PCI Compliance FAQs
What are the deadlines for complying with PCI DSS?
Compliance is mandated by the payment card brands and not by the PCI Security Standards Council. However, for most merchants, the deadlines for validating compliance with the PCI DSS have already passed. You should check with your acquirer and/or merchant bank to check if any specific deadlines apply to you, based on merchant transaction volume (level) as determined by the card payment brands. All entities that transmit, process or store payment card data must be compliant with PCI DSS.
I’m a small merchant who has limited payment card transaction volume. Do I need to be compliant with PCI DSS? If so, what is the deadline?
All merchants, whether small or large, need to be PCI compliant. The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment cardholder data. PCI SSC is responsible for managing the security standards while each individual payment brand is responsible for managing and enforcing compliance to these standards. For questions regarding compliance validation requirements and deadlines as well as compliance reporting requirements, we recommend that you contact your acquirer. For more information regarding the PCI security standards and supporting documentation, including the “Navigating the PCI DSS” as well as targeted Self Assessment Questionnaires to assist small and medium merchants, please visit the PCI SSC website at: www.pcisecuritystandards.org.
How do I determine if my organization is eligible to complete one of the shorter Self-Assessment Questionnaire (SAQ) versions?
The SAQ is a validation tool for merchants and service providers who are not required to undergo an on-site data security assessment per the PCI DSS Security Audit Procedures. Please consult your acquirer and/or payment brand for details regarding PCI DSS validation requirements. The Self-Assessment Questionnaire Instructions and Guidelines document (https://www.pcisecuritystandards.org/pdfs/instructions_guidelines_v1-1.pdf) has been developed to help merchants and service providers understand the PCI Data Security Standard Self-Assessment Questionnaire (SAQ).
Is encrypted cardholder data considered cardholder data that must be protected in accordance with PCI DSS?
The Council will be developing more formal guidance around this topic, leveraging information that is received through the various channels of the DSS lifecycle feedback process. Until further guidance is provided by the Council, the following should be taken into consideration regarding encrypted cardholder data.
Encryption solutions are only as good as the industry-approved algorithms and key management practices used, including the security controls surrounding the encryption/decryption keys (“Keys”). If Keys are left unprotected and accessible, anyone can decrypt the data. The DSS has specific encryption key management controls (DSS 3.5 and 3.6); however, other DSS controls such as firewalls, user access controls, vulnerability management, scanning, logging and application security provide additional layers of security to prevent malicious users from gaining privileged access to networks or cardholder data environments that may in turn grant them access to Keys. It is for this reason that encrypted cardholder data is in scope for PCI DSS.
However, encrypted data may be deemed out of scope if, and only if, it has been validated that the entity that possesses encrypted cardholder data does not have the means to decrypt it. Any technological implementation or vendor solution should be validated to ensure both physical and logical controls are in place in accordance with industry best practices, prohibiting the entity, or malicious users that may gain access to the entity’s environment, from obtaining access to Keys.
Furthermore, service providers or vendors that provide encryption solutions to merchants, and that have administrative access to and control of Keys along with management of the encryption termination points used to process transactions, are required to demonstrate physical and logical controls that protect cryptographic keys in accordance with industry best practices (such as the NIST guidance referenced in PCI DSS requirement 3.6), along with full compliance with PCI DSS.
Merchants should ensure their solution providers who provide key management services and/or act as the point of encryption/decryption are in compliance with PCI DSS. Merchants should be aware that encryption solutions most likely do not remove them completely from PCI DSS. Examples of where DSS would still be applicable include usage policies, agreements with service providers that deploy payment solutions, physical protection of payment assets and any legacy data and processes (such as billing, loyalty, marketing databases) within the merchant’s environment that may still store, process or transmit clear text cardholder data, as that would remain in scope for PCI DSS.
How does PCI DSS apply to individual PCs or workstations?
All system components in the network are considered part of the cardholder data environment unless adequate network segmentation is in place that isolates systems that store, process, or transmit cardholder data from those that do not. Without proper network segmentation, the entire network is in scope for the PCI Data Security Standard, and all PCI Data Security Standard requirements apply. QSAs can advise their clients on how to implement network segmentation to reduce PCI DSS scope. Where there are many PCs or workstations in an environment and all PCs do not need access to the cardholder data environment (CDE), the network segmentation should provide access to the CDE for all PCs that need access, and should prohibit access for all other PCs. With such segmentation in place, PCI DSS requirements are relevant to, and should be applied to, only that smaller PC population. Regarding the applicability of each PCI DSS requirement to an individual PC, the QSA should also consider features that are part of the PC’s basic functionality (for example, logging or file integrity monitoring) or are part of existing network controls, and determine whether these features meet the intent of PCI DSS requirements to protect cardholder data stored, processed, or transmitted by these PCs.
As a merchant, what SAQ form should we complete?
For each SAQ form, the merchant can find a sub-section entitled “Eligibility to Complete SAQ” in the Attestation section (www.pcisecuritystandards.org/saq/index.shtml). If the merchant is able to answer yes to each question on the attestation form, then that particular form is applicable for validating compliance with the PCI DSS. We also recommend that the merchant contact their acquirer to ensure that they are completing the correct SAQ form.
What are the consequences to my business if I do not comply with the PCI DSS?
The PCI Security Standards Council encourages all businesses that store payment account data to comply with the PCI DSS to help lower their brand and financial risks associated with account payment data compromises. The PCI Security Standards Council does not manage compliance programs and does not impose any consequences for non-compliance. Individual payment brands, however, may have their own compliance initiatives, including financial or operational consequences to certain businesses that are not compliant.
Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data?
PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. However, under PCI DSS requirement 12.8, if the merchant shares cardholder data with a third party processor or service provider, the merchant must ensure that there is an agreement with that third party processor/service provider that includes their acknowledgement that the third party processor/service provider is responsible for the security of the cardholder data it possesses. In lieu of a direct agreement, the merchant must obtain evidence of the third-party processor/service provider’s compliance with PCI DSS via other means, such as via a letter of attestation.
Can I fax CC numbers and still be PCI Compliant?
Any cardholder data that an entity stores, processes, or transmits must be protected in accordance with PCI DSS. If faxes or emails are sent or received via modem, they are not considered to be traversing a public network. On the other hand, if a fax or email is sent or received via a high-speed connection over the internet, it is traversing a public network and the transmission must be encrypted per PCI DSS requirements 4.1 and 4.2. Also, any cardholder data from the fax or email that is electronically stored must comply with PCI DSS requirement 3.4 to render the cardholder data unreadable (or be protected by applicable compensating controls).
In addition, requirement 3.2 prohibits storage after authorization of sensitive authentication data (magnetic stripe, CAV2, CVC2, CVV2, CID and PIN block data). To ensure that prohibited data is not stored if received on a fax (for faxes and emails, this would only be the CAV2, CVC2, CVV2, or CID values printed on the front or back of payment cards), the data should be blacked-out prior to retaining the fax in paper form, and the original fax transmission (via email, etc.) should be deleted from the system (in a non-recoverable manner).
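The two handling steps described above for a received fax or email (black out the CAV2/CVC2/CVV2/CID value before retention, and render any retained PAN unreadable per requirement 3.4) can be applied mechanically to the message text before it is written to storage. The following Python script is an added example and is not code from the PCI SSC or from this FAQ. It assumes the fax has already been converted to plain text (for example by OCR), uses truncation to the last four digits as the requirement 3.4 method, and uses a constructed label set and a constructed sample message; the Luhn check is there so that phone or order numbers that merely look like a PAN are not blanked out.

```python
"""Sanitise the text of a received fax or e-mail that carries payment card data.

Added example, not part of the PCI SSC FAQ. Assumes the message is already
plain text. Models two controls from the FAQ:
 - PCI DSS 3.2: sensitive authentication data (the 3- or 4-digit CAV2/CVC2/
   CVV2/CID value) must never be retained, so it is blacked out entirely;
 - PCI DSS 3.4: a PAN that is retained is rendered unreadable, here by
   truncation to the last four digits (all other digits are replaced).
The field labels, regexes and sample message are constructed for illustration.
"""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# A CVV-style label followed by a 3- or 4-digit value (constructed label set).
CVV_RE = re.compile(r"(?i)\b(CVV2?|CVC2?|CAV2?|CID|security code)\b\s*[:#]?\s*(\d{3,4})\b")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check. Used to avoid blanking
    out order numbers or phone numbers that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(match: re.Match) -> str:
    """Replace all but the last four digits of a Luhn-valid PAN with 'X',
    keeping the original separators so the layout of the fax stays readable."""
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_valid(digits):
        return raw  # not a card number; leave it untouched
    keep_from = len(digits) - 4
    out, seen = [], 0
    for ch in raw:
        if ch.isdigit():
            out.append(ch if seen >= keep_from else "X")
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


def sanitise(text: str) -> str:
    """Black out CVV-style values (3.2), then truncate every PAN (3.4)."""
    text = CVV_RE.sub(lambda m: f"{m.group(1)}: [REDACTED]", text)
    return PAN_RE.sub(truncate_pan, text)


def contains_full_pan(text: str) -> bool:
    """Detection helper: True if any Luhn-valid 13-19 digit PAN remains in
    clear text. Intended as a final gate before a message is written to storage."""
    return any(luhn_valid(re.sub(r"[ -]", "", m.group(0)))
               for m in PAN_RE.finditer(text))


# Constructed sample fax body; 4111 1111 1111 1111 is a well-known Luhn-valid
# test number, and the phone line is a 16-digit string that fails Luhn.
SAMPLE_FAX = (
    "Mail order #20240017\n"
    "Card: 4111 1111 1111 1111  Exp: 12/26\n"
    "CVV2: 123\n"
    "Phone: 555 0100 2000 3000\n"
)

if __name__ == "__main__":
    cleaned = sanitise(SAMPLE_FAX)
    print(cleaned)
    print("full PAN still present:", contains_full_pan(cleaned))
```

Run the script on its own to see the sample message before and after sanitisation; in practice `contains_full_pan` is the check to wire into whatever stores the message, so that nothing containing a clear-text PAN is retained, and the deletion of the original transmission described in the FAQ still has to happen separately.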
Any entity should also protect paper documents that contain cardholder data in accordance with PCI DSS requirements 9.6 through 9.10. For example, requirement 9.6 states “Physically secure all paper and electronic media (including computers, electronic media, networking and communications hardware, telecommunication lines, paper receipts, paper reports, and faxes) that contain cardholder data.”
Does PCI DSS apply to paper with cardholder data (receipts, reports, etc.)?
PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted by any media, including paper records. PCI DSS requirements 9.6 through 9.10 specifically address the safeguarding of paper records containing cardholder data.
Does PCI DSS apply to debit cards, debit payments, and debit systems?
Any payment card (credit, debit, prepaid, stored value, gift or chip) bearing the logo of one of the PCI Security Standards Council’s five founding payment brands is required to be protected as prescribed by the PCI DSS.