PCI Compliance FAQ
Yes. The payment terminal or POS system is just one component in the card data environment. Even though it may be compliant and safe, if it is put into an environment that is not secure and safe, then there can still be a breach.
Yes. In fact, hackers will often target home users precisely because they don’t take protection seriously. Open broadband connections, Internet games, chat and file sharing applications all make the average home user more vulnerable to attack from the outside.
Yes. All businesses that store, process or transmit payment cardholder data must be PCI compliant.
If you accept credit or debit cards as a form of payment, then PCI compliance applies to you. The storage of card data is risky, so if you don’t store card data, then becoming secure and compliant may be easier.
Yes. Neither the short duration of your season, nor the small number or value of transactions you process per year has any effect on the requirement that you adhere to the PCI DSS.
In-scope cards include any debit, credit, and pre-paid cards branded with one of the five card association/brand logos that participate in the PCI SSC – American Express, Discover, JCB, MasterCard, and Visa International.
No. SSL certificates do not secure a web server from malicious attacks or intrusions. High assurance SSL certificates provide the first tier of customer security and reassurance, but there are other steps to achieve PCI compliance.
The PCI Security Standards Council (SSC) defines ‘cardholder data’ as the full Primary Account Number (PAN) or the full PAN along with any of the following elements:
- Cardholder name
- Expiration date
- Service code
Sensitive Authentication Data, which must also be protected, includes full magnetic stripe data, CAV2, CVC2, CVV2, CID, PINs, PIN blocks and more.
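A small data-discovery check built on the definitions above, added here as an example and not part of the original FAQ: it scans stored records for a full PAN (Luhn-validated), for magnetic-stripe track data, and for SAD fields, and reports whether a record is out of scope, cardholder data, or holding SAD. The field names and sample records are constructed assumptions.

```python
import re

# PCI SSC definition quoted above: a full PAN alone is cardholder data, as is
# a full PAN together with any of these elements.
CARDHOLDER_DATA_ELEMENTS = {"cardholder_name", "expiration_date", "service_code"}
# Sensitive Authentication Data (SAD), which the FAQ says must also be protected.
# These field names are assumptions chosen for the constructed sample records.
SAD_FIELDS = {"cav2", "cvc2", "cvv2", "cid", "pin", "pin_block", "track_data"}
# Magnetic-stripe layouts: track 1 (%B<PAN>^...) and track 2 (;<PAN>=YYMM<service code>...).
TRACK_RE = re.compile(r"(%B\d{13,19}\^)|(;?\d{13,19}=\d{7,}\??)")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: card numbers satisfy it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def looks_like_pan(value: str) -> bool:
    """True for a 13-19 digit string (spaces/dashes allowed) that passes Luhn."""
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_valid(digits)

def classify_record(record: dict) -> dict:
    """Classify one stored record as OUT_OF_SCOPE, CARDHOLDER_DATA or SAD_PRESENT."""
    findings = []
    for key, value in record.items():
        text = str(value)
        if key in SAD_FIELDS or TRACK_RE.search(text):
            findings.append(f"SAD in field '{key}'")
        elif looks_like_pan(text):
            findings.append(f"full PAN in field '{key}'")
    has_sad = any(f.startswith("SAD") for f in findings)
    has_pan = any(f.startswith("full PAN") for f in findings)
    if has_pan:  # elements that only matter when stored next to a full PAN
        findings.extend(f"PAN stored with {e}" for e in sorted(CARDHOLDER_DATA_ELEMENTS & set(record)))
    category = "SAD_PRESENT" if has_sad else "CARDHOLDER_DATA" if has_pan else "OUT_OF_SCOPE"
    return {"category": category, "findings": findings}

# Constructed sample records using publicly known test card numbers, not real accounts.
SAMPLE_RECORDS = [
    {"order_id": "1234567890123", "cardholder_name": "A. Example", "last4": "1111"},
    {"pan": "4111 1111 1111 1111", "expiration_date": "12/25", "cardholder_name": "A. Example"},
    {"pan": "5555555555554444", "cvv2": "123"},
    {"raw_swipe": ";4111111111111111=25121011234567890?"},
]
```

Running `classify_record` over `SAMPLE_RECORDS` marks the first record out of scope (a 13-digit order number fails Luhn), the second as cardholder data, and the last two as holding SAD.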
Yes. You are required to validate your PCI compliance each year, even if nothing or very little has changed. The good news is that the PCI Portal makes it easy to re-validate your compliance, and if nothing has changed you won't have to go through the entire process again.
Your processing products may be compliant, but a product only addresses one or a few elements of the PCI DSS requirements. Your business setup and practices are part of PCI compliance.
Examples: Who has access to the data, physical security/tampering of the device, patching updates, firewall updates, anti-virus, employee security training, etc.
Even when outsourcing or using third-party providers for processing, storing or transmitting data, your business will be responsible for PCI compliance through your own business practices and also ensuring that providers are PCI compliant. Your service providers must also validate their compliance each year and should provide proof of their compliance to you.
PCI DSS compliance is required for any entity that accepts payment cards. PCI compliance is required whether you accept five card payments or five million card payments.
Completing a PCI assessment and performing scans are a “snapshot in time”; security efforts must be a continuous process to ensure the safety of cardholder data. You will need to be vigilant every day, as security exploits are non-stop and get stronger every day. Changes to your systems, applications, network, password management, and personnel all impact compliance.