PCI Compliance FAQ

February 5, 2025

Description

Frequently asked questions related to PCI compliance

What's in this article?

▼▶I use a payment terminal or POS system that is PA DSS compliant, do I still need to go through PCI DSS compliance?

Yes. The payment terminal or POS system is just one component in the card data environment. Even though it may be compliant and safe, if it is put into an environment that is not secure and safe, then there can still be a breach.

▼▶I run a home-based business. Am I really at serious risk of being hacked?

Yes. In fact, hackers will often target home users precisely because they don’t take protection seriously. Open broadband connections, Internet games, chat and file sharing applications all make the average home user more vulnerable to attack from the outside.

▼▶If I only accept credit cards over the phone, does PCI DSS still apply to me?

Yes. All businesses that store, process or transmit payment cardholder data must be PCI compliant.

▼▶My company doesn’t store credit card data so PCI compliance doesn’t apply to us, right?

If you accept credit or debit cards as a form of payment, then PCI compliance applies to you. The storage of card data is risky, so if you don’t store card data, then becoming secure and compliant may be easier.

▼▶I run a seasonal business that is only open for a month or two per year, do I still need to go through PCI DSS compliance?

Yes. Neither the short duration of your season, nor the small number or value of transactions you process per year has any effect on the requirement that you adhere to the PCI DSS.

▼▶Are debit card transactions in scope for PCI?

In-scope cards include any debit, credit, and pre-paid cards branded with one of the five card association/brand logos that participate in the PCI SSC – American Express, Discover, JCB, MasterCard, and Visa International.

▼▶Am I PCI compliant if I have an SSL certificate for my e-commerce business?

No. SSL certificates do not secure a web server from malicious attacks or intrusions. High assurance SSL certificates provide the first tier of customer security and reassurance, but there are other steps to achieve PCI compliance.

▼▶What is defined as ‘cardholder data’?

The PCI Security Standards Council (SSC) defines ‘cardholder data’ as the full Primary Account Number (PAN) or the full PAN along with any of the following elements:

Cardholder name
Expiration date
Service code
Sensitive Authentication Data, which must also be protected, includes full magnetic stripe data, CAV2, CVC2, CVV2, CID, PINs, PIN blocks and more

▼▶Nothing has changed since I last completed PCI Compliance, do I have to do it again?

Yes. You are required to validate your PCI Compliance each year, even if nothing or very little has changed. The good news is that the PCI Portal makes it very easy for you to re-validate your compliance and if nothing has changed, then you won't have to go through the entire process again.

▼▶Will the use of one product make my business totally compliant?

Your processing products may be compliant, but the product only addresses one or few elements of the PCI DSS Requirements. Your business setup and practices are part of PCI compliance.

Examples: Who has access to the data, physical security/tampering of the device, patching updates, firewall updates, anti-virus, employee security training, etc.

▼▶Will outsourcing our card processing make us compliant?

Even when outsourcing or using third-party providers for processing, storing or transmitting data, your business will be responsible for PCI compliance through your own business practices and also ensuring that providers are PCI compliant. Your service providers must also validate their compliance each year and should provide proof of their compliance to you.

▼▶My business does not take a lot of credit card payments. Do I still need to be PCI compliant?

PCI DSS compliance is required for any entity that accepts payment cards. PCI compliance is required whether you accept five card payments or five million card payments.

▼▶PCI DSS will make us secure, plus we completed a Self-Assessment Questionnaire so we are compliant. Is that correct?

Completing a PCI assessment and performing scans are a “snapshot in time” and security efforts must be a continuous process to ensure safety of cardholder data. You will need to be vigilant everyday as security exploits are non-stop and get stronger every day. Changes to your systems, applications, network, password management, and personnel changes impact compliance.