PCI DSS Compliance FAQ: What is PCI Compliance?

Learn about the fundamentals of PCI DSS compliance.


Your most common questions about the payment card industry data security standard, answered.

As you might expect, we get a lot of questions about PCI DSS Compliance. Here are the answers to your most frequently asked questions!

PCI DSS Frequently Asked Questions

PCI DSS Compliance can be a tricky topic for businesses to navigate. Here are the top frequently asked questions for those trying to become PCI compliant. 

Table of Contents

  1. General PCI Questions
  2. Logistic Questions 
  3. PCI E-commerce Questions 
  4. Mobile PCI Questions
  5. Questions about Third-Parties
  6. Preparing for a PCI Assessment
  7. Failing an Assessment
  8. Questions about Scoping
  9. Data Storage Questions 
  10. Payments Questions 
  11. PCI 4.0.1 Questions 
  12. PA-DSS Questions 
  13. Vulnerability Scanning Questions 
  14. Working with C-Suite Questions 
  15. Data Breach Questions 
  16. State Laws Questions 

General PCI Questions

What is PCI?

PCI stands for Payment Card Industry. It refers to the Payment Card Industry Security Standards Council (PCI SSC) and the set of security standards they have established to protect cardholder data and ensure secure payment card transactions. The PCI SSC is an organization formed by five major payment card brands: Visa, Mastercard, American Express, Discover, and JCB.

The standard produced by this council is the Payment Card Industry Data Security Standard (PCI DSS). Its purpose is to give merchants, service providers, and any other organization that stores, processes, or transmits cardholder data a baseline of security controls to implement and maintain. Compliance with the PCI DSS is required of entities involved in payment card processing (the obligation is written into merchant and service provider agreements with the card brands and acquiring banks) to safeguard cardholder information, prevent data breaches, and maintain trust in the payment card system.

What are the 12 requirements of PCI DSS?

No matter where you are in your PCI DSS compliance journey, it’s essential to have a reference sheet as you get headed in the right direction. Use this article as a “jumping off point” to address all the 12 requirements of the PCI DSS. To get started, let’s answer the most important question: what are the 12 requirements?

  1. Install and Maintain Network Security Controls
  2. Apply Secure Configurations to All System Components
  3. Protect Stored Account Data
  4. Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks
  5. Protect All Systems and Networks from Malicious Software
  6. Develop and Maintain Secure Systems and Software
  7. Restrict Access to System Components and Cardholder Data by Business Need to Know
  8. Identify Users and Authenticate Access to System Components
  9. Restrict Physical Access to Cardholder Data
  10. Log and Monitor All Access to System Components and Cardholder Data
  11. Test the Security of Systems and Networks Regularly
  12. Support Information Security with Organizational Policies and Programs

Before diving into the PCI requirements, you’ll also want to find which SAQ applies to your business. While most requirements will stay the same, there are some differences in the work you’ll need to do based on your SAQ.

Why do we have PCI compliance? 

PCI compliance keeps your customers’ sensitive information safe. Cyber attacks happen to unsuspecting organizations every day. It’s crucial for businesses that handle payment card transactions to ensure the security of cardholder data and protect against potential data breaches. Here are the main reasons why organizations need PCI compliance:

  • Protecting Cardholder Data: PCI compliance helps safeguard the confidentiality and integrity of cardholder data, including credit card numbers, expiration dates, and card verification codes. 
  • Preventing Data Breaches: Compliance with PCI DSS helps businesses establish robust security controls and practices, reducing the likelihood of data breaches. 
  • Meeting Industry Standards: PCI compliance is an industry-standard established by major payment card brands, including Visa, Mastercard, American Express, Discover, and JCB. Compliance demonstrates that businesses are taking the necessary steps to protect cardholder data, establishing trust with customers, payment processors, and other stakeholders.
  • Legal and Contractual Requirements: PCI DSS compliance is primarily a contractual obligation under your agreement with your acquiring bank, and some jurisdictions (several US states, for example) have also written PCI DSS requirements into law. Failing to comply can result in fines from the card brands passed on by your acquirer, higher processing fees, loss of the ability to accept cards, and liability for the costs of a data breach. 
  • Building Customer Trust: Maintaining PCI compliance sends a strong message to customers that their payment card information is handled securely. By protecting customer data, businesses can enhance their reputation, build trust, and retain customer loyalty. 

Who is responsible for developing the PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is developed and maintained by the Payment Card Industry Security Standards Council (PCI SSC). The PCI SSC is an independent organization formed in 2006 by major payment card brands, including Visa, Mastercard, American Express, Discover, and JCB International.

Can a company outsource its PCI DSS compliance efforts?

Yes, a company can outsource much of its PCI DSS compliance work to third parties. Many organizations work with Qualified Security Assessors (QSAs), Approved Scanning Vendors (ASVs), or Managed Security Service Providers (MSSPs) for assessment, scanning, and day-to-day security operations. Outsourcing the work does not outsource the responsibility, however: the merchant or service provider remains accountable for its own compliance, must keep a list of the third parties that can affect the security of cardholder data, and must confirm their PCI DSS status at least annually (Requirement 12.8).

Where can I find the PCI Data Security Standard (PCI DSS)?

The PCI Data Security Standard (PCI DSS) can be found on the official website of the PCI Security Standards Council (PCI SSC): www.pcisecuritystandards.org.

What are the key steps for achieving and maintaining PCI DSS compliance?

Achieving and maintaining PCI DSS compliance involves several key steps. While the specific details may vary depending on your organization's size, industry, and cardholder data environment, the following steps provide a general framework:

  • Understand the Requirements
  • Assess Your Current State
  • Develop a Remediation Plan
  • Implement Security Controls
  • Conduct Regular Vulnerability Scans
  • Complete Self-Assessment Questionnaire (SAQ) 
  • Validate and Submit Compliance Documentation
  • Maintain Ongoing Compliance

Engaging with qualified professionals, such as QSAs or security consultants, can provide valuable guidance and assistance throughout the compliance journey.

Are all the PCI DSS requirements applicable to every organization?

No, not all PCI DSS requirements are applicable to every organization. The applicability of PCI DSS requirements depends on how an organization handles payment card transactions.

Who needs to comply with PCI DSS?

The PCI DSS (Payment Card Industry Data Security Standard) applies to any organization or entity that processes, stores, or transmits payment card data. This includes merchants, service providers, financial institutions, and any other entity involved in payment card processing.

Specifically, the PCI DSS applies to the following entities:

  • Merchants: Any organization that accepts payment cards (credit cards, debit cards, prepaid cards) as a form of payment for goods or services.
  • Service Providers: Third-party organizations that are involved in processing, transmitting, or storing cardholder data on behalf of merchants or other service providers. This includes payment gateways, hosting providers, and managed security service providers.
  • Financial Institutions: Banks, credit card issuers, and other financial institutions that participate in payment card processing.

It's important to note that the way compliance is validated depends on the size and transaction volume of the organization. The card brands categorize merchants into Levels 1 to 4 and service providers into Levels 1 and 2 based on annual transaction volume. The level determines the validation method (on-site assessment and Report on Compliance versus Self-Assessment Questionnaire) and reporting requirements, not which PCI DSS requirements apply; those depend on how cardholder data is handled.

How can I determine my PCI merchant level? / What are PCI compliance levels and how are they determined?

Merchant levels are defined by each card brand (Visa, Mastercard, American Express, Discover, JCB), not by the PCI SSC, and are based on the number of transactions of that brand processed annually. The thresholds are similar across brands; the Visa and Mastercard definitions below are the ones most merchants encounter. Your acquiring bank confirms which level applies to you and which validation documents it expects.

  • Level 1: Merchants that process over 6 million transactions per year across all channels, or that a card brand designates as Level 1 (for example after a breach that compromised cardholder data). Level 1 merchants face the most rigorous validation: an annual on-site assessment by a Qualified Security Assessor (QSA), or by a trained Internal Security Assessor (ISA) where the brand allows it, documented in a Report on Compliance (ROC) and an Attestation of Compliance (AOC), plus quarterly external scans by an Approved Scanning Vendor (ASV).
  • Level 2: Merchants that process 1 million to 6 million transactions per year. They complete an annual Self-Assessment Questionnaire (SAQ) and quarterly ASV scans. Mastercard requires Level 2 merchants to have the SAQ completed by an ISA or a QSA.
  • Level 3: Merchants that process 20,000 to 1 million e-commerce transactions per year. Like Level 2, they complete an annual SAQ and quarterly ASV scans.
  • Level 4: Merchants that process fewer than 20,000 e-commerce transactions per year, and all other merchants processing up to 1 million transactions per year. Validation requirements for Level 4 are set by the acquiring bank; typically this is an annual SAQ and quarterly ASV scans where the SAQ calls for them. Which SAQ applies depends on how you accept payments, not on your level.

Count transactions the way each brand defines them, because a brand may assign you a different level than another. Merchants are responsible for knowing their level and maintaining compliance accordingly; the acquiring bank reports the merchant's compliance status to the card brands.

How often do I need to validate PCI DSS compliance?

The frequency of validating PCI DSS compliance depends on your business's specific requirements and circumstances. Here are some general guidelines:

  • Annual Validation: All businesses, regardless of their size or merchant level, are required to validate their PCI DSS compliance annually. This involves completing the necessary Self-Assessment Questionnaire (SAQ) or undergoing a formal compliance assessment by a Qualified Security Assessor (QSA), depending on your merchant level.
  • Ongoing Compliance: Compliance with PCI DSS is not a one-time event but an ongoing process. It's crucial to maintain security controls, monitor systems, and address any vulnerabilities or changes that may impact compliance throughout the year.
  • Quarterly Scans: If your cardholder data environment has internet-facing systems, you must have an Approved Scanning Vendor (ASV) scan them at least every three months and after significant changes (Requirement 11.3.2), and run internal vulnerability scans on the same schedule (Requirement 11.3.1). Both must produce passing results, so leave time to remediate and rescan.
  • Network Segmentation Testing: If you rely on network segmentation to reduce the scope of your cardholder data environment, the PCI DSS requires penetration testing to verify that the segmentation controls actually isolate it: at least annually and after changes for merchants, and at least every six months for service providers.
  • Change Management: Any changes to your environment, such as network infrastructure, systems, or processes that impact the security of cardholder data, should be evaluated for compliance. This includes regular reviews of system configurations, access controls, and security patches.

It's important to note that compliance requirements may vary based on your merchant level, payment processing methods, and other factors. It's best to consult with a Qualified Security Assessor (QSA) or your payment processor to determine the specific validation requirements for your business. As your business grows, so do your compliance and security needs.

How long does it take to become PCI DSS compliant?

The time it takes to become PCI DSS compliant can vary depending on several factors, including the complexity of your cardholder data environment, the size of your organization, the current state of your security controls, and the resources dedicated to the compliance process. 

For some small businesses with relatively simple payment processing environments and limited resources, achieving compliance may take several months. This timeframe typically involves assessing your current security posture, identifying gaps in compliance, implementing necessary security controls and procedures, and conducting any required vulnerability scans and assessments. It may also involve engaging with Qualified Security Assessors (QSAs) or other security professionals for guidance and validation.

For larger organizations or those with more complex cardholder data environments, achieving compliance may take longer. It may require more extensive security assessments, remediation efforts, and coordination among different departments or business units.

It is important to note that achieving PCI DSS compliance is not a one-time event but an ongoing process. Compliance requires maintaining and continuously monitoring security controls, conducting regular vulnerability scans, and addressing any identified vulnerabilities or weaknesses.

The key to a timely compliance journey is to start early, allocate sufficient resources, and maintain a proactive approach towards security. Engaging with experienced professionals, such as QSAs or security consultants, can provide guidance and help streamline the compliance process.

Do I need to hire a Qualified Security Assessor (QSA) for PCI DSS compliance?

The need to hire a Qualified Security Assessor (QSA) for PCI DSS compliance depends on the specific requirements of your business. Here are some questions to ask yourself: 

  • What is my merchant or service provider level?
  • How complex is my data environment?
  • How confident am I in my Internal Resources?
  • Has my acquiring bank or payment processor required me to have an assessment?

Engaging a QSA can provide several benefits, including expert guidance, independent validation, and assurance of compliance. They can help ensure a thorough assessment of your security controls, identify vulnerabilities, and provide recommendations for improving your overall security posture. Consulting with a QSA or your payment processor can help you determine the best approach for achieving PCI DSS compliance.

What is considered ‘cardholder data’?

Under the PCI DSS, account data falls into two categories. The first is cardholder data, which consists of the following elements:

  • Primary Account Number (PAN): The card number embossed or encoded on the payment card. The PAN is the defining element: the other three elements are in scope as cardholder data only where they are stored, processed, or transmitted together with the PAN.
  • Cardholder Name: The name of the cardholder as it appears on the payment card.
  • Expiration Date: The month and year after which the card is no longer valid.
  • Service Code: A three-digit value encoded on the magnetic stripe that tells the terminal where and how the card may be used and what authorization is required.

The second category is sensitive authentication data (SAD): full track data from the magnetic stripe or chip, the card verification code (CAV2/CVC2/CVV2/CID), and PINs or PIN blocks. SAD is not cardholder data and is treated more strictly: it must never be stored after authorization, even if encrypted. Stored PANs must be rendered unreadable (for example truncated, hashed with a key, or encrypted), and displayed PANs must be masked so that no more than the BIN and the last four digits are visible to anyone without a business need to see the full number; showing the first six and last four digits is the traditional and still acceptable form.
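A common first step in PCI scoping is finding out where full PANs actually appear, for instance in application logs that were never meant to capture them. The following Python script is an added example and is not code from the original FAQ or from SecurityMetrics: it locates candidate PANs in text, uses the Luhn mod-10 check to discard most number strings that merely look like card numbers, and masks confirmed hits to the first six and last four digits so the report itself does not become a new store of cardholder data. The sample log is constructed, and the card numbers in it are published test numbers, not real accounts.

```python
"""PAN discovery and masking (added example; not code from the original FAQ).

Scans text such as application logs for candidate primary account numbers,
confirms candidates with the Luhn mod-10 check to discard most false positives,
and masks confirmed PANs to first six / last four digits. The sample log below
is constructed, and the card numbers in it are published test numbers.
"""
import re
from dataclasses import dataclass

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# immediately preceded or followed by another digit.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
_SEPARATORS = re.compile(r"[ -]")

# Constructed sample: the order numbers and the sequence counter are long digit
# strings but are not Luhn-valid, so only the three PANs should be reported.
SAMPLE_LOG = """\
2024-05-02T10:15:01Z checkout ok order=1234567890123456 pan=4111 1111 1111 1111
2024-05-02T10:15:07Z checkout ok order=9876543210987654 pan=5555555555554444
2024-05-02T10:15:09Z heartbeat seq=1700000000
2024-05-02T10:16:22Z refund ok pan=378282246310005 amount=12.00
"""


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_probable_pan(digits: str) -> bool:
    """Luhn-valid and not a single repeated digit (e.g. 0000000000000000)."""
    return luhn_valid(digits) and len(set(digits)) > 1


def mask_pan(pan: str) -> str:
    """Mask to first six and last four digits, e.g. 411111******1111."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    masked: str   # masked PAN, safe to include in a scoping report
    line_no: int  # 1-based line number in the scanned text


def find_pans(text: str) -> list[Finding]:
    """Return one Finding per probable PAN; the full PAN is never returned."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _PAN_CANDIDATE.finditer(line):
            digits = _SEPARATORS.sub("", m.group())
            if is_probable_pan(digits):
                findings.append(Finding(mask_pan(digits), line_no))
    return findings


def redact(text: str) -> str:
    """Replace every probable PAN with its masked form; leave other numbers alone."""
    def _sub(m: re.Match) -> str:
        digits = _SEPARATORS.sub("", m.group())
        return mask_pan(digits) if is_probable_pan(digits) else m.group()
    return _PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    for f in find_pans(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.masked}")
    print(redact(SAMPLE_LOG))
```

The Luhn check rejects roughly nine out of ten random digit strings, so it cuts noise without being proof that a hit is a PAN; treat the output as leads to confirm, and note that any system where a confirmed PAN is found is in scope for the PCI DSS until the data is removed. For production use, point `find_pans` at files, databases, and backups rather than a string, and keep the unmasked match out of every output path.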

What is the definition of merchant?

In the context of payment card industry (PCI) terminology, a merchant refers to any entity that accepts payment cards as a form of payment for goods or services. A merchant can be an individual, a business, or an organization. Merchants typically enter into agreements with payment card brands (such as Visa, Mastercard, American Express, Discover) and acquire services from payment processors or acquiring banks to facilitate card transactions.

What constitutes a Service Provider?

A service provider is an entity that provides services to merchants or other businesses that are related to the processing, storage, or transmission of payment card data. Service providers play a crucial role in the payment card ecosystem by offering various services, such as payment processing, data hosting, managed security services, software development, or customer support.

Service providers are required to adhere to the Payment Card Industry Data Security Standard (PCI DSS) to ensure the security of cardholder data they handle on behalf of their clients. They validate separately from their customers: depending on their service provider level, either through a Report on Compliance (ROC) performed by a QSA or through the SAQ D for Service Providers, in each case accompanied by an Attestation of Compliance (AOC) that they can share with customers as evidence of compliance.

What is a Self-Assessment Questionnaire (SAQ), and which one should I complete?

A Self-Assessment Questionnaire (SAQ) is a validation tool provided by the Payment Card Industry Security Standards Council (PCI SSC) to help merchants and service providers assess their compliance with the PCI Data Security Standard (PCI DSS). The SAQ consists of a series of questions that evaluate an organization's security practices and controls related to cardholder data.

There are multiple versions of the SAQ, each tailored to specific types of businesses and payment processing methods. The appropriate SAQ to complete depends on the nature of your business, how you handle cardholder data, and other factors. Here is a brief overview of the different SAQ types:

  • SAQ A: For card-not-present merchants (e-commerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of cardholder data on the merchant's own systems.
  • SAQ A-EP: For e-commerce merchants whose website does not itself receive cardholder data but can affect the security of the payment transaction, for example a site that serves the payment form or a script that sends card data directly to a compliant third-party processor.
  • SAQ B: For merchants using only imprint machines or standalone dial-out terminals, with no electronic cardholder data storage.
  • SAQ B-IP: For merchants using only standalone, PTS-approved point-of-interaction devices with an IP connection to the payment processor, with no electronic cardholder data storage.
  • SAQ C: For merchants with a payment application system connected to the internet, with no electronic cardholder data storage.
  • SAQ C-VT: For merchants that manually key one transaction at a time into a web-based virtual terminal provided by a PCI DSS compliant third party, with no electronic cardholder data storage.
  • SAQ P2PE: For merchants using only hardware payment terminals included in a validated and PCI SSC-listed point-to-point encryption (P2PE) solution.
  • SAQ D (Merchant): For merchants who do not fit into the above categories and handle cardholder data either electronically or via paper-based processes.
  • SAQ D (Service Provider): For service providers that the card brands deem eligible to self-assess, including those that handle or manage another organization's card data processing, manage security within its cardholder data environment (CDE), or host or manage its e-commerce website or data.
  • SAQ SPoC: To be eligible to use the SAQ SPoC to validate merchant compliance, the following statements must be true for your payment environment:
    • All payment processing is only via a card-present payment channel. 
    • All cardholder data entry is via a Secure Card Reader PIN (SCRP) that is part of a validated SPoC solution approved and listed by PCI SSC (Payment Card Industry Security Standards Council).
    • The only systems in the merchant’s SPoC environment that store, process, or transmit account data are those used as part of the validated SPoC solution approved and listed by PCI SSC.
    • The merchant does not otherwise receive, transmit, or store account data electronically.
    • This payment channel is not connected to any other systems/networks within the merchant environment.
    • Any account data the merchant might retain is on paper (for example, printed reports or receipts), and these documents are not received electronically.
    • The merchant has implemented all controls in the SPoC user guide provided by the SPoC Solution Provider.

To determine which SAQ you should complete, you need to evaluate your payment processing methods, cardholder data environment, and the specific requirements outlined in each SAQ. Consult with your payment processor or acquiring bank to ensure you select the appropriate SAQ for your business.

What is a Report on Compliance (ROC)? 

A Report on Compliance (ROC) is a document that provides detailed information about an organization's compliance with the Payment Card Industry Data Security Standard (PCI DSS).

The ROC includes an evaluation of the organization's security controls, policies, and procedures related to the protection of cardholder data. It covers all 12 PCI DSS requirements and includes evidence of compliance, such as documentation, test results, and security assessments.

How many different types of SAQs are there?

There are ten SAQ types: SAQ A, SAQ A-EP, SAQ B, SAQ B-IP, SAQ C, SAQ C-VT, SAQ P2PE, SAQ D for Merchants, SAQ D for Service Providers, and SAQ SPoC. The eligibility criteria for each are summarized in the previous answer; the definitive criteria are stated at the front of each SAQ document published by the PCI SSC.

Logistic Questions

How Much Does a PCI Assessment Cost?

The cost of a PCI assessment can vary significantly depending on various factors. For organizations that outsource most of their operations and have a relatively simple environment, the cost may range from around $16,000 to $18,000. However, for more complex audits involving multiple locations, intricate processes, and numerous parties to interview, the cost can increase to tens or even hundreds of thousands of dollars.

Even a short call with a PCI expert at SecurityMetrics can give you a more accurate estimate of what a PCI assessment would cost you.

What Happens if I’m PCI Compliant and a New Standard is Released?

If a new version of the PCI DSS (Payment Card Industry Data Security Standard) is released while you are already PCI compliant with the current version, you will not be immediately required to comply with the new standard. The PCI Security Standards Council typically provides a transition period to allow organizations to adapt to the changes.

During this transition period, you can continue to maintain your compliance with the current version of the standard until the specified retirement date. The PCI Security Standards Council sets a date by which the old version is retired and assessments must use the new one, and often marks selected new requirements as "future-dated" best practices that become mandatory later. For example, PCI DSS v3.2.1 was retired on 31 March 2024, v4.0 was retired on 31 December 2024 in favor of v4.0.1, and the future-dated requirements of v4.x became mandatory on 31 March 2025. This gives organizations time to understand and implement the new requirements.

It’s important to stay informed about upcoming changes to the PCI DSS by regularly checking the PCI Security Standards Council's website and official communications. They provide guidance and resources to help organizations understand and prepare for the transition to the new version of the standard.

When a new standard is released, review the changes and assess their impact on your organization's cardholder data environment and compliance efforts. You may need to adjust your security controls, policies, and procedures to align with the new requirements. Consulting with a Qualified Security Assessor (QSA) can also be beneficial to ensure a smooth transition and ongoing compliance with the updated standard.

Remember, maintaining PCI compliance is an ongoing process, and staying up to date with the latest standards and requirements is crucial to protect cardholder data and maintain a secure payment environment.

How much time does a PCI audit take?

Organizations that engage a third-party Qualified Security Assessor (QSA) usually do so because they have a complex environment or a high transaction volume, and both factors increase the scope and duration of the PCI audit process.

For organizations undergoing their first PCI audit, the timeline can range from three months to a year, depending on how prepared they are. It often takes this long because of the need for a thorough discovery process and the adjustments required to align your environment with the PCI requirements.

However, there are instances where customers have pressing deadlines and are willing to put in the necessary effort and preparation. In such cases, they may be able to complete the audit process within a shorter time frame, potentially around three months.

It’s important to note that the duration of the PCI audit process can vary depending on the specific circumstances of each organization, including the complexity of their environment, the level of readiness, and the resources dedicated to the preparation. Working closely with a QSA can help streamline the process and ensure a smooth and efficient audit experience.

Can I Self-Assess for PCI Compliance?

Yes, you can self-assess for PCI compliance, provided that your organization meets the eligibility criteria for self-assessment. 

When it comes to determining whether or not you can self-assess, there are primarily two types of entities: merchants and service providers. As a service provider, you can self-assess with SAQ D for Service Providers as long as you are not a Level 1 service provider (for Visa and Mastercard, Level 1 means storing, processing, or transmitting more than 300,000 transactions per year; Level 1 service providers need a QSA assessment and ROC). As a merchant, you can generally self-assess if you process fewer than 6 million transactions per year (Levels 2 through 4), although Mastercard requires Level 2 merchants to have their SAQ completed by an ISA or QSA, and your acquiring bank can require an on-site assessment at any level. 

The PCI DSS provides Self-Assessment Questionnaires (SAQs) designed for merchants and service providers to evaluate their compliance with the standard. There are different SAQ types available, each tailored to specific payment environments and levels of validation. 

However, it's important to note that not all organizations are eligible for self-assessment. The PCI DSS requires certain criteria to be met, such as transaction volume, network segmentation, and adherence to specific security controls. If you meet the criteria for self-assessment, you can use the appropriate SAQ and follow the guidelines provided to assess your compliance.

If I Have the Right Payment Processing Solution, Does That Make Me PCI Compliant?

Having the right payment processing solution alone does not automatically make you PCI compliant. Using a secure payment processing solution can greatly simplify your PCI compliance efforts, but it’s just one aspect of meeting the requirements of the Payment Card Industry Data Security Standard (PCI DSS).

PCI compliance encompasses a comprehensive set of security standards and practices designed to protect cardholder data and maintain a secure payment environment. It involves various technical and operational requirements that must be met by merchants and service providers who handle payment card data.

Am I PCI compliant if I have an SSL certificate?

No, having an SSL or TLS certificate alone does not make you PCI compliant. A certificate lets a website encrypt data in transit and prove its identity to visitors, which addresses part of Requirement 4 (protecting cardholder data during transmission over open, public networks), but PCI compliance involves all twelve requirements. Note also that SSL and early TLS (TLS 1.0, and in practice TLS 1.1) are no longer considered strong cryptography by the PCI SSC; the deadline for migrating off them was June 30, 2018, so a payment page must use TLS 1.2 or later with strong cipher suites, regardless of who issued the certificate.

My business has multiple locations, is each location required to validate PCI compliance?

The requirement for each location to validate PCI compliance depends on the specific circumstances and setup of your business. Generally, if each location processes, stores, or transmits cardholder data independently, then each location may be required to validate its own PCI compliance.

The PCI DSS applies to any entity that handles cardholder data, and compliance validation is typically based on the scope of that data handling. If each location has its own separate network, processes transactions independently, and stores cardholder data locally, then each location may need to undergo its own PCI compliance assessment.

However, if the locations are connected to a centralized system or network where cardholder data is consolidated or transmitted, the validation requirements may be different. In such cases, the scope of compliance may be assessed based on the central system or network, rather than individual locations.

It's important to consult with Qualified Security Assessors (QSAs), or a qualified PCI DSS professional to determine the specific compliance requirements for your business's multi-location setup. They can provide guidance on scoping, assessment procedures, and the appropriate validation approach for each location based on the specific circumstances of your organization.

What does a small-to-medium sized business (Level 4 merchant) have to do in order to satisfy the PCI DSS requirements?

As a small-to-medium-sized business (Level 4 merchant), you are required to comply with the PCI DSS (Payment Card Industry Data Security Standard) to protect cardholder data and maintain a secure payment environment, and your acquiring bank sets how you validate. In most cases that means: confirm with your acquirer which SAQ matches the way you accept cards; implement the requirements that SAQ contains; if your SAQ calls for it, pass quarterly external vulnerability scans by an Approved Scanning Vendor (ASV); complete the SAQ and its Attestation of Compliance annually; and submit both to your acquirer.

Remember, PCI compliance is an ongoing process, not a one-time event. Regularly assess and validate your compliance, monitor your systems for vulnerabilities, and implement necessary security controls to maintain a secure environment for handling payment card data.

PCI E-commerce Questions 

We only do e-commerce. Which SAQ should we use?

If your business solely engages in e-commerce and does not store, process, or transmit cardholder data on your own systems, you may be eligible to use the Self-Assessment Questionnaire (SAQ) A. SAQ A is specifically designed for e-commerce merchants who outsource all cardholder data functions to validated third-party service providers.

If I’m running a business from my home, am I a serious target for hackers?

The level of risk your home-based business faces from hackers depends on several factors, including the nature of your business, the type of data you handle, your online presence, and the security measures you have in place. While home-based businesses may not be as high-profile targets as large enterprises, they are not immune to cyber threats. Here are some considerations:

  • Data Sensitivity: If your home-based business deals with sensitive customer information, financial data, or personal identifiers (such as Social Security numbers), you may be a target for hackers seeking to steal this valuable data.
  • Online Presence: Even small businesses with an online presence, such as a website or social media accounts, can attract cybercriminals looking for vulnerabilities to exploit.
  • Lack of Resources: Hackers may view home-based businesses as potential targets because they may have fewer resources dedicated to cybersecurity compared to larger companies.
  • Ransomware Attacks: Ransomware attacks, where hackers encrypt data and demand a ransom for its release, can target businesses of any size, including home-based ones.
  • Opportunistic Attacks: Some cyberattacks are opportunistic, targeting vulnerable systems regardless of the size of the business.

To reduce the risk of cyber threats and protect your home-based business, consider the following security measures:

  • Secure Networks: Use strong passwords for Wi-Fi and router access, and enable WPA2 or WPA3 encryption on your wireless network.
  • Regular Updates: Keep your computer's operating system, software, and antivirus up to date to patch vulnerabilities.
  • Backup Data: Regularly backup important business data to an external drive or cloud storage to prevent data loss in case of an attack.
  • Use Security Software: Install reputable antivirus and anti-malware software to detect and prevent cyber threats.
  • Secure Payment Processing: If you process payments online, use secure payment gateways that comply with PCI DSS (Payment Card Industry Data Security Standard).
  • Employee Awareness (if applicable): Educate yourself and any employees about phishing scams, social engineering, and other common cyber threats.
  • Limit Access: Restrict access to sensitive data to only authorized personnel, and consider using multi-factor authentication for added security.

While no business is completely immune to cyber threats, taking proactive steps to secure your home-based business can significantly reduce the risk of falling victim to cyberattacks. Being vigilant and maintaining good cybersecurity practices is essential to protect your business and customer data.

Mobile PCI Questions

If I only accept credit cards over the phone, does PCI DSS still apply to me?

Yes, PCI DSS still applies to businesses that accept credit cards over the phone, even if it is their only method of accepting payments. 

When accepting credit cards over the phone, you are considered a "card-not-present" merchant. This means that you are collecting cardholder data without physically seeing the payment card, which presents unique security challenges. The PCI DSS applies to all entities that store, process, or transmit cardholder data, regardless of the channel through which the transactions occur.

How does taking credit cards by phone work with PCI?

Taking credit cards by phone can pose security risks and compliance obligations under the Payment Card Industry Data Security Standard (PCI DSS). To handle credit card information securely and maintain PCI compliance, here are some key considerations:

  • Limit Data Collection: Only collect the necessary cardholder data required for the transaction. Avoid recording sensitive information such as the card's CVV/CVC (Card Verification Value/Code) or storing full card details.
  • Secure Communication: Ensure that the phone conversation is conducted in a private and secure environment to prevent unauthorized individuals from overhearing or intercepting the card details. Use a dedicated, private line for credit card transactions.
  • Don't Store Card Data: Avoid recording credit card details during the call or storing them in any form (electronic or paper). Once the transaction is completed, securely dispose of any written card information or delete any digital records.
  • Use the Processor's Fraud Checks: Validate the transaction with the controls your processor offers at authorization time, such as address verification (AVS) and the card security code. The security code may be keyed into the virtual terminal for the authorization, but it must never be written down, typed into a note or ticket, or retained after authorization, even encrypted.
  • Secure Network Infrastructure: Phone systems that carry card data are in scope, including VoIP and any call-recording platform. Ensure those systems, the networks they sit on, and the workstation running your virtual terminal are secured against unauthorized access or tampering with firewalls, encryption, and the other PCI DSS controls. If calls are recorded, the recordings must not retain the security code; use pause-and-resume recording or redaction.
  • Train Employees: Provide comprehensive training to employees who handle credit card transactions over the phone. Educate them about PCI requirements, security best practices, and the importance of safeguarding cardholder data. Emphasize the need for confidentiality and secure handling of customer information.

By adhering to these practices, you can help protect cardholder data and reduce the risk of unauthorized access or data breaches. It’s essential to understand the specific PCI requirements that apply to your business and consult with a PCI compliance expert or Qualified Security Assessor (QSA) to ensure full compliance with the PCI DSS.

Questions about third-parties 

Do organizations using third-party processors have to be PCI DSS compliant?

Yes, organizations using third-party processors still have the responsibility to be PCI DSS compliant. Using a third-party processor can help offload some of the responsibilities and security measures related to cardholder data while reducing your scope since you are not directly handling cardholder data. However, it does not make organizations exempt from PCI DSS compliance.

It is also your responsibility, under Requirement 12.8, to confirm that the third-party service provider is PCI DSS compliant: obtain its current Attestation of Compliance, re-check its status at least annually, and keep a written agreement that states which PCI DSS requirements the provider covers and which remain yours.

Preparing for a PCI Assessment Questions

How Can I Get Ready for a PCI Assessment?

Preparing for a PCI Assessment is no small task. The biggest challenge is that most businesses don’t have the staff available to focus their efforts on a PCI assessment. You may need to hire additional staff or outsource some additional help. 

Here are some ways you can prepare for a PCI assessment: 

  • Understand the Requirements: Familiarize yourself with the PCI Data Security Standard (PCI DSS) and the specific requirements applicable to your organization. Read the PCI DSS documentation and guidelines to gain a thorough understanding of what is expected.
  • Scope Your Environment: Determine the scope of your cardholder data environment (CDE) and identify all systems, networks, and processes that handle cardholder data. Clearly define the boundaries of your CDE to ensure accurate assessment and compliance.
  • Conduct a Gap Analysis: Perform a comprehensive gap analysis to identify any areas where your current security controls and practices fall short of the PCI DSS requirements. This analysis will help you identify vulnerabilities and areas for improvement.
  • Implement Security Controls: Based on the results of the gap analysis, implement necessary security controls to address any identified deficiencies. This may involve implementing firewalls, encryption, access controls, network segmentation, and other security measures.
  • Document Policies and Procedures: Develop and document your organization's policies and procedures for maintaining PCI DSS compliance. These should cover areas such as data protection, access management, incident response, and security awareness training.
  • Train Employees: Ensure that all employees are trained on the importance of PCI compliance and understand their roles and responsibilities in maintaining security. Provide regular training sessions and awareness programs to keep everyone informed and up to date.
  • Conduct Regular Security Testing: Perform regular vulnerability scans and penetration tests to identify any vulnerabilities or weaknesses in your systems. Address any issues promptly and document remediation actions taken.
  • Maintain Logs: Maintain thorough logs and audit trails of all relevant activities and individuals within your environment. This will assist in monitoring and detecting any unauthorized access or suspicious activities.
  • Engage with Qualified Security Assessors (QSA): If required, engage with a Qualified Security Assessor (QSA) to conduct an independent assessment of your compliance. QSAs are certified professionals who can validate your compliance with the PCI DSS and provide guidance on areas of improvement.
  • Prepare Documentation: Ensure all required documentation, including policies, procedures, audit trails, and assessment reports, are properly organized and readily available for the assessment.
  • Schedule the Assessment: Coordinate with your chosen assessor to schedule the assessment. Provide them with all necessary information and access to your systems to conduct the assessment effectively.
  • Address Assessment Findings: After the assessment, review the findings and recommendations provided by the assessor. Address any identified issues promptly and implement necessary remediation measures.

How can I increase my likelihood of passing my PCI audit?

One of the most common reasons an assessment stalls is the vulnerability scanning requirement (Requirement 11.3 of PCI DSS v4.0.1; 11.2 in v3.2.1). It calls for internal and external vulnerability scans at least once every three months, with rescans until the external scan passes the ASV Program criteria and all high-risk and critical internal findings are resolved. To validate, you are normally expected to show four consecutive passing quarterly scans.

External scans must be run by an Approved Scanning Vendor (ASV); internal scans may be run by qualified, organizationally independent internal staff or a third party. If a scan fails, fix the findings promptly and rescan until you have a passing report for that quarter, because the requirement is a passing scan in each quarter, not just a passing scan at assessment time.

Keeping those scans passing quarter after quarter, and keeping the reports on file, removes one of the most frequent obstacles to a clean assessment.

Failing an assessment Questions

What Happens if I Don’t Pass My Audit?

If you don't pass your PCI audit, it means that your organization has not met the requirements of the PCI Data Security Standard (PCI DSS) as assessed by the Qualified Security Assessor (QSA) or internal auditor. The consequences of not passing your audit can vary depending on several factors, including the severity of the non-compliance and the policies of the card brands and acquiring banks. Here are some potential outcomes:

  • Non-Compliance Fees
  • Remediation Actions
  • Increased Risk
  • Loss of Privileges
  • Additional Audits and Assessments
  • Reputational Damage

Take non-compliance seriously and promptly address any issues identified in the audit. By rectifying non-compliant areas, implementing necessary security controls, and demonstrating ongoing commitment to PCI DSS compliance, you can work towards resolving the situation and ensuring a secure payment environment. Engaging with a PCI compliance professional or a Qualified Security Assessor (QSA) can provide guidance and support in achieving and maintaining PCI compliance.

What are the penalties for non-compliance?

The penalties for non-compliance with PCI DSS can vary depending on the circumstances and the card brands involved. Here are some potential consequences of non-compliance:

  • Fines: The card brands, such as Visa, Mastercard, American Express, and others, may impose fines on businesses that fail to comply with PCI DSS requirements. These fines can vary in amount based on the severity of the non-compliance and the number of previous violations.
  • Increased Transaction Fees: Non-compliant businesses may face higher transaction fees imposed by the acquiring bank or payment processor. These fees are meant to cover the additional risk associated with processing payments from non-compliant merchants.
  • Loss of Reputation: Non-compliance with PCI DSS can lead to negative publicity and damage to your brand's reputation. Customers may lose trust in your ability to protect their sensitive cardholder data, resulting in a loss of business and customer loyalty.
  • Legal Consequences: In some cases, non-compliance can result in legal action, especially if a data breach occurs and customer data is compromised. This can lead to lawsuits, government investigations, and potential financial liabilities.
  • Remediation Costs: If your business is found to be non-compliant, you will need to invest time and resources to address the issues to become compliant. This may involve conducting audits, implementing additional security measures, and potentially undergoing a reassessment by a Qualified Security Assessor (QSA).

It's important to note that the specific penalties and consequences for non-compliance may vary depending on the contractual agreements between your business and the card brands, as well as any applicable laws and regulations in your jurisdiction. To mitigate these risks, it is crucial to maintain ongoing PCI compliance and implement the necessary security controls to protect cardholder data. Regular assessments, security updates, and adherence to best practices are essential to avoiding penalties and maintaining a secure payment environment with happy customers or clients.

Scoping Questions

What is in scope for PCI Compliance?

The scope of PCI compliance refers to the systems, processes, and people within your organization that are involved in the storage, processing, or transmission of cardholder data (CHD) or sensitive authentication data (SAD). The scope can vary depending on your specific cardholder data environment (CDE) and the types of payment channels you utilize.

Generally, the following components are typically considered in scope for PCI compliance:

  • Network Segments: Any networks or network segments that store, process, or transmit cardholder data fall within the scope, including your internal network, external-facing networks, wireless networks, and the connections between them. Systems that never touch cardholder data but are connected to the CDE, or that can affect its security (domain controllers, jump hosts, patch and log servers, firewalls), are also in scope; only networks isolated from the CDE by verified segmentation can be excluded.
  • Systems and Applications: Any systems, applications, databases, or software that handle or store cardholder data are in scope. This includes point-of-sale (POS) systems, e-commerce platforms, payment gateways, databases, and other relevant systems.
  • Physical Infrastructure: Physical devices and facilities that house or process cardholder data, such as servers, storage devices, payment terminals, and data centers, are considered in scope.
  • People and Processes: Individuals who have access to cardholder data or are involved in the handling, processing, or transmission of such data fall within the scope. This includes employees, contractors, and third-party service providers who interact with cardholder data.

It's important to note that achieving PCI compliance requires implementing security controls and adhering to the PCI Data Security Standard (PCI DSS) across all elements within the scope. This involves maintaining secure network configurations, implementing strong access controls, conducting regular vulnerability assessments, and following appropriate encryption and security practices.

To determine the specific scope for your organization, conduct a comprehensive scoping exercise; this may involve consulting a Qualified Security Assessor (QSA) or a PCI compliance professional. They can help assess your environment, identify the systems and processes involved in cardholder data handling, and ensure that your compliance efforts are appropriately targeted. Record the result as a network diagram and a data-flow diagram showing every place card data enters, moves, and leaves, and confirm it at least annually and after significant changes, as Requirement 12.5.2 expects.

Are debit card transactions in scope for PCI?

Yes, debit card transactions are generally in scope for PCI compliance. The Payment Card Industry Data Security Standard (PCI DSS) applies to all entities that store, process, or transmit cardholder data, which includes both credit and debit card data. Debit cards are considered payment cards and fall under the same security requirements as credit cards.

Why Should I Reduce My PCI Scope?

Reducing your PCI scope is important for several reasons:

  • Enhanced Security: By minimizing the number of systems, processes, and people that come in contact with sensitive cardholder data, you reduce the potential attack surface and vulnerabilities within your organization. It improves security and lowers the risk of data breaches and fraudulent activities.
  • Cost Savings: PCI compliance can be resource-intensive and costly. By reducing your PCI scope, you decrease the number of systems and processes that need to be audited and maintained, resulting in reduced compliance costs, such as annual assessments, security controls, and ongoing monitoring.
  • Simplified Compliance: With a smaller scope, achieving and maintaining PCI compliance becomes more manageable. It allows you to focus your efforts and resources on a specific subset of your environment, making it easier to implement and monitor security controls, conduct vulnerability assessments, and address any compliance gaps.

Overall, reducing your PCI scope is a proactive approach to safeguarding sensitive cardholder data, improving security, reducing costs, and simplifying compliance efforts.

How Does P2PE Affect What I Need to Do for PCI Compliance?

P2PE (Point-to-Point Encryption) can significantly impact your PCI compliance requirements by reducing the scope of your cardholder data environment, simplifying the compliance process, and reducing cost. 

P2PE solutions encrypt cardholder data at the point of capture and maintain its encryption throughout the entire transaction process until it reaches the secure decryption environment.

If you implement a validated P2PE solution and properly configure and maintain it, your cardholder data environment (CDE) will be significantly reduced, potentially limiting your compliance obligations to only a few requirements of the PCI DSS. This can simplify your compliance efforts, as you'll have fewer controls to implement and validate.

However, it's important to note that while P2PE can streamline compliance, it does not eliminate it entirely. You will still need to comply with certain requirements such as physical security, employee training, and monitoring of the P2PE solution. Additionally, you must ensure that your P2PE solution is listed on the PCI Security Standards Council's official list of validated solutions.

It is recommended to consult with a Qualified Security Assessor (QSA) or a P2PE Qualified Security Assessor (P2PE QSA) to understand the specific requirements and validation process for implementing P2PE and achieving PCI compliance in your particular environment.

Data Storage Questions

Is Storing Tokens the Same as Storing Credit Card Data?

No, storing tokens is not the same as storing credit card data. When you store credit card data, you are keeping the actual sensitive payment information, such as the card number, expiration date, and cardholder name. This poses a security risk because if the stored data is compromised, it can be used for fraudulent purposes.

On the other hand, storing tokens is a method of replacing sensitive payment card information with a unique identifier called a token. Tokens are generated through a process known as tokenization, where the actual credit card data is securely stored by a tokenization provider or in a token vault. The token acts as a reference to the original card data, but it is meaningless and cannot be used to reconstruct the cardholder's sensitive information.

By storing tokens instead of credit card data, you reduce the risk associated with storing sensitive information. Even if the tokens are accessed by unauthorized individuals, they are useless without the corresponding tokenization system or vault that holds the actual card data. Tokenization is considered a more secure method for handling payment information and helps organizations achieve PCI compliance by minimizing the scope of sensitive data storage.

If my company doesn’t store credit card data, do we still need to be PCI compliant?

Even if your company does not store credit card data, PCI compliance may still apply to you, depending on your specific business operations and involvement with payment card transactions. Here are a few considerations:

  • Processing, Transmitting, or Accepting Cardholder Data: If your company processes, transmits, or accepts credit card data, even if you don't store it, PCI compliance requirements still apply. This includes scenarios where you handle cardholder data during transactions, such as through online payment gateways, virtual terminals, or point-of-sale systems.
  • Third-Party Service Providers: If your company engages with third-party service providers that handle cardholder data on your behalf, you have an obligation to ensure those service providers are PCI compliant. As a merchant, it is your responsibility to work with PCI-compliant service providers and maintain appropriate security controls in your relationship with them.
  • Applicable SAQ: Based on your business operations and the scope of your involvement with payment card transactions, you may be required to complete a Self-Assessment Questionnaire (SAQ) to demonstrate compliance with the PCI DSS. There are different SAQ types, and selecting the right one depends on how you accept payments (fully outsourced e-commerce, redirect or iframe, virtual terminal, P2PE terminal, and so on), the technology involved, and whether you store cardholder data electronically. Transaction volume determines your merchant level, and therefore whether an SAQ is accepted at all or an on-site assessment with a Report on Compliance is required; it does not pick the SAQ type.
  • Liability and Security Best Practices: Even if you don't store credit card data, it is essential to follow security best practices and industry standards to protect sensitive information during payment processing. Implementing secure practices, such as using encryption, maintaining secure network environments, and regularly monitoring for vulnerabilities, helps mitigate the risk of data breaches and demonstrates a commitment to data security.

It is recommended that you consult a Qualified Security Assessor (QSA) or a PCI compliance professional to assess your specific business scenario and determine the extent of your PCI compliance obligations. They can provide guidance tailored to your organization's operations and help ensure that you are following the necessary security measures to protect cardholder data and meet industry standards.

My company wants to store credit card data. What methods can we use?

If your company intends to store credit card data, first decide whether you truly need to; every stored PAN expands your scope and your liability. If storage is necessary, the PAN must be rendered unreadable wherever it is stored, and you take on strict security obligations. Here are the methods PCI DSS accepts for storing credit card data:

  • Tokenization: Tokenization involves replacing sensitive cardholder data with a unique identifier called a token. The actual cardholder data is securely stored in a separate system or with a trusted third-party provider. 
  • Encryption: Encryption transforms the credit card data into an unreadable format using cryptographic algorithms. The encrypted data can only be decrypted with a specific encryption key. Strong encryption methods, such as AES (Advanced Encryption Standard), should be employed to protect the data both at rest and in transit.
  • Secure Third-Party Storage: Instead of storing credit card data in-house, you can consider utilizing the services of a reputable third-party service provider specializing in secure cardholder data storage. These providers are typically certified and audited for compliance with PCI DSS and maintain robust security measures.

Whichever method you choose, two rules from Requirement 3 apply regardless: sensitive authentication data (the full track contents, the card security code, and the PIN or PIN block) must never be stored after authorization, even encrypted (Requirement 3.3.1), and any stored PAN must be rendered unreadable by truncation, a keyed cryptographic hash of the whole PAN, tokenization, or strong cryptography with documented key management (Requirement 3.5.1). Encryption keys must be stored separately from the data they protect, and the rest of the PCI DSS (access controls, logging, vulnerability management, and so on) still applies to the systems that hold the data.

It is strongly recommended to consult with a Qualified Security Assessor (QSA) or a PCI compliance professional to ensure that your chosen method aligns with PCI DSS requirements and best practices. They can provide guidance specific to your organization's needs and help you implement the most appropriate and secure solution for storing credit card data.

Can the full credit card number be printed on the consumer’s copy of the receipt?

No. PCI DSS Requirement 3.4.1 requires the PAN to be masked whenever it is displayed, with the BIN and last four digits the most that may ever be shown; a customer receipt should show only the last four digits. A printed receipt is stored cardholder data like any other, so a receipt printer or POS application that prints the full PAN must be reconfigured or replaced. The merchant copy gets at most the same BIN-plus-last-four masking.
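The following is an added example, not code from SecurityMetrics or from the PCI SSC, showing three of the techniques described above for rendering a PAN unreadable: masking for display, a keyed hash for matching, and a token vault. The TokenVault class is an in-memory stand-in for a PCI-validated tokenization provider, the HMAC key is a constructed test value (a real key would come from an HSM or key management service), and the PANs are industry test numbers, not real accounts; the requirement numbers in the comments are from PCI DSS v4.x.

```python
"""Rendering a PAN unreadable for storage and display (added example)."""
import hashlib
import hmac
import secrets

# Constructed test values: a well-known test PAN and an all-zero key. In
# production the key comes from an HSM/KMS and is never hard-coded.
TEST_PAN = "4111 1111 1111 1111"
TEST_HMAC_KEY = bytes.fromhex("00" * 32)


def luhn_valid(digits):
    """Luhn check digit test; rejects typos before anything is stored or hashed."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def normalize_pan(pan):
    """Strip spaces and dashes and validate length and Luhn so garbage is refused early."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 12 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return digits


def mask_pan(pan, show_bin=False):
    """Masked form for display (Req. 3.4.1): at most the BIN and last four digits
    for staff with a need to know; a customer receipt gets the last four only."""
    digits = normalize_pan(pan)
    keep_front = 6 if show_bin else 0
    return digits[:keep_front] + "*" * (len(digits) - keep_front - 4) + digits[-4:]


def keyed_hash_pan(pan, key):
    """Keyed hash of the whole PAN (Req. 3.5.1.1). A bare SHA-256 is not enough,
    because the PAN space is small enough to brute-force an unkeyed hash."""
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Stand-in for a tokenization provider: the PAN lives only inside the vault,
    and the token handed back is random, so it cannot be reversed without the vault."""

    def __init__(self):
        self._by_token = {}
        self._by_pan = {}

    def tokenize(self, pan):
        digits = normalize_pan(pan)
        if digits in self._by_pan:                 # same PAN -> same token, so repeat
            return self._by_pan[digits]            # customers can be matched by token
        token = "tok_" + secrets.token_hex(16)     # not derived from the PAN
        self._by_token[token] = digits
        self._by_pan[digits] = token
        return token

    def detokenize(self, token):
        return self._by_token[token]


if __name__ == "__main__":
    vault = TokenVault()
    print("receipt:", mask_pan(TEST_PAN))
    print("back office:", mask_pan(TEST_PAN, show_bin=True))
    print("lookup key:", keyed_hash_pan(TEST_PAN, TEST_HMAC_KEY)[:16], "...")
    print("token:", vault.tokenize(TEST_PAN))
```

Only the vault (or, with the keyed-hash approach, the key) is in scope for the full PAN; the masked string and the token can be stored and displayed outside the CDE, which is the scope reduction the FAQ describes.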

Is PCI DSS compliance mandatory for organizations that do not store cardholder data?

Organizations that do not store cardholder data may have a reduced scope for PCI DSS compliance compared to those that do store such data. However, they are still required to adhere to specific security measures outlined in the PCI DSS to protect cardholder data during payment processing and ensure the security of their payment environment. 

Even if an organization does not directly store cardholder data, it may still have access to sensitive cardholder information during payment transactions. For example, if an organization processes credit card payments online, over the phone, or in person, it likely handles cardholder data temporarily during the transaction process. This includes data such as credit card numbers, expiration dates, and cardholder names.

PCI DSS compliance is mandatory for all organizations that process, store, or transmit cardholder data, regardless of whether they store cardholder data themselves or use third-party payment processors to handle the data.

Is tokenization an acceptable method for protecting cardholder data?

Yes, tokenization is an acceptable method for protecting cardholder data and is widely used in the payment industry for this purpose. 

Tokenization is a process where sensitive cardholder data, such as the credit card number, is replaced with a surrogate value called a token. The token has no mathematical relation to the original card data and cannot be used to reconstruct the PAN; if it can be used to initiate a charge at all, that is only through the tokenization provider that holds the mapping, so a stolen token is useless to an attacker.

By implementing tokenization, merchants and service providers can significantly reduce the scope of PCI DSS compliance requirements because the sensitive cardholder data is no longer present within their systems. 

Payments Questions

What is a payment gateway?

A payment gateway is a technology infrastructure that facilitates the secure transfer of payment information between a merchant's website or point-of-sale system and the payment processor or acquiring bank. It acts as an intermediary that encrypts and transmits sensitive cardholder data securely over the internet.

What constitutes a payment application?

A payment application refers to any software or application that is involved in the processing, transmission, or storage of payment card data. It includes both software applications installed on electronic devices (such as point-of-sale terminals, mobile payment apps, and payment gateways) and web-based applications used for e-commerce transactions.

PCI 4.0.1 (The latest version of the PCI DSS) Questions

When do I need to be compliant with PCI 4.0.1? 

PCI DSS v3.2.1 was retired on March 31, 2024; since then all assessments, including SAQs, must be completed against version 4.x. The future-dated requirements in v4.x became mandatory on March 31, 2025, and v4.0 itself was retired on December 31, 2024, leaving v4.0.1 as the only active version.

Are there new requirements for e-commerce security? 

Yes. PCI DSS v4.0.1 introduces new e-commerce requirements, the most visible being Requirement 11.6.1 and its companion 6.4.3, which apply to SAQ A, SAQ A-EP, and SAQ D merchants and to SAQ D service providers. Requirement 11.6.1 mandates a change- and tamper-detection mechanism that alerts personnel to unauthorized modification of the security-impacting HTTP headers and the script contents of payment pages as received by the consumer browser; for a merchant using a third-party service provider (TPSP) iframe, that means the merchant page that hosts the iframe. Requirement 6.4.3 requires every script loaded on those pages to be inventoried, authorized, and integrity-checked.

To comply, the mechanism must run at least once every seven days, or at the frequency set by your targeted risk analysis, and must cover both the headers and the scripts, since a skimmer is usually injected by adding or altering a script rather than by changing the page's visible content.
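As an added example of the kind of check Requirement 11.6.1 calls for (not SecurityMetrics' Shopping Cart Monitor or any PCI SSC code), the script below fingerprints the security-impacting response headers and every script on a payment page, stores that as a baseline, and reports any header or script that is added, removed, or changed on a later run. The header list, the sample page, and the tampered copy are all constructed for the example so it runs offline; in production you would fetch the live iframe-hosting page the way a browser does and also fetch and hash the content of each external script rather than only its URL.

```python
"""Baseline-and-compare check for payment-page headers and scripts (added example)."""
import hashlib
import json
from html.parser import HTMLParser

# Headers whose tampering weakens payment-page protections. Assumed list for
# the example; the standard leaves the exact set to the entity.
SECURITY_IMPACTING_HEADERS = (
    "content-security-policy",
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
)


def _sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class _ScriptCollector(HTMLParser):
    """Collect every <script> on the page as (kind, src_or_None, body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._buf = []
        self._src = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script, self._buf, self._src = True, [], dict(attrs).get("src")

    def handle_data(self, data):
        if self._in_script:                      # HTMLParser hands script bodies to handle_data
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf).strip()
            self.scripts.append(("external" if self._src else "inline", self._src, body))
            self._in_script, self._src = False, None


def fingerprint(headers, html):
    """Hash the security-impacting headers and each script; the dict is the baseline."""
    norm = {k.lower(): v for k, v in headers.items()}
    header_hashes = {}
    for name in SECURITY_IMPACTING_HEADERS:
        # A header that disappears is itself a finding, so absence is recorded explicitly
        header_hashes[name] = _sha256(norm[name]) if name in norm else "ABSENT"
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    scripts = {}
    for idx, (kind, src, body) in enumerate(collector.scripts):
        if kind == "external":
            scripts[src] = _sha256(src)          # production: fetch src and hash its content
        else:
            scripts[f"inline#{idx}"] = _sha256(body)
    return {"headers": header_hashes, "scripts": scripts}


def compare(baseline, current):
    """Return (section, key, change) tuples; an empty list means no drift."""
    findings = []
    for section in ("headers", "scripts"):
        base, cur = baseline[section], current[section]
        for key in sorted(set(base) | set(cur)):
            if key not in cur:
                findings.append((section, key, "removed"))
            elif key not in base:
                findings.append((section, key, "added"))
            elif base[key] != cur[key]:
                findings.append((section, key, "changed"))
    return findings


# Constructed sample: the merchant page that hosts the PSP iframe, as first approved.
BASELINE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-src https://psp.example",
    "Strict-Transport-Security": "max-age=31536000",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
}
BASELINE_HTML = """<html><head>
<script src="https://psp.example/checkout.js"></script>
<script>window.checkoutConfig = {merchant: "m-123"};</script>
</head><body><iframe src="https://psp.example/pay"></iframe></body></html>"""

# Constructed tampered copy: CSP loosened and a skimmer-style script injected.
TAMPERED_HEADERS = {**BASELINE_HEADERS, "Content-Security-Policy": "default-src *"}
TAMPERED_HTML = BASELINE_HTML.replace(
    "</head>", '<script src="https://cdn-stats.example/analytics.js"></script></head>')


if __name__ == "__main__":
    baseline = fingerprint(BASELINE_HEADERS, BASELINE_HTML)
    print(json.dumps(baseline, indent=2))        # this is what you would persist
    for finding in compare(baseline, fingerprint(TAMPERED_HEADERS, TAMPERED_HTML)):
        print("ALERT", *finding)
```

Run it weekly (or at your risk-analysis frequency) against the live page and alert on a non-empty result; the baseline must be re-approved through change control whenever you intentionally change the page, otherwise every legitimate deployment looks like tampering.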

SecurityMetrics' Shopping Cart Monitor is a helpful tool that can assist in meeting this requirement by monitoring and detecting any unauthorized modifications to web pages.

What are the actual changes in v4.0.1? 

The move to PCI DSS version 4.x may create some concerns for those who are only familiar with the v3.2.1 requirements. However, it's important to note that version 4.0.1 is not an entirely new standard. The 12 core PCI DSS requirements remain largely unchanged.

With the introduction of version 4.0.1, there are 64 new requirements, 11 of which are specifically applicable to service providers. It's worth noting that most of those new requirements were future-dated and were not enforced until March 31, 2025. However, there are some immediate changes related to documentation and targeted risk analysis that require attention.

Additionally, there are significant updates to the wording of certain questions within the PCI DSS assessment. For more detailed information on the specific updates to the requirements, you can see our blog posts here. 

What is the biggest change to SAQs in v4.0.1? 

SAQs will take longer to fill out compared to previous versions. Almost every question in the SAQ has been re-worded and re-ordered, meaning businesses will need to provide answers to additional questions, even if there have been no changes in their network.

To streamline this process and reduce the burden, our support agents have mapped many questions from the previous 3.2.1 version to the new 4.0 SAQ. By utilizing SecurityMetrics' FastPass, you can significantly reduce the number of questions you need to answer and save time.

It's also important to highlight a specific change for SAQ A merchants. While vulnerability scanning was not previously required for SAQ A, it is now a mandatory requirement. This might be new or challenging for merchants who haven't conducted scans before. To ensure a smooth experience and avoid potential failures, it is advisable to seek assistance in setting up and conducting the scans.

SSF (Formerly known as PA-DSS) Questions

What is an SSF assessment? 

SSF, the PCI Software Security Framework, replaced PA-DSS as the program for validating payment software. It is made up of the Secure Software Standard, under which a vendor's individual payment application (point-of-sale software, payment gateways, and other software that stores, processes, or transmits payment data) is validated, and the Secure Software Lifecycle (Secure SLC) Standard, under which the vendor's own development practices are validated. The purpose is to ensure that payment software is designed, built, and maintained securely, following industry best practices. During an SSF assessment, a vendor undergoes a validation process with an SSF Assessor to demonstrate compliance with the applicable standard, and validated software is listed by the PCI SSC.

Vulnerability Scanning Questions

What is a vulnerability scan?

A vulnerability scan is a security assessment technique that identifies potential vulnerabilities and weaknesses in a computer system, network, or application. It involves using automated tools to scan the target system and identify known vulnerabilities, misconfigurations, and security issues that could be exploited by attackers.

During a vulnerability scan, the scanning tool examines various aspects of the system, including network ports, services, protocols, software versions, and configurations. It compares the information gathered against a database of known vulnerabilities and security checks to identify any areas of concern.

Do I need vulnerability scanning to validate compliance?

Yes, vulnerability scanning is one of the requirements for validating compliance with the Payment Card Industry Data Security Standard (PCI DSS). 

Under the PCI DSS, both external and internal vulnerability scans are required. External vulnerability scanning involves scanning your external network and systems from the perspective of an outside attacker. Internal vulnerability scanning focuses on scanning your internal network and systems to identify any vulnerabilities that could be exploited from within.

External scans must be performed by an Approved Scanning Vendor (ASV), a company the PCI SSC has qualified to run scans under the ASV Program; the ASV provides an attested scan report listing any failing vulnerabilities and remediation guidance. Internal scans do not require an ASV; they can be run by qualified internal staff or a third party, provided the person running the scan is organizationally independent of the systems being scanned, and they must be repeated until all high-risk and critical vulnerabilities are resolved.

How often do I need to have a vulnerability scan?

The frequency of vulnerability scanning depends on the requirements of relevant security standards and best practices, as well as the specific needs and risk profile of your organization. Here are some general guidelines:

  • PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) requires external (ASV) and internal vulnerability scans at least once every three months, commonly called quarterly scans; acquirers generally expect to see four passing ASV scans a year. Additionally, you must scan after any significant change to the environment (for example a new Internet-facing system, a major software upgrade, or a change to network topology) that could introduce new vulnerabilities.
  • Industry Best Practices: Many security experts recommend conducting vulnerability scans on a more frequent basis, such as monthly or even weekly, especially for organizations with high-security requirements or those operating in rapidly evolving environments.
  • Risk Assessment: Your organization's risk assessment can also help determine the appropriate frequency of vulnerability scanning. If your risk assessment identifies higher risks or a dynamic threat landscape, more frequent scanning may be necessary to stay ahead of potential vulnerabilities.

Regular scanning helps identify new vulnerabilities that may emerge over time due to software updates, configuration changes, or emerging threats. By conducting scans at regular intervals, you can continuously monitor your systems for potential vulnerabilities and take appropriate actions to remediate them promptly.
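To make the comparison step described above concrete, here is an added example (not the page's own code and not any vendor's scanner) of the core of a version-matching vulnerability scan: service banners collected from one host are parsed into a product and version, checked against a database of known-vulnerable version ranges, and the findings are then rated the way an ASV external scan is, with any finding at CVSS 4.0 or higher failing the scan. The vulnerability database, the banners and the CVSS scores are all constructed for the example and are not real advisories.

```python
"""Version-matching core of a vulnerability scanner (added example, not the
page's own code). Constructed banners are parsed, matched against a
constructed vulnerability database, and judged against the ASV pass/fail
threshold (CVSS base score >= 4.0 fails an external scan)."""
import re
from dataclasses import dataclass

# Constructed "known vulnerability" database, not real advisories:
# (product, first vulnerable version, first fixed version, finding id, CVSS base score)
VULN_DB = [
    ("openssh", (7, 0, 0), (7, 4, 0), "EXAMPLE-0001", 5.3),
    ("apache", (2, 4, 0), (2, 4, 50), "EXAMPLE-0002", 7.5),
    ("nginx", (1, 18, 0), (1, 20, 1), "EXAMPLE-0003", 3.7),
]

# Constructed banners, as a scanner would collect from open ports on one host.
BANNERS = {
    22: "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8",
    80: "Server: Apache/2.4.41 (Ubuntu)",
    443: "Server: nginx/1.18.0",
    8080: "Server: Jetty(9.4.31.v20200723)",
}

# product, major.minor[.patch]; the OpenSSH portable suffix (p2) is ignored.
BANNER_RE = re.compile(r"(OpenSSH|Apache|nginx)[_/](\d+)\.(\d+)(?:\.(\d+))?(?:p\d+)?", re.I)

ASV_FAIL_THRESHOLD = 4.0  # ASV Program Guide: CVSS base score >= 4.0 fails the scan


@dataclass
class Finding:
    port: int
    product: str
    version: tuple
    vuln_id: str
    cvss: float


def parse_banner(banner):
    """Return (product, (major, minor, patch)) or None if the banner is unrecognised."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.group(2), m.group(3), m.group(4) or "0"
    return m.group(1).lower(), (int(major), int(minor), int(patch))


def match_vulns(port, product, version):
    """A version is affected when first_vulnerable <= version < first_fixed."""
    return [Finding(port, product, version, vid, cvss)
            for (p, lo, hi, vid, cvss) in VULN_DB
            if p == product and lo <= version < hi]


def scan(banners):
    """Return (findings, ports whose banner could not be fingerprinted)."""
    findings, unrecognised = [], []
    for port, banner in sorted(banners.items()):
        parsed = parse_banner(banner)
        if parsed is None:
            unrecognised.append(port)  # a real scanner falls back to active probes here
            continue
        findings.extend(match_vulns(port, *parsed))
    return findings, unrecognised


def asv_result(findings):
    """Return ('pass'|'fail', findings that cause the failure)."""
    failing = [f for f in findings if f.cvss >= ASV_FAIL_THRESHOLD]
    return ("fail" if failing else "pass"), failing


if __name__ == "__main__":
    found, unknown = scan(BANNERS)
    verdict, failing = asv_result(found)
    for f in found:
        ver = ".".join(map(str, f.version))
        print(f"port {f.port}: {f.product} {ver} -> {f.vuln_id} (CVSS {f.cvss})")
    print("unrecognised banners on ports:", unknown)
    print("external scan result:", verdict, "caused by", [f.vuln_id for f in failing])
```

Two things this illustrates about real scans: the nginx finding is reported but does not by itself fail the scan because it is below CVSS 4.0, and the OpenSSH match is exactly the kind of result that is often a false positive, because distributions backport security fixes without changing the version string. The ASV process allows you to dispute such findings with evidence (for example the vendor's changelog showing the backported fix) rather than upgrading purely to satisfy a version check.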

Working with C-Suite Questions

What are the consequences of non-compliance with PCI DSS?

Ignoring the PCI DSS, or being non-compliant more generally, can have serious consequences for your business. Here are some potential outcomes of non-compliance:

  • Fines and Penalties: Card brands and acquiring banks may impose fines on non-compliant businesses. These fines can be substantial and can escalate over time if compliance issues persist.
  • Increased Liability: Non-compliance puts your business at higher risk for data breaches and fraud incidents. In the event of a security breach, your business may be held liable for damages, including costs associated with forensic investigations, notification of affected individuals, and potential legal actions.
  • Termination of Payment Processing Services: Acquiring banks and payment processors may terminate their services to non-compliant businesses. This can severely impact your ability to accept credit card payments and can lead to loss of customers and revenue.
  • Damage to Reputation: Non-compliance with industry standards can damage your business's reputation and erode customer trust. News of a data breach or failure to meet compliance requirements can lead to negative publicity and loss of customer confidence.
  • Legal Consequences: Non-compliance with PCI DSS or other regulatory requirements may expose your business to legal actions, including lawsuits from affected individuals or regulatory authorities.

It is essential for businesses to take compliance seriously and ensure they meet the necessary requirements. Implementing security measures and following best practices not only protect your customers' sensitive data but also safeguard your business from the financial and reputational risks associated with non-compliance.

Data Breach Questions

What should I do if I’m compromised?

If you believe your business has been compromised by a cyberattack or data breach, taking immediate action is crucial to limit the damage and protect your sensitive information. Here are the key steps you should follow if you suspect a compromise:

  • Isolate and Contain: As soon as you suspect a compromise, isolate the affected systems from the network to stop the attack spreading, for example by unplugging the network cable or blocking the host at the switch or firewall. Do not power the systems off and do not log in to "look around": shutting down destroys volatile evidence (memory contents, active connections, running processes) that a forensic investigator needs, and ordinary use overwrites logs and timestamps.
  • Notify the Right Parties: Inform your IT team or IT service provider about the potential breach. If you have a dedicated cybersecurity team or a Managed Security Service Provider (MSSP), involve them immediately. If cardholder data may be involved, notify your acquiring bank (merchant bank) and payment processor promptly; card brand rules require it, and they will tell you what the brands expect next. Also consider notifying law enforcement, especially if sensitive customer data has been compromised.
  • Preserve Evidence: Before taking any corrective actions, gather as much evidence as possible about the breach. Document any unusual activities, signs of compromise, or suspicious log entries, and take copies of logs and disk images before anything is cleaned up. This evidence will be valuable for investigation and potential legal actions.
  • Engage a Forensic Investigator: If you lack in-house expertise, hire a reputable cybersecurity firm to conduct a thorough forensic investigation of the breach. For a suspected cardholder data compromise, the card brands generally require that the investigation be performed by a PCI Forensic Investigator (PFI). The investigator identifies the cause of the compromise and the extent of the damage, and helps prevent future incidents.
  • Notify Affected Parties: If customer data or personal information has been compromised, promptly notify affected individuals about the breach as required by data protection laws and regulations. Provide clear and transparent information about what data was exposed and the steps you are taking to address the situation.
  • Assess and Remediate: Work with your IT team or cybersecurity experts to assess the damage and remediate the breach. This may include patching vulnerabilities, removing malware, and enhancing security measures.
  • Implement Enhanced Security Measures: After resolving the immediate threat, implement additional security measures to prevent similar incidents in the future. This may involve strengthening access controls, enhancing monitoring and detection systems, and training employees about cybersecurity best practices.
  • Communicate with Stakeholders: Keep your customers, employees, business partners, and other stakeholders informed about the situation and the steps you are taking to improve security.
  • Learn from the Incident: Conduct a post-incident review to understand how the breach occurred and what weaknesses or gaps in security allowed it to happen. Use this information to update and improve your cybersecurity policies and procedures.
  • Monitor and Stay Vigilant: Continuously monitor your systems for any signs of suspicious activity and stay vigilant against potential threats.

Remember that responding to a compromise is time-sensitive. The longer a breach goes undetected and unaddressed, the greater the potential damage. If you are unsure about how to proceed or lack the expertise to handle the situation, consider engaging a reputable cybersecurity firm or contacting your local law enforcement for guidance.
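The "preserve evidence" step above is where most self-inflicted damage happens, because files get edited or cleaned up before anyone records what they looked like. The following is an added example (not part of the original page and not any forensic firm's tooling) of the minimum a responder can do while waiting for the investigator: hash every collected file with SHA-256 into a manifest that records who collected it and when, then re-verify the manifest later so that any file that was modified, removed or added since collection is reported. The evidence directory, the two log files and the collector name are constructed for the example.

```python
"""Evidence-preservation manifest (added example, not the page's own code).
Hashes a directory of collected artefacts at collection time and re-verifies
it later; constructed log files stand in for real evidence."""
import hashlib
import json
import os
import socket
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream the file in 1 MiB chunks so large disk images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(evidence_dir, collector):
    """Hash every file under evidence_dir; record collector, host and UTC time."""
    entries = {}
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, evidence_dir)
            entries[rel] = {"sha256": sha256_file(path), "bytes": os.path.getsize(path)}
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collected_by": collector,
        "collection_host": socket.gethostname(),
        "files": entries,
    }


def verify_manifest(evidence_dir, manifest):
    """Return {relpath: 'modified' | 'missing' | 'unexpected'}; empty dict means intact."""
    problems = {}
    current = build_manifest(evidence_dir, manifest["collected_by"])["files"]
    for rel, rec in manifest["files"].items():
        if rel not in current:
            problems[rel] = "missing"
        elif current[rel]["sha256"] != rec["sha256"]:
            problems[rel] = "modified"
    for rel in current:
        if rel not in manifest["files"]:
            problems[rel] = "unexpected"
    return problems


def demo():
    """Constructed evidence set: two logs from a POS host, one edited after collection."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "pos-01"))
        with open(os.path.join(d, "pos-01", "auth.log"), "w") as f:
            f.write("Jan 12 02:14:07 pos-01 sshd[812]: Accepted password for admin from 203.0.113.5\n")
        with open(os.path.join(d, "pos-01", "app.log"), "w") as f:
            f.write("2024-01-12T02:15:33Z card-reader: outbound connect 198.51.100.9:443\n")
        manifest = build_manifest(d, "on-call analyst")
        intact = verify_manifest(d, manifest)
        # Someone appends to a log after collection; verification must catch it.
        with open(os.path.join(d, "pos-01", "auth.log"), "a") as f:
            f.write("Jan 12 03:00:00 pos-01 sshd[812]: line appended after collection\n")
        tampered = verify_manifest(d, manifest)
        return manifest, intact, tampered


if __name__ == "__main__":
    m, before, after = demo()
    print(json.dumps(m, indent=2))
    print("verification right after collection:", before or "intact")
    print("verification after a file was edited:", after)
```

Store the manifest somewhere the compromised systems cannot reach (a separate host or write-once media), and keep the original evidence read-only; work only on copies. The manifest proves integrity, not authenticity, so the collector's identity and the time of collection should also be recorded in a handwritten or separately signed chain-of-custody log, which is what the investigator and the card brands will ask for.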

State Law Questions

Do states have laws requiring data breach notifications to the affected parties?

Yes. All 50 U.S. states, plus the District of Columbia, Puerto Rico, Guam and the U.S. Virgin Islands, have data breach notification laws that require notifying affected individuals when their personal information is compromised. Each law varies in its definition of personal information, notification timeline, required content, and exceptions (for example, many exempt data that was encrypted and whose key was not compromised). Some states also require reporting to the state attorney general or another regulator, and some set a hard deadline such as 30, 45 or 60 days. Additionally, federal laws like HIPAA and GLBA have their own breach notification requirements for certain industries and data types.

Additional PCI FAQs:

What is payment card industry compliance or the PCI data security standard?

The Payment Card Industry Data Security Standard (PCI DSS) was created by the major card brands (i.e., Visa, Mastercard, American Express, Discover Financial Services, JCB International), who published version 1.0 in December 2004 and in 2006 formed the PCI Security Standards Council (PCI SSC) to maintain it.

All businesses that process, store, or transmit payment card data are required to implement the standard to prevent cardholder data theft. Your card-handling practices and processing environment determine which PCI DSS requirements apply to your business.

What is PCI validation?

The card brands, through your acquiring bank and payment processor, require all merchants to comply with the PCI DSS. Validation (proof of compliance) is how you document that compliance, normally once a year, and is mandated by most merchant processors. Validation requirements depend on your merchant level, which is set by your annual payment card transaction volume, and range from a Self-Assessment Questionnaire (SAQ) with an Attestation of Compliance to an independent onsite assessment by a Qualified Security Assessor (QSA) producing a Report on Compliance (ROC).

Who is required to become PCI compliant?

All businesses that process, store, or transmit payment card information are required to comply with the PCI DSS.

Why haven't I heard of PCI compliance until now?

The PCI DSS has been in force since version 1.0 was published in December 2004, and the PCI Security Standards Council was formed in 2006 to maintain it. The Council, the card brands, and your merchant processor are doing their best to make sure all merchants are aware of the standards.

Is PCI compliance required by law?

The government does not regulate PCI*; however, when you signed your payment card contract—and confirmed your desire to accept credit and debit cards at your business—you agreed to follow card brand rules. If you wish to safely accept Visa, MasterCard, JCB, American Express, and Discover, you must comply with PCI DSS.

*Note: Some states, including Nevada, Minnesota and Washington, have incorporated PCI DSS compliance into their state laws.

When is the deadline to become PCI compliant?

For most merchants, the deadline for compliance has already passed. Contact your merchant processor to receive details on your merchant account. The sooner you close the gaps the standard covers, the smaller the window in which your cardholder data can be compromised.

What happens if I don't become PCI compliant?

If you are not PCI compliant, you are more vulnerable to data compromise, and may also be fined by your merchant processor and/or the card brands for not validating PCI compliance.

I only process a few cards a year. Do I still need to be PCI compliant?

Yes. Even if you only process one transaction per year, you must implement the PCI DSS in your processing environment.

See also: 10 PCI Security Standard Myths

What is required to become PCI compliant?

Typical steps for merchants to become PCI DSS compliant include, but are not limited to:

  • Determine your PCI DSS validation type (this informs your requirements)
  • Address all requirements found in your Self-Assessment Questionnaire (SAQ) (e.g., external vulnerability scans, penetration tests, employee training, etc.)
  • Attest to your compliance annually
  • Complete and report quarterly results of all scans performed by an Approved Scanning Vendor (ASV)

See also: Is Your E-Commerce Business PCI Compliant?

What is a PCI compliance certificate?

Some QSA/ASV companies provide certificates confirming that an organization is PCI DSS compliant. The PCI SSC itself does not issue certificates, and the card brands and acquirers do not require one: the recognized evidence of compliance is your completed SAQ or ROC together with the signed Attestation of Compliance (AOC), and, where applicable, passing ASV scan reports. A certificate is a convenience for showing customers and partners, not proof in its own right.

Am I PCI compliant if my site has an SSL/TLS certificate?

Unfortunately, no. An SSL/TLS certificate is an important element of a secure website, since it lets you encrypt cardholder data in transit, but on its own it meets only a small part of the PCI DSS. Note also that SSL and early TLS (TLS 1.0) are not considered strong cryptography under the PCI DSS, so the server must be configured to use TLS 1.2 or later regardless of which certificate it holds.

Do I need to be PCI compliant if I don't use a computer to process credit cards?

Yes. PCI compliance doesn't require a connection to the Internet or even a computer system. PCI compliance is determined by the way that you store, handle, or process credit card information, whether the card information is in a locked filing cabinet or on the computer.

Who enforces PCI compliance?

Generally speaking, your merchant bank (acquirer) enforces PCI DSS compliance, under the rules of the card brands. The PCI Security Standards Council was formed in 2006 by the major card brands (i.e., Visa, Mastercard, American Express, Discover Financial Services, JCB International) to maintain, evolve and promote the PCI DSS and to qualify assessors and scanning vendors; the Council itself does not enforce compliance or levy fines.

See also: How Much Does PCI Compliance Cost?

What should I do if I think my business has been compromised?

Disconnect the affected systems from the network (unplug the cable rather than powering them off, so volatile evidence survives), call your merchant processor, and call a forensic investigator. PCI Forensic Investigators (PFIs) help you find and fix the security holes in your processing environment. They identify how and when attackers breached your systems, determine whether card data was compromised, and document for the card brands your efforts to remediate the vulnerabilities that led to the data breach.

See also: The 6 Phases in an Incident Response Plan

What is SecurityMetrics' role in PCI compliance?

SecurityMetrics helps businesses get PCI compliant. We help merchants validate compliance and implement the Payment Card Industry Data Security Standard. SecurityMetrics is an Approved Scanning Vendor and is qualified to perform PCI external scans, onsite PCI assessments, payment application software assessments, point-of-sale terminal security assessments, penetration tests, and forensic analysis (to investigate card data compromises).

SecurityMetrics QSAs & experts hold certifications like:

  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Systems Auditor (CISA)
  • PCI Forensic Investigator (PFI)
  • Approved Scanning Vendor (ASV)
  • Qualified Security Assessor (QSA)
  • Payment Application Qualified Security Assessor (PA-QSA)
  • Point-to-Point Encryption Qualified Security Assessor (P2PE QSA)
  • HealthCare Information Security and Privacy Practitioner (HCISPP)

My SecurityMetrics account has just been created, what now?

You should log in to your account and begin the process of becoming PCI compliant. Start by going through each section of the SAQ.

If you have more questions about PCI Compliance or anything related to data security, contact one of our experts.