PCI Compliance - What does it mean for me?

As a stakeholder in the Payment Card Industry (PCI), and the primary contact for our customers who process electronic card payments, it is in our collective interest to provide our merchants with timely information regarding PCI compliance and guidelines. Every merchant that accepts or processes payment cards must comply with PCI DSS requirements. PCI is often misunderstood and can become very confusing. The primary goal of PCI is to protect cardholder information. With this in mind, please contact us to learn how we can work together with you to ensure you are meeting PCI requirements.

These requirements include the following 12 items outlined below:


The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards, with a focus on improving payment account security throughout the transaction process. PCI security standards are technical and operational requirements set by the PCI SSC to protect cardholder data. Compliance with the PCI set of standards is mandatory for their respective stakeholders, and is enforced by the major payment card brands who established the Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.




PCI FAQs

The following Frequently Asked Questions regarding PCI are the most common questions we receive regarding compliance. The source of this information is the PCI SSC website. For additional information, please visit them at: https://www.pcisecuritystandards.org/.

Q: Where can I find the PCI Data Security Standards (PCI DSS)?
A: The Standard can be found on the PCI SSC's website: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

Q: What does a small-to-medium sized business (Level 4 merchant) have to do in order to satisfy the PCI requirements?

A: To satisfy the requirements of PCI, a merchant must complete the following steps:

  • Identify your Validation Type as defined by PCI DSS (see below). This is used to determine which Self-Assessment Questionnaire (SAQ) is appropriate for your business.
  • [Image: pci3.gif]
  • Complete the Self-Assessment Questionnaire according to the instructions in the Self-Assessment Questionnaire Instructions and Guidelines.
  • Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV). Note that scanning does not apply to all merchants. It is required for Validation Types 4 and 5, those merchants with external-facing IP addresses. Basically, if you electronically store cardholder information or if your processing systems have any internet connectivity, a quarterly scan by an approved scanning vendor is required.
  • Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool).
  • Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer.

Q: I’m a small merchant with very few card transactions; do I need to be compliant with PCI DSS?
A: All merchants, small or large, need to be PCI compliant. The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment cardholder data.

 

Q: If I only accept credit cards over the phone, does PCI still apply to me?
A: Yes. All businesses that store, process or transmit payment cardholder data must be PCI compliant.

 

Q: Are debit card transactions in scope for PCI?
A: In-scope cards include any debit, credit, and pre-paid cards branded with one of the five card association/brand logos that participate in the PCI SSC - American Express, Discover, JCB, MasterCard, and Visa International.

 

Q: What are the penalties for noncompliance?
A: The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream until it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.

It is important to be familiar with your merchant account agreement, which should outline your exposure.

 

Q: What is defined as ‘cardholder data’?
A: Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data.

 

Q: What is the definition of ‘merchant’?
A: For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but is also a service provider if it hosts merchants as customers.

 

Q: Can the full credit card number be printed on the consumer’s copy of the receipt?
A: PCI DSS requirement 3.3 states “Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).” While the requirement does not prohibit printing of the full card number or expiry date on receipts (either the merchant copy or the consumer copy), please note that PCI DSS does not override any other laws that legislate what can be printed on receipts (such as the U.S. Fair and Accurate Credit Transactions Act (FACTA) or any other applicable laws). See the italicized note under PCI DSS requirement 3.3: “Note: This requirement does not apply to employees and other parties with a specific need to see the full PAN, nor does the requirement supersede stricter requirements in place for displays of cardholder data (for example, for point of sale (POS) receipts).” Any paper receipts stored by merchants must adhere to the PCI DSS, especially requirement 9 regarding physical security.
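As an added illustration (not part of this page, nor code from EMT or the PCI SSC), the following Python applies the requirement 3.3 display rule: a masking function that never shows more than the first six and last four digits, and a simple scan for unmasked PANs in text such as receipt templates or logs before they are stored. The card numbers used are constructed, publicly known test values, not real accounts.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4, fill: str = "*") -> str:
    """Mask a PAN for display per PCI DSS requirement 3.3.

    keep_first/keep_last may be lowered (e.g. 0 and 4 for a consumer receipt)
    but never raised above the first-six/last-four ceiling of the requirement.
    """
    if not (0 <= keep_first <= 6 and 0 <= keep_last <= 4):
        raise ValueError("requirement 3.3 permits at most the first six and last four digits")
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("input is not a well-formed PAN")
    hidden = len(digits) - keep_first - keep_last
    tail = digits[len(digits) - keep_last:] if keep_last else ""
    return digits[:keep_first] + fill * hidden + tail


def find_unmasked_pans(text: str) -> list[str]:
    """Return Luhn-valid full PANs found in free text (receipts, exports, logs).

    Digit runs that fail Luhn (order numbers, phone numbers) are ignored.
    """
    found = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


if __name__ == "__main__":
    # Constructed sample receipt text using a well-known Visa test number.
    receipt = "Thank you! Card 4111 1111 1111 1111 exp 12/29 order 123456789012345"
    print(mask_pan("4111 1111 1111 1111"))                 # 411111******1111
    print(mask_pan("4111 1111 1111 1111", keep_first=0))   # ************1111
    print(find_unmasked_pans(receipt))                     # ['4111111111111111']
```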

 

Q: What if a merchant refuses to cooperate?
A: PCI is not, in itself, a law. The standard was created by the major card brands: Visa, MasterCard, Discover, AMEX, and JCB. At their acquirer's or service provider's discretion, merchants that do not comply with PCI DSS may be subject to fines, card replacement costs, costly forensic audits, brand damage, etc., should a breach event occur.

For a little upfront effort and cost to comply with PCI, you greatly reduce your risk of facing these extremely unpleasant and costly consequences.

 

Q: Do states have laws that require data breach notifications to the affected parties?
A: Absolutely. California was the catalyst for reporting data breaches to affected parties. The state implemented a breach notification law in 2003, and there are now over 38 states that have similar laws in place. See www.privacyrights.org for more detail on state laws.

 

 

EMT is a registered agent of United Bank Card, Inc., which is a registered ISO/MSP of First National Bank of Omaha, 1620 Dodge St. Omaha, NE – Member FDIC