PCI Requirements FAQs

How do I know if my business qualifies to do a self-assessment?

All small to medium sized business can complete the Questionnaire unless they process more than a million cards a year.

What exactly is the Payment Card Industry Data Security Standard?

The Payment Card Industry Security Standards Council, comprised of American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. have recently updated their global policies to protect cardholder data. As a result of increased credit card fraud, the Security Standards Council has modernized the standards in an effort to obstruct and prevent further theft of personal information. The new PCI requirements are strictly enforced by the payment card brands to all merchants who transmit, store, or process credit card information.

What happens if I do not become compliant?

The individual payment brands, (Visa, American Express, Discover, JCB, and MasterCard), all have their own consequences for non-compliance. See question 8 for more details. Taking the time to become compliant and remaining vigilant about securing cardholder information from theft will not only protect your company in case of a security breech, but will also build the trust in your customers. Click here to start the process of meeting the PCI requirements!

The full credit card number is visible in my browser window, is this allowed?

PCI DSS requires that the personal account number, (PAN), be masked whenever possible. Occasionally, there may be a valid business need to view the PAN. In these circumstances, security software needs to be installed so the PAN is not continually displayed on the screen.

Who is considered a merchant?

A merchant is someone who accepts credit cards as a form of payment. A merchant stores, processes, or dispatches cardholder data.

There are only X number of administrators who access credit card information at my business, can all administrators share one password?

Unfortunately, no. Each administrator must have his or her own unique user ID and corresponding password. This PCI requirement helps businesses track any possible misuse back to the individual promptly.

Who enforces the compliance of PCI DSS?

Compliance with PCI DSS is enforced by the individual payment brands, (Visa, American Express, Discover, JCB, and MasterCard), and each have their own compliance programs for enforcement.

What fines will I incur if I do not comply with the new standards?

Merchants will be fined up to $500,000 per incident if they are not PCI compliant at the time of the security breach. Start the process of becoming a PCI compliant merchant by clicking here.

If I use a payment gateway and do not process transactions, do I still have to follow the guidelines of PCI DSS?

If the Primary Account Number (PAN) is not stored processed, or transmitted, then the requirements of PCI DSS are not applicable. If the merchant shares cardholder information with a third-party processor, the merchant is responsible for making certain that the third-party processor follows PCI-DSS standards.

Where can I find assistance for completing the Self-Assessment Questionnaire?

We recommend seeking guidance from a professional with questions pertaining to the Self-Assessment Questionnaire. Click here to start completing the PCI Questionnaire. Our contact information can be viewed here.

If my organization has recently validated compliance against the PCI DSS Questionnaire version 1.0, when will my validation expire?

Your validation will expire in one year.

Am I compliant after I complete the Self-Assessment Questionnaire?

Technically, you are compliant after completing the Self Assessment Questionnaire; however, ongoing assessments and monitoring is required to maintain a secure system. Any changes in your system can render you non-compliant instantaneously.