
PCI Compliance FAQs

1. What is PCI?
2. Who has to comply?
3. What is the process to use the PCI Compliance Service for certification?
4. How often do I need to scan?
5. Who needs to complete the self-assessment questionnaire?
6. I’m a small merchant who only takes a handful of cards, so I don’t need PCI.
7. PCI only applies to e-commerce companies.
8. You only have to be compliant with the majority of criteria.
9. I only need to protect my credit card data, not ATM debit card related data.
10. I can wait until my business grows.
11. I can just answer, “yes” to all the criteria on the Self-Assessment Questionnaire.
12. I can wait until my bank asks me to be compliant.
13. As a merchant, I did not sign anything saying I would be compliant; therefore, I do not need to be.
14. As a merchant, I’m entitled to store any data.
15. What is an Approved Scanning Vendor?
16. What are the certification levels and what do they mean?
17. Who needs to get external auditors for certification?
18. What is the difference between a Qualified Security Assessor and an Approved Scanning Vendor?
19. How does the PCI Compliance Service help me to get certified?
20. What is an Attestation of Compliance?

Q: What is PCI?

A: The term PCI stands for Payment Card Industry. When PCI is referred to, it is actually referencing the Payment Card Industry Data Security Standard (PCI DSS). It was developed by the major credit card companies as a guideline to help organizations that store, process or transmit cardholder data to prevent credit card fraud, cracking and various other security vulnerabilities and threats. A company processing, storing, or transmitting payment card data must be PCI DSS compliant or risk losing its ability to process credit card payments and being audited and/or fined. The current version of the standard (1.1) specifies 12 requirements for compliance, organized into six related groups, which are called "control objectives."

Q: Who has to comply?

A: The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization that processes credit or debit card information, including merchants and third-party service providers that store, process or transmit credit card/debit card data. Since the end of 2007, any organization that accepts payment card transactions must be in compliance with the standards.

However, according to the PCI DSS documentation, "PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply."

Credit card companies and acquiring banks can levy stiff fines and remove the merchant's ability to process credit card transactions until the merchant is PCI compliant. Basic functions such as email and employee Internet access can make a company's network reachable from the Internet. These seemingly insignificant paths to and from the Internet can provide unprotected pathways into merchant and service provider systems and can expose cardholder data if not properly controlled.

Q: What is the process to use the PCI Compliance Service for certification?

A: Contact SecureConnect at 888-949-SECURE to learn more about the certification process.

Q: How often do I need to scan?

A: To demonstrate compliance with the PCI Data Security Standard, merchants and service providers may be required to validate and conduct a network security scan on a regular basis as defined by the PCI Security Standards Council. Network security scans are an indispensable tool to be used in conjunction with a vulnerability management program. Scans help identify vulnerabilities and misconfigurations of websites and IT infrastructure containing externally facing IP addresses. Scan results provide valuable information that supports efficient patch management and other security measures that improve protection against Internet attacks.

Depending on your validation category, network security scans may be required every 90 days by an approved PCI scanning vendor. SecureConnect is an approved PCI scanning vendor. For more information, consult the payment brands or your acquiring bank.

Q: Who needs to complete the self-assessment questionnaire?

A: Your acquiring bank can confirm, but typically all level 2, 3, and 4 merchants and service providers must complete a PCI Self-Assessment Questionnaire on an annual basis.

Q: I’m a small merchant who only takes a handful of cards, so I don’t need PCI.

A: A common misunderstanding of the standard is that small merchants handling only a few credit cards a day are exempt from compliance. If you are a merchant and are set up to take credit cards by any mechanism, then you need to be compliant.

Q: PCI only applies to e-commerce companies.

A: No, PCI applies to every company that stores, processes or transmits cardholder information. In fact, anyone who takes card-present transactions involving POS devices is typically more at risk than an e-commerce solution. Quite often these types of transactions involve storage of track data (which is forbidden under PCI). Compromise of this type of data may bring heavy fines and requests for compensation from the banks involved.

Q: You only have to be compliant with the majority of criteria.

A: The pass mark for PCI is 100%, so if you fail even one of the criteria, you are not in compliance with PCI. The standard is not meant to be something to strive for; it is essentially a floor, a basis for further security measures. Failing to achieve even one of the requirements is failing to meet a basic standard for handling cardholder information. All companies that routinely handle this type of data should be aiming to exceed the standard.

Q: I only need to protect my credit card data, not ATM debit card related data.

A: Incorrect - both are required. Many debit cards are dual-purpose “signature debit,” which can be used on debit and credit card networks. As such, they are covered under PCI and must be protected in the same way as credit cards.

Q: I can wait until my business grows.

A: Incorrect. The PCI standard applies to all sizes of business and waiting could be costly. Should you be compromised and not be compliant, the fines and the compensation requirements by the banks (it typically costs between $50 and $90 to replace one card) could be substantial.

Q: I can just answer, “yes” to all the criteria on the Self-Assessment Questionnaire.

A: The Self-Assessment Questionnaire is a mechanism for getting the information about the level of your compliance to your merchant bank or to Visa. The standard applies at all times. Just saying yes to the questions puts you at great risk. If a compromise took place and it was obvious that you were not and have never been compliant, the matter would be taken very seriously by VISA. You would be risking your whole business by answering “yes” to the questions, when there is no factual basis for the answers.

Q: I can wait until my bank asks me to be compliant.

A: The dates for merchants to be in compliance are long gone. You are responsible for making sure you are in compliance. Waiting until the bank asks you could be very costly indeed.

Q: As a merchant, I did not sign anything saying I would be compliant; therefore, I do not need to be.

A: The PCI standard forms part of the operating regulations that are the rules under which merchants are allowed to operate merchant accounts. The regulations signed when you open an account at the bank state that the VISA regulations have to be adhered to. Even if you have been in business for decades, PCI still applies if you store, process or transmit credit cards.

Q: As a merchant, I’m entitled to store any data.

A: Many merchants believe that they own the customer and have a right to store all the data about that customer in order to help their business. Not only is this incorrect regarding PCI, it may also be a violation of State and Federal legislation regarding privacy. The PCI regulations specifically forbid storing of any of the following:

  • Unencrypted credit card number
  • CVV or CVV2
  • PIN blocks
  • PIN numbers
  • Track 1 or 2 data

Any of the above found in databases, log files, audit trails, backups etc. at a merchant can result in serious consequences for the merchant, especially if a compromise has taken place.
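The list above is a storage rule, and the practical question for a merchant is how to find out whether that data has already leaked into logs, audit trails or backups. As an added example (not SecureConnect's code and not part of this FAQ), the script below scans constructed log lines for the data types the list names: a Luhn (mod-10) check separates real card numbers from other long digit runs such as order ids, track-1 and track-2 swipe strings and logged CVV fields are matched by pattern, and every hit is reported and masked to first six/last four so the finding can be handed on without re-copying the data. The log lines, the field names (pan=, cvv2=) and the public test PAN 4111111111111111 are all constructed for this example.

```python
import re

# Constructed sample log lines for this example (not from the page). The card
# number is the public Visa test PAN 4111111111111111; the track strings and
# field names (pan=, cvv2=) are invented to look like a careless checkout/POS log.
SAMPLE_LOG = [
    "2010-03-01 12:00:01 checkout ok order=1001 pan=4111111111111111 cvv2=123",
    "2010-03-01 12:00:02 swipe raw=;4111111111111111=25121011000012345?",
    "2010-03-01 12:00:03 swipe raw=%B4111111111111111^DOE/JOHN^2512101?",
    "2010-03-01 12:00:04 info order=1002 tracking=4111111111111112",
    "2010-03-01 12:00:05 checkout ok order=1003 pan=411111******1111",
]

# Track 1: %<format code><PAN>^<name>^<expiry, service code, discretionary data>?
TRACK1_RE = re.compile(r"%[A-Z]\d{13,19}\^[^^]{2,26}\^\d+\??")
# Track 2: ;<PAN>=<expiry, service code, discretionary data>?
TRACK2_RE = re.compile(r";\d{13,19}=\d+\??")
# Card verification values logged as key/value pairs (CVV, CVV2, CVC, CVC2, CID)
CVV_RE = re.compile(r"\b(cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)
# Any run of 13-19 digits not adjacent to further digits or to mask characters
PAN_RE = re.compile(r"(?<![\d*])\d{13,19}(?![\d*])")


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check: true for well-formed card numbers, false for most other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the truncation PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scrub_line(line: str):
    """Return (scrubbed_line, findings) for one log line.

    findings lists "track", "cvv" and "pan" in the order they were found.
    Track data is removed whole, CVVs are blanked, PANs are masked, and
    digit runs that fail the Luhn check (order ids, timestamps) are left alone.
    """
    findings = []

    def _track(_m):
        findings.append("track")
        return "[TRACK DATA REMOVED]"

    def _cvv(m):
        findings.append("cvv")
        return m.group(1) + "=***"

    def _pan(m):
        digits = m.group(0)
        if not luhn_valid(digits):
            return digits
        findings.append("pan")
        return mask_pan(digits)

    # Track strings contain the PAN too, so remove them before the PAN pass.
    line = TRACK1_RE.sub(_track, line)
    line = TRACK2_RE.sub(_track, line)
    line = CVV_RE.sub(_cvv, line)
    line = PAN_RE.sub(_pan, line)
    return line, findings


def scan_log(lines):
    """Scrub every line; return (scrubbed_lines, report), report being [(line_index, findings), ...]."""
    scrubbed, report = [], []
    for i, line in enumerate(lines):
        clean, findings = scrub_line(line)
        scrubbed.append(clean)
        if findings:
            report.append((i, findings))
    return scrubbed, report


if __name__ == "__main__":
    cleaned, hits = scan_log(SAMPLE_LOG)
    for idx, kinds in hits:
        print(f"line {idx}: {', '.join(kinds)}")
    print("\n".join(cleaned))
```

Run against the constructed lines, the script flags the first line for a CVV and a PAN, the next two for track data, and leaves the Luhn-invalid tracking id and the already-masked PAN untouched. In practice the same pass would be pointed at rotated log files, database dumps and backup sets, and any non-empty report is a storage violation to remediate at the source rather than merely scrub after the fact.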

Q: What is an Approved Scanning Vendor?

A: All PCI scans must be conducted by a compliant third-party network security scanning vendor, selected from the list of approved vendors at PCI Security Standards. All compliant scanning vendors are required to conduct scans in accordance with a defined set of procedures. These procedures dictate that the normal operation of the customer environment is not to be impacted and that the vendor should never penetrate or alter the customer environment.

Q: What are the certification levels and what do they mean?

A: Information about merchant levels and service provider levels can be found at PCI Security Standards.

Q: Who needs to get external auditors for certification?

A: External auditors are required for annual audits of level 1 merchants and level 1 & 2 service providers. More information can be found at PCI Security Standards.

Q: What is the difference between a Qualified Security Assessor and an Approved Scanning Vendor?

A: Qualified Security Assessors (QSA) are authorized to perform annual audits for merchants and service providers to document compliance with PCI. Approved Scanning Vendors (ASV) are authorized to perform the quarterly scans to show compliance with the PCI Data Security Standard. Several qualified security assessors incorporate approved scanning vendors into their solution.

Q: How does the PCI Compliance Service help me to get certified?

A: Our company is certified as a PCI security scanning vendor to help merchants and their consultants achieve compliance with the PCI Data Security Standard. The PCI Compliance Service is an on-demand compliance testing and reporting service. Using the service, merchants can run PCI compliance scans, complete PCI Self-Assessment Questionnaires and submit compliance reports directly to acquiring banks. Our on-demand delivery model makes the PCI Compliance Service available anytime from any browser, without software to install or maintain.

Q: What is an Attestation of Compliance?

A: The Attestation is your certification that you have performed the appropriate Self-Assessment Questionnaire and attest to your organization’s compliance status with the PCI DSS.

© 2010 BHI Advanced Internet, Inc. Provider of SecureConnect®. All Rights Reserved.