Here are a few of our frequently asked questions.

What is PCI DSS and who defines the standards?

The PCI DSS, the Payment Card Industry Data Security Standard, is a set of requirements designed to protect cardholder data wherever it is processed, stored or transmitted. The standard was first published in 2004 by the five founding payment brands (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, Inc.), which formed the Payment Card Industry Security Standards Council in 2006; the Council has administered and maintained the standard since then.

Are all merchants and service providers required to comply with the PCI DSS?

Yes. Every merchant and service provider, regardless of size, that stores, processes or transmits cardholder data must comply with the PCI DSS. No business is too small to be breached; small businesses are often the most vulnerable.

Is compliance a one-time requirement?

No. Securing your business is an ongoing process. The PCI DSS is revised periodically because the threats from thieves and hackers are constantly evolving. Your own business practices also change over time, and the controls you use to protect your customers' card data need to be adjusted to keep pace with those changes.

Every merchant is required to complete a Self-Assessment Questionnaire (SAQ) at least every 12 months. Merchants whose SAQ calls for an external network vulnerability scan must also have a passing scan, performed by a PCI SSC Approved Scanning Vendor (ASV), at least every 90 days.

If I use a third party software developer or internet payment gateway, do they need to be in compliance with PCI DSS?

Yes. Any third-party software provider or Internet payment gateway that processes, transmits or stores cardholder data on your behalf must be compliant. Check with your provider to confirm its compliance status and ask for its current Attestation of Compliance (AOC). Keep in mind that PCI DSS also requires you to maintain a list of such providers and a written agreement in which each one acknowledges its responsibility for the cardholder data it handles. If a provider is not compliant, you should discontinue use of that provider.

You can find a list of PCI Compliant service providers by clicking here.

Is there a deadline to validate compliance?

As a merchant that stores, processes or transmits cardholder data, you are responsible for being PCI compliant. You have 30 days from your date of enrollment in the PCI Smart program to validate compliance. If you have any questions about your enrollment date, contact the PCI Help Desk for assistance.

How long does the compliance process take?

That depends on the size and complexity of your business. We have designed the process to be as efficient as possible. For a small merchant without a complex card processing environment it can take 15 to 30 minutes, assuming no compliance gaps are found. If gaps are identified, the time needed to remediate them, which depends on the fixes required and the complexity of your environment, adds to the overall time.

For more complex merchants, PCI Smart scales to your needs and lets you complete the process in stages, for example 10 minutes at a time. Your information is saved as you complete each stage, so you can come back later and resume where you left off.

Please complete the registration step and take inventory of what you need to do.

What if I decide not to go through the PCI compliance process?

According to the major card brands, the penalties and fines for failing to comply with the requirements or to rectify a security issue can be severe, ranging from $10,000 to $500,000 per incident. If a breach occurs in your business, you could also be liable for the cost of the required forensic investigation, the fraudulent purchases made with the stolen data, and the cost of re-issuing the compromised cards.

Beyond direct fines, your business could lose the ability to accept payment cards, at least for a period of time. You may also lose customer confidence as customers learn that your business does less than others to protect their private information.

Where can I find more information about PCI DSS?

The full Payment Card Industry Data Security Standard is published and maintained by the PCI Security Standards Council.

More information is available from the PCI Security Standards Council at https://www.pcisecuritystandards.org.

Looking for more information?

Fill out the form below and our PCI Help Desk will contact you within 1 business day. Do not put any personal information or card details (such as a card number) in the comment box.
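The instruction above is easy to state and easy for a customer to ignore, so a help-desk form that must stay out of PCI scope should enforce it on the server. The following is an added example written for this page (it is not code from the PCI Smart program) of a check that rejects a submission whose free-text field contains a card number (PAN). It finds runs of 13 to 19 digits, optionally separated by spaces or hyphens, keeps only those that pass the Luhn check digit test used by the payment brands named on this page, and returns a masked form (first six and last four digits, the most PCI DSS permits to be displayed) for the error message, so the full number is never stored or e-mailed. The regular expression, the function names and the sample message are assumptions made for the example.

```python
from __future__ import annotations
import re

# Constructed sample submission for this example (not a real customer message).
SAMPLE_COMMENT = (
    "Hi, our new POS terminal declined the order paid with card "
    "4111 1111 1111 1111 yesterday. Please call 555-123-4567."
)

# A PAN is 13 to 19 digits, often typed with spaces or hyphens between groups.
# The lookarounds stop the pattern from matching the middle of a longer digit run;
# re.ASCII keeps \d to 0-9 so the Luhn arithmetic below is always well defined.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)", re.ASCII)


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check digit test used by all major payment card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return every digit string in `text` that looks like a PAN and passes Luhn.

    Phone numbers and order references are too short or fail the check digit,
    which keeps false positives low without a brand-specific prefix table.
    """
    pans = []
    for match in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits; the middle is replaced by '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def screen_comment(comment: str) -> dict:
    """Server-side gate for the free-text field.

    A submission carrying a PAN is rejected outright so the full number is never
    persisted or forwarded; only the masked form is returned, for the error shown
    to the submitter or for an audit log entry.
    """
    pans = find_pans(comment)
    if not pans:
        return {"accepted": True, "message": comment}
    masked = ", ".join(mask_pan(p) for p in pans)
    return {
        "accepted": False,
        "message": None,
        "reason": "Card numbers are not accepted in this form; please remove "
                  + masked + " and resubmit.",
    }


if __name__ == "__main__":
    print(screen_comment(SAMPLE_COMMENT))
    print(screen_comment("When is my SAQ due? Order ref 1234567890123."))
```

Rejecting rather than silently redacting is deliberate: a redacted message still tells the help desk that a customer tried to send card data, while a stored copy of the original would pull the ticketing system into PCI scope. The Luhn test is a check digit, not proof that a number is a live card, so treat a hit as "looks like a PAN" and let the customer resubmit without it.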
