PCI Compliance FAQ

by: hcdi (Top 5000 Reviewer)
Tags: PCI | Compliance | Network | Monitor | Firewall

What is PCI Compliance?

All merchants that process, transmit, or store credit card data were required to comply with the Payment Card Industry (PCI) Data Security Standard (DSS) by June 30, 2005. What a given merchant must do to validate compliance depends on several criteria, chiefly its merchant level (see below).

The Payment Card Industry strongly recommends that all merchants accepting credit cards online comply, and failure to comply with these security standards may result in substantial fines or permanent expulsion from card acceptance programs.

What are the Requirements for PCI Compliance?

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software

Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security
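Requirement 3 (protect stored cardholder data) is where most merchants first discover they are storing primary account numbers (PANs) in places they did not expect, such as application logs and support tickets. The following Python is an added example, not part of the original guide: it finds candidate PANs in text using length plus the Luhn check that every card brand's PAN satisfies, and masks them to the first six and last four digits, which is the most PCI DSS allows to be displayed. The sample log line and the regular expression are constructed for this example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. Constructed for this example; production
# discovery tooling also consults per-brand prefix and length tables.
PAN_CANDIDATE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation: from the right, double every second digit,
    subtract 9 from doubled values above 9, and the total must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(candidate: str) -> str:
    """Strip the separators a human-formatted PAN may contain."""
    return re.sub(r'[ -]', '', candidate)


def find_pans(text: str) -> list:
    """Return normalised digit strings that pass both the length and Luhn checks.
    Order numbers and phone numbers of PAN-like length usually fail Luhn."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _normalise(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """PCI DSS masking rule: show at most the first six and last four digits."""
    if len(pan) < 13:
        raise ValueError("not a PAN")
    return pan[:6] + '*' * (len(pan) - 10) + pan[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form; leave other
    digit runs (order IDs, dates) untouched."""
    def _sub(m):
        digits = _normalise(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    # Constructed sample log line: 4111 1111 1111 1111 is a well-known test PAN.
    line = "checkout ok pan=4111 1111 1111 1111 order=1234567890123 exp=12/29"
    print(find_pans(line))
    print(redact(line))
```

Run `find_pans` over log archives, database dumps, and ticketing exports before an assessment; anything it returns is cardholder data in scope for Requirement 3 and must be removed, truncated, or encrypted.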

 

Do I need to become compliant?

Any company that accepts, processes, or stores credit card information needs to comply with the standards set by the Payment Card Industry.

What kind of a scan needs to be performed?

Vulnerability assessment scans must be performed by a PCI Approved Scanning Vendor (ASV). The scan covers every externally facing IP address that touches the credit card acceptance, transmission, or storage process. Passing scan reports must be submitted to the merchant bank quarterly.
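Two things decide whether a quarterly ASV scan counts: the scan must cover every in-scope external address, and no finding may reach the failing severity. The Python below is an added example, not part of the original guide or of any ASV's tooling. It applies the ASV Program Guide rule that a vulnerability with a CVSS base score of 4.0 or higher fails the scan, treats any in-scope host the ASV did not scan as an incomplete (non-passing) scan, and tracks when the next scan is due. The 90-day interval is an assumption about what "quarterly" means in practice, and the hosts, findings, and dates are constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# ASV Program Guide pass/fail rule: any finding with CVSS base score >= 4.0 fails.
CVSS_FAIL_THRESHOLD = 4.0
# "Quarterly" taken here as at most 90 days between passing scans (assumption).
MAX_DAYS_BETWEEN_PASSING_SCANS = 90


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    title: str
    cvss: float  # CVSS base score as reported by the scanner


@dataclass
class ScanReport:
    scan_date: date
    targets: set                      # externally facing IPs the ASV actually scanned
    findings: list = field(default_factory=list)


def failing_findings(report: ScanReport) -> list:
    """Findings at or above the failing threshold, most severe first."""
    return sorted((f for f in report.findings if f.cvss >= CVSS_FAIL_THRESHOLD),
                  key=lambda f: -f.cvss)


def unscanned_hosts(report: ScanReport, in_scope) -> list:
    """In-scope external IPs absent from the scan. A scan that skipped an
    in-scope host cannot be submitted as passing, whatever it found elsewhere."""
    return sorted(set(in_scope) - set(report.targets))


def scan_passes(report: ScanReport, in_scope) -> bool:
    return not failing_findings(report) and not unscanned_hosts(report, in_scope)


def next_scan_due(last_passing: date) -> date:
    return last_passing + timedelta(days=MAX_DAYS_BETWEEN_PASSING_SCANS)


def scan_overdue(last_passing: date, today: date) -> bool:
    return today > next_scan_due(last_passing)


# Constructed sample: three in-scope hosts (documentation address range),
# of which the ASV scanned only two, with two findings above the threshold.
IN_SCOPE = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}
SAMPLE_REPORT = ScanReport(
    scan_date=date(2008, 10, 1),
    targets={"203.0.113.10", "203.0.113.11"},
    findings=[
        Finding("203.0.113.10", 443, "TLS server supports SSLv2", 5.0),
        Finding("203.0.113.10", 80, "HTTP TRACE method enabled", 4.3),
        Finding("203.0.113.11", 22, "SSH banner discloses version", 0.0),
    ],
)

if __name__ == "__main__":
    for f in failing_findings(SAMPLE_REPORT):
        print(f"FAIL {f.host}:{f.port} {f.title} (CVSS {f.cvss})")
    print("unscanned:", unscanned_hosts(SAMPLE_REPORT, IN_SCOPE))
    print("passes:", scan_passes(SAMPLE_REPORT, IN_SCOPE))
    print("next scan due:", next_scan_due(SAMPLE_REPORT.scan_date))
```

The in-scope list is the part to get right: it should be derived from the network inventory of everything that touches cardholder data, not from whatever the ASV happened to be given last quarter.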

How long does it take to become compliant?

The PCI compliance process can take anywhere from one day to two weeks. How long a company takes to be considered PCI compliant depends on the vulnerabilities the PCI scan discovers (each must be remediated and the scan re-run until it passes) and on the time needed to complete the Self Assessment Questionnaire.

How do I report compliance?

Both the passing PCI scan report and the annual Self Assessment Questionnaire should be submitted to your merchant bank, which then reports to the Payment Card Industry that your company is PCI compliant.

What happens if I am not compliant?

Failure to comply with the Payment Card Industry security standards may result in heavy fines, restrictions or permanent expulsion from card acceptance programs.

What are my specific requirements for PCI Compliance?

The requirements for becoming PCI compliant depend on the merchant level a company falls under. Merchants are divided into four levels based on the number of transactions they process per year.

Level 1 Criteria

Merchants with over 6 million transactions a year

Merchants whose data has been compromised

Level 1 Requirements

Annual Onsite Security Audit and quarterly network security scan

Level 2 Criteria

Merchants with 150,000 to 6 million transactions a year

Level 2 Requirements

Annual Self Assessment Questionnaire

Quarterly Scan by an Approved PCI Scanning Vendor

Level 3 Criteria

Merchants with 20,000 to 150,000 transactions a year

Level 3 Requirements

Quarterly Scan by an Approved PCI Scanning Vendor

Annual Self Assessment Questionnaire

Level 4 Criteria

Merchants with fewer than 20,000 transactions a year

Level 4 Requirements

No requirement to report compliance, but compliance must still be maintained.



Guide ID: 10000000009055977
Guide created: 10/13/08

 