Learn what it means to be a part of the Payment Card Industry
Q: What is PCI compliance?
A: PCI compliance means meeting the requirements of the Payment Card Industry Data Security Standard (PCI DSS) and validating that, at least annually, for any organization that stores, processes or transmits cardholder data. Compliance itself is expected continuously; the validation is what happens once a year.
Q: Who does PCI compliance apply to?
A: PCI Compliance applies to all organizations involved in the handling, processing or storage of cardholder data.
Q: Where can I find more information about PCI DSS?
A: More information is available through the PCI SSC’s website which you can visit here: https://www.pcisecuritystandards.org/pci_security/
Q: How do I determine what requirements apply to my organization?
A: Start with the PCI SSC’s website (https://www.pcisecuritystandards.org/pci_security/), which explains the merchant levels and the Self-Assessment Questionnaire (SAQ) types. Which SAQ or full assessment applies depends on how your organization accepts card payments and whether it stores, processes or transmits cardholder data, so it is important that you speak with a PCI SSC-listed security organization such as Protocol, who can provide a more detailed assessment of your organization’s overall data security needs.
Q: Why is PCI compliance important?
A: By becoming PCI compliant, organizations build layers of security around cardholder data, making it more difficult for cybercriminals to take advantage of them. Merchants owe it to their customers and themselves to ensure the safety of that data.
Q: How long has PCI DSS been around?
A: PCI DSS was first released in December 2004, and the PCI Security Standards Council (PCI SSC), which now maintains the standard, was formed by the card brands in 2006.
Q: How do I know if a data security organization is qualified to help my organization with PCI compliance?
A: PCI SSC maintains public lists on its website of the organizations it has qualified to help with PCI compliance (for example QSAs, ASVs and QIRs); Protocol is one such organization. Check that a vendor appears on the relevant list before engaging them.
Q: What happens if I choose to not comply with PCI DSS?
A: Failure to comply with PCI DSS may result in monthly fines from your acquiring bank, but more important than that is the risk an organization puts itself and its customers in by failing to secure this sensitive data.
Q: What are merchant levels?
A: Each card brand assigns every merchant to one of four merchant levels based on that merchant’s card transaction volume over a 12-month period. The level determines how compliance must be validated (self-assessment versus an on-site assessment).
Q: What do the terms SAQ, QSA, ISA mean?
A: Merchants validate compliance in one of two ways:
1. SAQ (Self-Assessment Questionnaire): merchants that qualify for self-assessing their annual PCI compliance use the specific SAQ that matches their card handling, processing and storage methods.
2. QSA/ISA (Qualified Security Assessor / Internal Security Assessor): merchants that do not qualify for self-assessment are required to use a PCI SSC-certified QSA or an ISA (an employee of the merchant organization who has been sponsored by it and trained by PCI SSC).
Q: What is a QIR?
A: QIR stands for Qualified Integrators and Resellers, a PCI SSC program for companies that install and integrate payment applications and POS terminals. A QIR company employs staff who hold the QIR certification and who install, integrate and configure your POS hardware and software securely at each location where you take a payment. Under the Visa mandate described below, this must be in place by January 31, 2017.
Q: What is the Visa small merchant security validation requirement mandate?
A: In an effort to mitigate small merchant data breaches, and in addition to regular PCI compliance requirements, Visa is requiring that all level 4 merchants use only PCI QIR certified professionals for POS application and terminal installation and integration. This must be completed by January 31, 2017. Additional information on this mandate can be found at the following links:
Q: What is cardholder data and sensitive authentication data?
A: The PCI Security Standards Council (SSC) defines cardholder data as the full Primary Account Number (PAN) or the full PAN along with any of the following elements:
● Cardholder name
● Expiration date
● Service code
Sensitive Authentication Data (SAD) includes full magnetic stripe (track) data and the card verification codes CAV2, CVC2 and CVV2, among other elements. Unlike cardholder data, SAD must never be stored after authorization, even in encrypted form.
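The definitions above are what a practitioner has to turn into a check: where does the PAN show up in places it should not (logs, tickets, exports), and is any SAD present at all? The following is an added example, not code from the original FAQ or from Protocol. It finds digit runs that pass the Luhn check, masks them, and flags field names that look like SAD. The regular expressions, the first-six/last-four mask (the maximum PCI DSS permits to be displayed) and the SAD field-name heuristic are my assumptions, and the log lines are constructed test data using well-known test card numbers, not real cardholder data.

```python
"""Find and mask PANs in text (e.g. application logs) and flag likely
Sensitive Authentication Data (SAD) fields.

Added example; not part of the original FAQ or Protocol's tooling.
Assumptions (mine): a candidate PAN is a run of 13-19 digits, optionally
separated by single spaces or hyphens, that passes the Luhn check; the
mask keeps the first six and last four digits; SAD is detected only by a
short list of field-name patterns, which is a heuristic, not the PCI SSC
definition.
"""
import re

# 13-19 digits, each optionally followed by one space or hyphen; not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names that usually carry SAD (assumed list): verification codes, track data, PINs.
SAD_RE = re.compile(
    r"\b(cvv2?|cvc2?|cav2?|cid|track[12]?|pin(?:block)?)\s*[=:]\s*\S+", re.I
)

# Constructed sample log lines using public test card numbers, not real data.
SAMPLE_LOG = [
    "2024-05-01 12:00:01 INFO order=1001 pan=4111111111111111 exp=12/26 name=J Doe",
    "2024-05-01 12:00:02 DEBUG raw request: card=5500 0000 0000 0004 cvv2=123",
    "2024-05-01 12:00:03 INFO ticket=1234567890123 amount=19.99",
    "2024-05-01 12:00:04 INFO track2=;4111111111111111=2612101...?",
]


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, star out the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(line: str):
    """Replace each Luhn-valid PAN in `line` with its masked form.

    Returns (redacted_line, list_of_masked_pans). Digit runs that fail
    Luhn (order numbers, ticket ids) are left untouched.
    """
    masked = []

    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)
        masked.append(mask_pan(digits))
        return masked[-1]

    return PAN_RE.sub(_sub, line), masked


def find_sad_fields(line: str):
    """Return the lower-cased names of fields that look like SAD."""
    return [m.group(1).lower() for m in SAD_RE.finditer(line)]


def scan_log(lines):
    """Per line: the redacted text, masked PANs found, and SAD field names."""
    report = []
    for line in lines:
        redacted, pans = redact_pans(line)
        report.append({"redacted": redacted, "pans": pans, "sad": find_sad_fields(line)})
    return report


if __name__ == "__main__":
    for entry in scan_log(SAMPLE_LOG):
        flag = " <-- SAD present, line must not be retained" if entry["sad"] else ""
        print(f"{entry['redacted']}{flag}")
```

Masking is the right response to a PAN in a log, but not to SAD: the second and fourth sample lines carry a CVV2 and track-2 data respectively, so those records have to be removed (and the code path that wrote them fixed), since storing SAD after authorization is prohibited regardless of masking or encryption.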
Q: What is an AOC?
A: Each merchant is required to complete and sign an annual Attestation of Compliance (AOC), a document in which the merchant (and the QSA, where one performed the assessment) formally attests to the result of its PCI DSS validation.
Q: How often do I need to validate PCI compliance?
A: Validation is required annually, measured from your last submission rather than the calendar year. For example, if you submit your PCI compliance in June, you need to resubmit in June of the following year. Compliance itself is continuous, so if changes are made to your network or payment channels it is best to reassess against the new environment rather than waiting for the next annual cycle.
Q: Do I have to use PCI compliant partners?
A: PCI SSC strongly recommends using PCI compliant third-party partners, and PCI DSS requires you to manage the service providers that can affect the security of cardholder data. Using a partner that is not compliant adds risk and adds to your own assessment scope, since requirements the partner does not cover fall back to you, and can lead to fees and fines.
Q: What should I do if I suspect my organization has been compromised?
A: If you suspect you have been compromised, follow these steps:
1. Do not log in to, turn off or restart the compromised system, and do not remove it. Isolate it from the rest of the network (for example by unplugging its network cable) rather than powering it down, so that volatile evidence in memory is preserved.
2. Disconnect all remote VPN connections into the network.
3. Contact your acquirer as soon as possible to inform them of the potential compromise. Contact your PCI compliance provider as well.
4. Do not destroy or tamper with potential evidence. Hold on to all data, drives, systems and devices, and do not dispose of anything that might be deemed evidence or part of a potential forensic investigation.