Common PCI Questions

1. What is the PCI DSS?
2. Am I obligated to comply with the PCI DSS?
3. Who in the organization is responsible for PCI compliance?
4. What if I only process a small amount of credit card transactions each year, do I still have to comply?
5. Do I only have to be compliant with the majority of criteria?
6. What are the potential consequences of non-compliance?
7. Who is at the greatest risk of a data breach?
8. How can I implement the necessary steps in my business to minimize the risk of a security breach and ensure PCI compliance?
9. How do I report my compliance?
10. What is the difference between a Qualified Security Assessor and an Approved Scanning Vendor?
11. Can’t I wait until my acquirer/credit card processor asks me to be compliant?
12. What is an Approved Scanning Vendor?
13. What is an Attestation of Compliance?
14. PCI compliance is just about technology, right?
15. Is there a vendor that can provide a solution to help franchisees with PCI compliance?

1. What is the PCI DSS?

The PCI DSS, or Payment Card Industry Data Security Standard, was founded by the major credit card brands to enhance payment account data security. The PCI guidelines are there to help you minimize your risk of losing cardholder data and suffering a breach.


2. Am I obligated to comply with the PCI DSS?

Yes, PCI requirements apply to every merchant that stores, processes or transmits credit or debit card information. Businesses must adhere to the PCI DSS at ALL times per their Merchant Agreement or risk potential consequences.


3. Who in the organization is responsible for PCI compliance?

The business owner is ultimately responsible (and 100% liable) for ensuring PCI compliance within the business. As the risk owner, they have a fiduciary and legal obligation to protect cardholder data within the business.


4. What if I only process a small amount of credit card transactions each year, do I still have to comply?

This is a common misunderstanding of the standard: if you are a merchant and accept any type of payment card (credit, debit, gift cards, etc.), then you need to become compliant, regardless of transaction volume.


5. Do I only have to be compliant with the majority of criteria?

Unfortunately, to become and remain compliant, you must be able to pass every requirement. Failing even one of the criteria means you are not in compliance with PCI and are exposed to all of the costly consequences.


6. What are the potential consequences of non-compliance?

There are many costly consequences, such as:

  • Risk of fines, fees and penalties - the average loss per record is approximately $204 and the cost to the business owner can easily run over a million dollars
  • Risk losing the ability to process payment cards
  • Negative PR – risk damaging your brand reputation
  • Lawsuits
  • Loss of business – over 60% of customers will not return to a restaurant that has suffered a breach


7. Who is at the greatest risk of a data breach?

While any company that isn’t compliant is at risk, payment card breaches occur 2 out of 3 times in the food service industry. Smaller merchants are at the greatest risk because they are less likely to have the proper security measures to protect their customers and their business.


8. How can I implement the necessary steps in my business to minimize the risk of a security breach and ensure PCI compliance?

The first step in creating a proactive security environment is to create an Information Security Policy (ISP). An ISP, which provides guidelines and procedures to protect payment card data, is essential to keep your organization safe and compliant. For more steps to PCI compliance, click here.


9. How do I report my compliance?

The Self-Assessment Questionnaire (SAQ) is a validation tool put out by the PCI SSC and is intended to assist merchants in self-evaluating their compliance with the PCI DSS (and should be completed if not required to complete a Report on Compliance). There are multiple versions of the SAQ to address various payment processing scenarios. To determine your validation level, click here.


10. What is the difference between a Qualified Security Assessor and an Approved Scanning Vendor?

Qualified Security Assessors (QSA) are authorized to perform annual audits for merchants and service providers to document compliance with PCI. Approved Scanning Vendors (ASV) are authorized to perform the external quarterly vulnerability scans to show compliance with requirement 11.2 of the PCI Data Security Standard.


11. Can’t I wait until my acquirer/credit card processor asks me to be compliant?

The compliance deadlines are long past. As the merchant, you are responsible for making sure you are in compliance today. Waiting until the acquirer/credit card processor asks you could be very costly indeed.


12. What is an Approved Scanning Vendor?

An Approved Scanning Vendor (ASV) is a security scanning vendor, certified by the Payment Card Industry Security Standards Council. Only an ASV, like SecureConnect, can provide the quarterly vulnerability scans needed for compliance.


13. What is an Attestation of Compliance?

The Attestation is your certification that you have performed the appropriate Self-Assessment Questionnaire and attest to your organization’s compliance status with the PCI DSS.


14. PCI compliance is just about technology, right?

No! PCI compliance is an overall business issue, so everyone needs to be aware of their role. All it takes is one employee who is careless with a customer's credit card, or who unknowingly downloads a virus onto the back office computer, and an attacker could take advantage of that opportunity to access confidential information.


15. Is there a vendor that can provide a solution to help franchisees with PCI compliance?

Yes! PCI compliance can be a difficult process with several technical components. With the SecureConnect PCI packages, merchants are presented with a comprehensive, turn-key solution to protect the payment card environment and maintain PCI compliance, all at a cost-effective price.

© 2011 SecureConnect Inc. All Rights Reserved.
Security Beyond PCI is a registered trademark of SecureConnect Inc.