnaire’. See the above question and answer for more detail.
What is meant by compliance?
Being in Compliance means ‘meeting all of the requirements laid out in the Payment Card Industry Data Security Standard’. The requirements for Compliance are the same for ALL Merchants, large or small. (However, smaller Merchants typically avoid many of the Compliance problems that larger organizations face, because their systems and networks are usually simpler.)
What is meant by validation?
Validation means a Merchant’s ability to show, via standard documents and/or tests, that they are meeting the PCI DSS requirements. The different types of Merchant face different levels of Validation burden, depending on which of four levels they are assigned to. Merchants that were directed to this web-site are, at the very least, required to complete the Self-Assessment Questionnaire.
How are the different merchant levels defined?
Merchant Level 1:
- • Any Merchant that processes over 6,000,000 Visa or MasterCard transactions per year (regardless of whether the transactions are e-commerce or not), OR
- • Any Merchant that is declared to be Level 1 by any Card Association
- • Any Merchant that has suffered a security incident or attack that resulted in an account data compromise
Merchant Level 2:
Any Merchant processing 1,000,000 to 6,000,000 Visa or MasterCard transactions per year.
Merchant Level 3:
Any Merchant processing 20,000 to 1,000,000 Visa or Mastercard e-commerce transactions per year.
Merchant Level 4:
Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants processing fewer than 1,000,000 transactions per year.
What is meant by remidation?
Remediation means the process of fixing any Compliance failures. A Merchant who constructs an appropriate remediation program and completes it will be (by definition) in compliance with the PCI DSS.
Is PCI a government program? Is it law?
No: PCI is not, in itself, a law: the standard was put together by business organizations including Visa, MasterCard, and the other major card companies. Merchants that do not comply with PCI DSS are not necessarily breaking any law, but they are probably violating their Terms of Service or contract with their acquiring bank and the card associations. This means that the Merchant might be penalized or sued, or these companies might refuse to work with the Merchant. This would mean that the merchant would be unable to process credit or debit cards
Are merchants required to use the tools provided through this website to fix any compliance problems?
No: The tools provided through this web-site are offered as a low-cost convenient way to fix problems, but Merchants are free to use any remediation tools they want to fix their Compliance problems. Merchants who use other tools are then solely responsible for making sure that those tools are appropriately selected and properly implemented, and are then responsible for re-taking the Self-Assessment Questionnaire.
If a merchant does not have internet access what options do they have to complete SAQ forms?
This is a 2-part answer:
Part 1: A merchant does not need Internet access in the retail environment to complete the SAQ or to be PCI compliant. They only need Internet access during the process of completing their SAQ, and an email address to receive certificates and/or remediation response from Panoptic Security. The merchant’s ISO or agent could be a support system for the merchant in the event that no Internet access is available. The ISO can either walk the merchant through the process, using their own Internet access, or provide the merchant with a printed version of the SAQ to do manually and return to Panoptic Security through their ISO. At all times, a merchant can retrieve a complete FAQ to use as a guide through the SAQ process through the Panoptic website, or by having their ISO or agent provide them with a printed version along with the printed SAQ.
Part 2: If a merchant does not have on-site Internet access in their retail environment, their PCI compliance and security risk potential may be reduced or simplified as a result. This is not the rule, but the norm.
What is the fix-it plan?
The Fix-It Plan is something within PCI. When a merchant fails their PCI Questionnaire they are given a “Fix-It plan”. Once the steps in the Fix-It Plan are completed they become PCI compliant.