PCI Compliance FAQs
What is the Payment Card Industry (PCI) Data Security Standard?
The Payment Card Industry (PCI) Data Security Standard, backed by card schemes including Visa and MasterCard, details security requirements for their members, merchants and transaction processors that store, process or transmit cardholder data.
What is the PCI DSS standard based on?
The Payment Card Industry Data Security Standard (PCI DSS) is based on the Visa Account Information Security programme (AIS, and its sister programme CISP), the MasterCard Site Data Protection programme (SDP), the American Express Data Security Operating Policy (DSOP), Discover Information Security and Compliance (DISC), and the JCB security standards.
Why did the card schemes develop security standards?
There is widespread concern within the payments industry about the security of cardholder data and the fraudulent use of compromised data. By ensuring the integrity of cardholder data, the card schemes aim to strengthen their brand reputation, reinforce cardholder confidence and reduce the threat to the cards industry as a whole.
What is the benefit of having a single standard?
Aligning different security programs under a single standard creates a commonly accepted set of industry tools and measurements as well as a single validation process to satisfy all card associations. This makes the validation process much less complex for the merchant.
What is the extent of cover?
Merchants need only validate their compliance once (at the determined frequency) to fulfil their obligation to all payment schemes. The PCI standard is being applied worldwide.
What are the PCI DSS requirements?
The PCI DSS standard has 12 requirements for compliance, under the summary headings:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain a policy that addresses information security
Is the compliance validation fully aligned between Visa and MasterCard?
Visa and MasterCard have aligned behind the PCI standard, the merchant levels for compliance validation, the PCI security audit and scan procedures, and the QSAs. However, each card scheme requires its own compliance validation reporting, enforcement procedures and fines. MasterCard and Visa individually issue compliance notices, and each holds its own list of approvals granted.
What are the penalties for non-compliance?
In the event of a security breach, penalties for non-compliance are imposed. We understand currently these to be in the order of:
- Fines at the rate of 5 euros per compromised account
- A breach fee in excess of 100,000 euros per incident
- Possible restrictions on the merchant
- Permanent prohibition of the merchant’s participation in Visa and MasterCard programs
- Beyond compliance, business risks relative to brand, customer loyalty and company valuation exist if the cardholder data is not securely managed
What assessments are required to be performed to prove compliance?
The PCI Data Security Standard establishes four merchant levels based primarily on the volume of transactions processed annually, irrespective of acceptance channel. The selection criteria and validation requirements by level are:
- Level 1: merchants who process 6 million or more Visa or MasterCard¹ transactions annually, any merchant that has suffered a hack or an attack that resulted in an account data compromise, and any merchant the card schemes determine at their discretion should meet the Level 1 requirements. The PCI DSS standard requires a detailed onsite assessment annually, plus quarterly network vulnerability scans.
- Levels 2 and 3: merchants who process 20,000 to 6 million transactions a year. The PCI DSS standard requires an annual self-assessment questionnaire to be completed, with quarterly network vulnerability scans.
- Level 4: merchants who process fewer than 20,000 transactions a year. Under the PCI DSS standard validation is optional, but completion of the annual self-assessment questionnaire is highly recommended.
How do merchants demonstrate compliance to the card schemes?
Where required, onsite assessments and network vulnerability scans are performed by vendors appointed by the card schemes, known as Qualified Security Assessors (QSAs). The results are communicated to the card schemes and form the basis of any remediation required. Details are published on the card schemes’ websites.
How much does compliance cost?
The cost of certification depends on the volume of card transactions. Compliance typically passes through a number of stages that may include a self-assessment questionnaire, an on-site audit and security scans of the merchant’s network infrastructure. The cost of any remediation services depends on a pre-compliance review and/or on-site audit and will therefore be specific to each merchant.
What impact will PCI DSS have on the UK payments association, APACS?
The Acquirers’ PoS Group (APG) is working with the schemes to assess the impact of PCI DSS on the UK industry. It has instructed the Standard 70 groups to investigate and report back before moving the whole process forward. APACS has proposed that PCI will be incorporated within the April 2006 release “or earlier as a ‘pre-release’”.
Is the UK protocol Standard 70 compliant with PCI DSS?
The APACS Standard 70 Maintenance Group has convened a Work Group to establish the impact of PCI DSS on Standard 70, primarily on the use of the card number and Track 2.
Whilst this group has reported its findings in terms of data elements back to the Acquirers’ PoS Group, there is still a lot of work required to fully assess the issues.
Do card payments applications alone need to be PCI compliant?
The PCI standard refers to all areas of data security. All applications, not merely EFT software, must be considered when assessing merchant compliance.