Guest Blog Writer: George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.

George Mateaki

As you might expect, we get a lot of questions about PCI DSS Compliance. Here are the answers to your most frequently asked questions!

What is PCI compliance?

The Payment Card Industry Data Security Standard (PCI DSS) was established in 2006 by the major card brands (i.e., Visa, MasterCard, American Express, Discover Financial Services, JCB International). 

All businesses that accept, process, store or transmit payment cardholder data are required to implement this standard to maintain a secure environment. Your card-handling practices and processing environment determine which PCI DSS requirements apply to your business.

What is PCI validation?

The Payment Card Industry Security Standards Council (PCI SSC) mandates that all merchants comply with the PCI standard. Annual validation (or proof) is mandated by the major card brands and is a way of documenting your compliance. Validation requirements vary based upon annual payment card transactions and may require a self-assessment or independent onsite audit.

Who is required to become PCI-compliant?

Any organization that accept, process, store or transmit payment card information are required to comply with the PCI DSS.

Is PCI compliance required by law?

The government does not regulate PCI*; however, when you signed your payment card contract—confirming your desire to accept credit and debit cards at your business—you agreed to follow card brand rules. If you choose to accept Visa, MasterCard, JCB, American Express or Discover, you must comply with the PCI DSS.

*Note: Some states–including Nevada, Minnesota, and Washington–have incorporated PCI DSS compliance into their state laws.

What happens if I don't become PCI-compliant?

If you are not PCI compliant, you are more vulnerable to data compromise and may also be fined by merchant service providers and/or ISOs and the card brands for not validating PCI compliance.

I only process a few cards a year. Do I still need to be PCI-compliant?

Yes. Even if you only process one transaction per year, you must implement the PCI DSS in your processing environment.

What is required to become PCI-compliant?

Typical steps for merchants to become PCI DSS compliant include, but are not limited to:

  • Determining your PCI DSS validation type (this informs your requirements)
  • Addressing all requirements found in your Self-Assessment Questionnaire (SAQ) (e.g., external vulnerability scans, penetration tests, employee training)
  • Attesting to your compliance annually
  • Completing and reporting quarterly results of all scans performed by an Approved Scanning Vendor (ASV)

What is the most current version of the PCI DSS?

The PCI SCC recently released PCI DSS version 3.2.1. It replaces 3.2 to add clarification to existing requirements. PCI DSS version 3.2.1 goes into full effect starting on January 1, 2019.

Which Self-Assessment Questionnaire (SAQ) am I supposed to complete?

Ultimately, you must choose the SAQ that’s right for your processing environment, but generally speaking:

  • SAQ A is for e-commerce/mail/telephone-order (card-not-present) merchants that have fully outsourced all cardholder data functions. No electronic storage, processing or transmission of any cardholder data on the merchant’s systems or premises.
  • SAQ A-EP is for e-commerce-only merchants that use a third-party service provider to handle their card information, and who have a website that doesn’t handle card data, but could impact the security of the payment transaction. No electronic storage, processing or transmission of any cardholder data on the merchant’s systems or premises.
  • SAQ B is for merchants that use imprint machines and/or standalone, dial-out terminals, and have no electronic cardholder data storage. Not for e-commerce.
  • SAQ B-IP is for merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, and that have no electronic cardholder data storage. It's not for e-commerce.
  • SAQ C-VT is for merchants that use a virtual terminal on one computer dedicated solely to card processing. There is no electronic cardholder data storage. It's not for e-commerce.
  • SAQ C is for any merchant with a payment application connected to the Internet, but there is no electronic cardholder data storage.
  •  SAQ D for Merchants is for merchants that DO store credit card data electronically.

What is a PCI compliance certificate?

Some QSA/ASV companies provide certificates confirming that an organization is PCI DSS compliant. An actual compliance certificate is not mandatory, and you don’t necessarily need a certificate to be PCI-compliant.

Am I PCI-compliant if my site has an SSL/TLS certificate?

Unfortunately, no. An SSL/TLS certificate is an important element in a secure website, but alone does not meet PCI DSS requirements.

Who enforces PCI compliance?

Generally speaking, merchant banks enforce PCI DSS compliance. The PCI SSC was formed in 2006 by the major card brands (e.g., Visa, MasterCard, American Express, Discover Financial Services, JCB International) to regulate, maintain, evolve and promote PCI DSS compliance.

What should I do if I think my business has been compromised?

Disconnect your system from the Internet, call SecurityMetrics or your services provider, and call a forensic investigator. PCI forensic investigators help you find and fix the security holes in your processing environment. They help you identify how and when attackers breached your systems, determine if card data was compromised, and document your efforts to remediate the vulnerabilities that led to the data breach for the card brands.

What is SecurityMetrics' role in PCI compliance?

Authorize.Net partnered with SecurityMetrics to help our merchants validate compliance and implement the PCI DSS. SecurityMetrics is an Approved Scanning Vendor and is certified to perform PCI scans, onsite PCI audits, payment application software audits, point-of-sale terminal security audits, penetration tests, and forensic analysis (to assess card data compromises).

SecurityMetrics QSAs & experts hold certifications like:

  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Systems Auditor (CISA)
  • PCI Forensic Investigator (PFI)
  • Approved Scanning Vendor (ASV)
  • Qualified Security Assessor (QSA)
  • Payment Application Qualified Security Assessor (PA-QSA)
  • Point-to-Point Encryption Qualified Security Assessor (P2PE QSA)
  • HealthCare Information Security and Privacy Practitioner (HCISPP)

How do I get started with SecurityMetrics?

If you haven’t created an account yet, create one here and a PCI expert from SecurityMetrics will contact you to ensure the correct standards are applied to your account. If you have already created an account with SecurityMetrics,  log in to your account and begin the process of becoming PCI compliant. Start by going through each section of the SAQ.

This post is for informational purposes only and does not constitute legal advice or other professional advice or an opinion of any kind.