Frequently Asked Questions About PCI DSS Compliance
Businesses often have questions about how to make sure they are in compliance with the Payment Card Industry Data Security Standard (PCI DSS), a baseline set of security requirements designed to reduce the risk of theft of customers' credit and debit card data and the fraud that follows from it.
Here are some of the most common PCI DSS questions and brief answers:
Q: What is PCI DSS and who does it apply to?
A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of baseline security requirements and procedures maintained by the PCI Security Standards Council, which was founded by Visa®, MasterCard®, Discover®, American Express® and JCB®, designed to reduce the risk of theft and fraudulent use of cardholder data. It applies to every business that stores, processes or transmits credit or debit card data, and all businesses accepting credit and debit cards must validate their compliance with PCI DSS.
Q: If I only process a few hundred dollars a month, do I still need to be PCI DSS compliant?
A: Yes. All businesses that accept credit and debit cards must be able to validate that they are in compliance with PCI DSS, regardless of transaction volume. Volume affects only how you validate (which questionnaire or assessment applies), not whether the standard applies. This ranges from small, single-terminal restaurants and retailers to large national chains with complex computer networks and hundreds of thousands of payment card customers.
Q: How do I validate compliance with PCI DSS?
A: Most merchants will only need to complete a PCI DSS Self-Assessment Questionnaire (SAQ) in order to validate compliance. Visit https://www.pcisecuritystandards.org/merchants/self_assessment_form.php for detailed guidance on the SAQ and instructions for downloading and completing the SAQ that's appropriate for your business. Which SAQ applies depends on how you accept and handle card data, so choose it carefully: answering the wrong questionnaire does not validate compliance.
However, if you use a point-of-sale (POS) terminal or payment processing software with Internet access, you may also need to perform an external network vulnerability scan through an Approved Scanning Vendor (ASV). Visit https://pnc.trustkeeper.net for more details.
Q: How do I determine if I need to perform a network vulnerability scan?
A: The deciding factor is whether any system involved in card processing can be reached from the Internet. If you only use dial-up terminals for card processing and do not store payment data electronically, a network vulnerability scan is not required, and completing the appropriate SAQ may be sufficient. If your terminals or payment software connect over an Internet connection, or if you store card data on a computer, you should expect a quarterly external scan to be required in addition to the SAQ.
Q: How long is my PCI DSS compliance validation valid?
A: If you only have to complete an SAQ, your validation is good for one year, after which the SAQ must be completed again. If you also have to perform a network vulnerability scan, a passing scan is good for three months, at which time you must perform another scan; scans that fail must be repeated until a passing result is obtained. Note that validation is a point-in-time check, whereas the standard expects the underlying controls (such as patching and firewall configuration) to be maintained continuously between validations.
Q: What are the potential consequences of failing to validate PCI DSS compliance?
A: Card processors (like PNC Merchant Services®) are required to report the PCI DSS compliance status of their merchant customers to the card brands. Businesses that do not validate their compliance are subject to substantial fines if their customers' payment data is compromised, in addition to the expenses associated with any fraudulent transactions that may occur and the cost of the forensic investigation that typically follows a breach. These businesses may also be stripped of their ability to accept credit and debit cards in the future.