Understanding PCI Compliance

What is the PCI SAQ?

Completing a Self-Assessment Questionnaire (SAQ) is an annual requirement for all merchants. But knowing which SAQ applies to you, and then filling it out, is not easy: the questions are complicated and technical, and there are many sections to read and understand.

Our Customer Service will be happy to guide you through the process of completing your Self Assessment Questionnaire.


TOP TWELVE FAQs on PCI Compliance and Standards:

Q: What is PCI?

A: The Payment Card Industry (PCI) Data Security Standard details security requirements for members, merchants and service providers that store, process or transmit cardholder data. To demonstrate compliance with the PCI Data Security Standard, merchants and service providers may be required to validate and conduct a network security scan on a regular basis as defined by the PCI Security Standards Council.

The PCI Data Security Standard (PCI DSS) originally began as five different programs from the five credit card schemes. Each company's intentions were loosely similar: to create an additional level of protection for consumers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. Although the intentions of these five programs were similar, their standards often conflicted. This created unreasonable burden – and increased security risk – for merchants.

The Payment Card Industry Security Standards Council (PCI SSC) was formed as a neutral body to address conflicts among the credit card schemes in developing a standard. On December 15, 2004, the credit card schemes aligned their individual policies and released the Payment Card Industry Data Security Standard (PCI DSS).

First, a Self-Assessment Questionnaire must be completed on an annual basis. During the spring of 2008 a new SAQ was launched and was re-designed to make the questions more relevant to what merchants do. There are now four parts. The part that best matches what a company does determines the number of questions that need to be answered, as well as whether quarterly vulnerability scanning is required. Companies are required to attest to the truthfulness and accuracy of their responses on the SAQ.

For those required to complete quarterly vulnerability scanning: vulnerability scanning is an indispensable tool used in conjunction with a vulnerability management program. Scans help identify vulnerabilities and misconfigurations in websites and IT infrastructure containing externally facing IP addresses.

Scan results provide valuable information that supports efficient patch management and other security measures that improve protection against Internet-based attacks.

Q: Who is required to comply?

A: If you are a merchant and accept credit cards you must validate PCI compliance at least annually. There is no way around this. Network Security Scans are required of all merchants and service providers with external-facing IP addresses that collect, process or transmit payment account information. However, even if an entity does not offer Web-based transactions, there may be other services that make systems Internet accessible. Basic functions such as email and employee Internet access may result in the Internet-accessibility of a company's network. These seemingly insignificant paths to and from the Internet can provide unprotected pathways into merchant and service provider systems and can potentially expose cardholder data if not properly controlled.

Q: What are the certification levels and what do they mean?

Level 1: More than 6 million credit card transactions per year, ANY business that has suffered a data breach, or any business designated Level 1 by the card associations.

Level 2: Any merchant who processes more than 1 million transactions per year, regardless of channel.

Level 3: Any merchant who processes more than 20,000 online transactions per year.

Level 4: Fewer than 20,000 e-commerce transactions or fewer than 1 million total transactions per year.

Q: I'm a small merchant who only takes a handful of cards, so I don't need PCI, right?

A: This is a myth that has resulted in non-compliance fines for many small merchants. If you are a merchant and are set up to take non-cash payments by any mechanism, you must be PCI compliant. Protect yourself. Contact us TODAY for a FREE compliance consultation.

Q: Doesn't PCI only apply to e-commerce companies?

A: No, PCI applies to every company that stores, processes or transmits cardholder information. In fact, anyone who takes card-present transactions involving POS devices is typically more at risk than an e-commerce solution. Quite often these transactions involve internal storage of track data on the POS device. This is strictly prohibited by PCI, and compromise of this type of data may bring heavy fines and requests for compensation from the banks involved.

Q: Don't I only have to be compliant with most of the criteria?

A: The pass mark for PCI is 100%, so if you fail even one of the criteria, you are not in compliance with PCI. The standard is not meant to be something to strive for; it is essentially a floor, a basis for further security measures. Failing to achieve even one of the requirements is failing to meet a basic standard for handling cardholder information. All companies that routinely handle this type of data should be aiming to exceed the standard. It's just good business.

Q: I only need to protect my credit card data, not ATM debit card related data, right?

A: No - both are required. Many debit cards are dual-purpose "signature debit," which can be used on both debit card and credit card networks. Debit cards are covered under PCI and must be protected in the same way as credit cards.

Q: Can't I just wait a little bit until my business grows?

A: NO. The PCI standard applies to all sizes of business and waiting could be costly. Should you be compromised and found non-compliant, the fines and the compensation requirements by the banks could be substantial.

Q: Can I just answer "yes" to all the criteria on the Self-Assessment Questionnaire?

A: The Self-Assessment Questionnaire is a mechanism for reporting the level of your compliance to your merchant bank or to Visa. The standard always applies. Just saying "yes" to the questions puts you at great risk. If a compromise took place and it was obvious that you were not and had never been compliant, the matter would be taken very seriously by VISA. You risk your whole business by answering "yes" to the questions when there is no factual basis for the answers. Contact customer service for a FREE SAQ completion consultation.

Q: Can I wait until my bank asks me to be compliant?

A: You and you alone are responsible for making sure you are in compliance. Waiting until the bank asks you could be very costly indeed.

Q: If I didn't sign anything saying I would be compliant, do I still need to be?

A: YES – it's in your original paperwork. The PCI standard forms part of the operating regulations that are the rules under which merchants are allowed to operate merchant accounts. The regulations signed when you open an account at the bank state that the VISA regulations must be adhered to. Even if you have been in business for decades, PCI still applies if you store, process or transmit credit cards.

Q: As a merchant, aren't I entitled to store my customers' data?

A: Many merchants believe that they own the customer and have a right to store all the data about that customer in order to help their business. Not only is this incorrect regarding PCI, it may also be a violation of State and Federal legislation regarding privacy. The PCI regulations specifically forbid storing of any of the following:

  • Unencrypted credit card number
  • CVV or CVV2
  • PIN blocks
  • PIN numbers
  • Track 1 or 2 data

Any of the above found in databases, log files, audit trails, backups, etc. at a merchant can result in serious consequences for the merchant, especially if a compromise has taken place.
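As an added example (not part of this page or any vendor's tooling), here is a small Python scanner in the defender's role: it checks log lines or backup extracts for the items the list above forbids (Luhn-valid card numbers, CVV values, track 1/2 data) and produces a redacted copy. The log lines are constructed, and the card numbers are well-known test numbers; PIN and PIN-block detection is out of scope because those values have no recognisable textual shape.

```python
import re

# Constructed sample log lines (not real data; the PANs are standard test
# numbers that pass the Luhn check). Line 3 is a 13-digit ticket id that
# must NOT be reported, because it fails Luhn.
SAMPLE_LOG = [
    "2024-01-05 10:02:11 INFO checkout ok order=1842 total=59.90",
    "2024-01-05 10:02:12 DEBUG auth req pan=4111111111111111 cvv=123 exp=1227",
    "2024-01-05 10:02:13 DEBUG swipe ;5555555555554444=27121011234567890?",
    "2024-01-05 10:02:14 INFO ticket id 1234567890123 closed",
]

# 13-19 digits, optionally separated by spaces or dashes, not part of a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]*\^[^?]*\??")   # %B<PAN>^NAME^...?
TRACK2_RE = re.compile(r";\d{13,19}=\d+\??")                # ;<PAN>=YYMM...?
CVV_RE = re.compile(r"\bcvv2?\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)

def luhn_ok(digits):
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_prohibited(line):
    """Return (kind, match) tuples for prohibited data in one line."""
    findings = [("track1", m.group()) for m in TRACK1_RE.finditer(line)]
    findings += [("track2", m.group()) for m in TRACK2_RE.finditer(line)]
    findings += [("cvv", m.group()) for m in CVV_RE.finditer(line)]
    # Blank out track data first so its embedded PAN is not reported twice.
    rest = TRACK1_RE.sub(" ", TRACK2_RE.sub(" ", line))
    for m in PAN_RE.finditer(rest):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("pan", digits))
    return findings

def scan_log(lines):
    """Map line index -> findings for every line carrying prohibited data."""
    return {i: f for i, f in enumerate(map(find_prohibited, lines)) if f}

def redact(line):
    """Mask prohibited data so the line can be retained (PAN keeps last four)."""
    line = TRACK1_RE.sub("[TRACK1 REDACTED]", line)
    line = TRACK2_RE.sub("[TRACK2 REDACTED]", line)
    line = CVV_RE.sub(lambda m: m.group().rstrip("0123456789") + "***", line)
    def mask(m):
        digits = re.sub(r"[ -]", "", m.group())
        return "*" * (len(digits) - 4) + digits[-4:] if luhn_ok(digits) else m.group()
    return PAN_RE.sub(mask, line)
```

Running `scan_log(SAMPLE_LOG)` flags only lines 1 and 2; `redact` turns the PAN into `************1111` and the swipe record into `[TRACK2 REDACTED]` while leaving the ticket id untouched.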