17 Oct 2013

FAQ on the Payment Card Industry Data Security Standard (PCI DSS)

All merchants and their service providers that store or transmit payment card details are required to meet the process and systems standards set out by the Payment Card Industry – an industry governance body administered by the major credit card vendors (Visa, MasterCard, American Express, Discover and JCB).

I thought I would succinctly answer some questions and address some common myths about PCI compliance in a way that is most relevant to small and medium businesses. Here are the answers to some frequent questions our clients have about meeting their PCI compliance requirements.

Q: To whom does PCI apply?

PCI applies to ALL organisations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data, whether electronically or physically. In other words, if any customer of that organisation ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

Q: What does a small-to-medium sized business (Level 4 merchant) have to do in order to satisfy the PCI requirements?

  • Complete the Self-Assessment Questionnaire (SAQ) according to the instructions in the Self-Assessment Questionnaire Instructions and Guidelines.
  • Complete and obtain evidence of a passing Vulnerability Scan. Note that scanning does not apply to all merchants. It is required for Validation Types 4 and 5 – those merchants with externally facing IP addresses. The SAQ will help a business determine whether a Vulnerability Scan is required.
  • Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool).
  • Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your banking provider or their compliance certifier.

Myth: I can wait until my bank asks me to be PCI compliant.

Fact: The deadlines for merchants to become PCI compliant have long passed. Merchants are responsible for making sure they are PCI compliant. Waiting until the bank asks you to demonstrate PCI compliance may result in penalties for non-compliance.

Ultimately, the PCI DSS exists to protect businesses over the long term from the financial loss, brand reputation damage, legal costs, higher insurance premiums and decline in enterprise value that result from payment card data being compromised, whether by electronic or physical means.