PCI DSS FAQs

Frequently Asked Questions About PCI DSS Compliance

Businesses often have questions about how to make sure they are in compliance with the Payment Card Industry Data Security Standard (PCI DSS), a set of basic security standards designed to help reduce the risk of theft and fraud of customers' sensitive credit and debit card data.

Here are some of the most common PCI DSS questions and brief answers:

The Payment Card Industry Data Security Standard (PCI DSS) is a set of basic security standards and procedures established by Visa®, MasterCard®, Discover® and American Express®, designed to help reduce the risk of theft and fraud of sensitive cardholder information. All businesses accepting credit and debit cards must validate their compliance with PCI DSS.

Yes. All businesses that accept credit and debit cards must be able to prove that they are in compliance with PCI DSS. This ranges from small, single-terminal restaurants and retailers to large national chains with advanced computer networks and hundreds of thousands of payment card customers.

Most merchants will only need to complete a PCI DSS Self-Assessment Questionnaire (or SAQ) in order to validate compliance. Visit https://www.pcisecuritystandards.org/document_library for detailed guidance on the SAQ and instructions for downloading and completing the SAQ that's appropriate for your business.

If you only use dial-up terminals for card processing and do not store payment data electronically, you may not need to perform a network vulnerability scan. Completing the appropriate SAQ may be sufficient.

If you only have to complete an SAQ, your PCI DSS certification is valid for one year. If you also have to perform a network vulnerability scan, your certification is good for three months, at which time you must perform another scan.

Card processors (like PNC Merchant Services®) are required to report the PCI DSS compliance status of their merchant customers to the Card Associations. Businesses that do not validate their compliance are subject to substantial fines if their customers' payment data is compromised – in addition to expenses associated with any fraudulent transactions that may occur. These businesses may also be stripped of their ability to accept credit and debit cards in the future.