Frequently Asked Questions
Payment Card Industry Data Security Standards (PCI DSS)
Do I have to comply with the Payment Card Industry Data Security Standard (PCI DSS)?
Yes. This is a mandatory compliance program instituted by Visa® and MasterCard® that requires all merchants who store, process or transmit cardholder data to adhere to certain data security standards. The Cardholder Information Security Program (CISP) and Site Data Protection Program (SDP) were the basis for PCI DSS. PCI DSS is supported by all major card brands in the industry. Each card brand continues to maintain its own compliance program, has the right to impose additional requirements, and may assess fines for non-compliance.
What happens if I don’t comply with these standards?
If you do not comply with PCI DSS, you could face fines ranging from $2,000 to $500,000 per incident for each affected card type. You are liable for data compromises that occur at your place of business as well as any subsequent fraudulent transactions that occur at any other merchants’ location(s) where the compromised cards are used.
What is the difference between Compliance and Validation?
Compliance: Merchant abides by the new security standards. This applies to all levels.
Validation: This is a process that confirms the merchant is abiding by the new security standards.
What is a Data Compromise?
An incident in which cardholder data is exposed, electronically or physically, through the communication or information-processing systems of the merchant or a third party:
Electronic: Exposure of data in transit or in storage, attacks via web sites or servers, private key mismanagement, misuse of user ID/password access, and administrative network problems.
Physical: Theft of documents or equipment (e.g., receipts, files, PCs, POS terminals, etc.).
What do Visa and MasterCard define as "cardholder data"?
Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, etc. The account number is the critical component that makes PCI DSS applicable. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data. However, PCI DSS applies even if the only data stored, processed, or transmitted is account numbers.
When is it acceptable to store magnetic stripe data?
It is never acceptable for Acquirers, merchants, or service providers to retain magnetic stripe data subsequent to transaction authorization. The Visa & MasterCard Operating Regulations prohibit storage of the contents of the magnetic stripe as a unit. The following individual data elements may be retained subsequent to transaction authorization:
• Cardholder Account Number
• Cardholder Name
• Card Expiration Date
When is it acceptable to store CVV2 & CVC2?
It is never acceptable for Acquirers, merchants, or service providers to retain CVV2 and CVC2, which consist of the last three digits printed on the signature panel of all Visa and MasterCard cards, subsequent to transaction authorization. The Visa and MasterCard Operating Regulations prohibit such storage, whether encrypted or unencrypted.
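Added example (not part of the FAQ) of how a merchant system could enforce the retention rules in the two answers above: a post-authorization filter that keeps only the account number, cardholder name and expiration date, discards full track data and CVV2/CVC2, and an audit check that flags stored records still holding prohibited data. The record layout, field names and the sample values are assumptions constructed for the example.

```python
import re

# Constructed sample of an authorization record as captured at the POS, before
# any retention filtering. Values are fabricated; the PAN is the common Visa
# test number 4111111111111111, not a real account (field names are assumed).
RAW_RECORD = {
    "track1": "%B4111111111111111^DOE/JANE^29121011234567890?",
    "track2": ";4111111111111111=29121011234567890?",
    "cvv2": "123",
    "amount": "42.00",
    "auth_code": "A1B2C3",
}

# Track 1 / track 2 layout: start sentinel, PAN, (name), YYMM expiry, 3-digit
# service code, discretionary data, end sentinel. Only PAN, name and expiry
# are retainable; everything else on the stripe is discarded.
TRACK1 = re.compile(r"^%B(\d{13,19})\^([^^]{2,26})\^(\d{4})\d{3}.*\?$")
TRACK2 = re.compile(r"^;(\d{13,19})=(\d{4})\d{3}.*\?$")

# Field names that may never be retained after authorization, encrypted or not.
PROHIBITED_KEYS = {"track1", "track2", "cvv2", "cvc2", "pin_block"}

def allowed_elements(record):
    """Recover the retainable elements (PAN, name, expiry) from track data."""
    out = {}
    m = TRACK1.match(record.get("track1", ""))
    if m:
        out.update(pan=m.group(1), name=m.group(2).strip(), expiry=m.group(3))
    m = TRACK2.match(record.get("track2", ""))
    if m:  # track 2 carries no name; fill PAN/expiry if track 1 was absent
        out.setdefault("pan", m.group(1))
        out.setdefault("expiry", m.group(2))
    return out

def sanitize_for_storage(record):
    """Return the only form of the record that may be written to disk or a DB."""
    kept = allowed_elements(record)
    for key, value in record.items():
        if key in PROHIBITED_KEYS:
            continue
        if isinstance(value, str) and (TRACK1.match(value) or TRACK2.match(value)):
            continue  # track data smuggled under an unexpected field name
        kept[key] = value
    return kept

def retention_violations(stored):
    """Audit a stored record: list every field still holding prohibited data."""
    bad = {k for k in stored if k in PROHIBITED_KEYS}
    bad |= {k for k, v in stored.items() if isinstance(v, str)
            and (TRACK1.match(v) or TRACK2.match(v))}
    return sorted(bad)
```

Running `retention_violations` over records already on disk is the audit half: any non-empty result is a retention violation regardless of whether the field is encrypted.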
Where can the Self-Assessment Questionnaire be found?
The Self-Assessment Questionnaire is available on www.visa.com/cisp. Many of the qualified security assessors offer merchants and service providers the option to complete the Questionnaire on the security assessor’s Web site.
What is a Network Security Scan?
A Network Security Scan involves an automated tool that checks a merchant or service provider’s systems for vulnerabilities. The tool will conduct a non-intrusive scan to remotely review networks and Web applications based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider. The scan will identify vulnerabilities in operating systems, services, and devices that could be used by hackers to target the company’s private network. As provided by qualified security assessors, the tool will not require the merchant or service provider to install any software on their systems, and no denial-of-service attacks will be performed.
Is the Network Security Scan only applicable to e-commerce entities?
No. The System Perimeter Scan is applicable to all merchants and service providers with external-facing IP addresses. Even if an entity does not offer Web-based transactions, other services make its systems Internet accessible. Basic functions such as e-mail and employee Internet access make a company’s network reachable from the Internet. These seemingly insignificant paths to and from the Internet can provide unprotected pathways into merchant and service provider systems if not properly controlled.
To whom do I provide compliance validation documentation (i.e. network scans, compliance assessment questionnaires, necessary progress updates, and/or other reports of compliance as applicable)?
Furnish all required information to your Acquirer/processor ("Acquirer"). The Acquirer will file your information with the applicable card brand. Acquirers’ reporting requirements vary with each card brand.
How is the transaction volume measured that determines a merchant’s compliance level?
The number of transactions will be determined based on the gross number of Visa transactions processed by a DBA of a chain of stores—not of a corporation that owns several chains. For all levels, if a merchant meets the compliance validation criteria based on Visa OR MasterCard transaction volume, it must comply with the PCI DSS requirements.
How is "IP-based POS environment" defined?
The POS environment is the environment in which a transaction takes place at a merchant location (e.g., retail store, restaurant, hotel property, gas station, supermarket, or other point-of-sale location). An IP-based POS environment is one in which transactions are stored, processed, or transmitted on IP-based systems, or systems communicating via TCP/IP.
Do merchants need to include their service providers in the scope of their PCI review?
Yes, to the extent that the merchant’s service provider(s) interface with, provide software for, store, process, or transmit cardholder data.