The PCI Security Standards Council (PCI SSC) created a set of security requirements—known as the PCI Data Security Standard (PCI DSS)—for merchants and service providers that store, process, or transmit cardholder data. To demonstrate compliance with the PCI DSS, merchants and service providers may be required to validate and conduct a network security scan on a regular basis as defined by the PCI Security Standards Council.

The PCI DSS originally began as five different programs from the five credit card schemes. Each company’s intentions were roughly similar: to create an additional level of protection for consumers by ensuring that merchants meet minimum levels of security when they store, process, and transmit cardholder data.

The PCI SSC was formed as a neutral body to address conflicts among the credit card schemes in developing a standard. On December 15, 2004, the credit card schemes aligned their individual policies and released the Payment Card Industry Data Security Standard (PCI DSS).

To comply with the PCI DSS, a merchant must first complete a Self-Assessment Questionnaire (SAQ) on an annual basis. During the fall of 2010, a new SAQ was launched and was re-designed to make the questions more relevant. There are now five parts, and depending on how the company stores and/or processes data, the questionnaire will determine the number of questions that need to be answered and whether quarterly vulnerability scanning is required. Companies also need to make sure they attest to the truthfulness and accuracy of their responses on the SAQ.

For those required to complete quarterly vulnerability scanning, it is an indispensable tool to be used in conjunction with a vulnerability management program. Scans help identify vulnerabilities and misconfigurations of websites and IT infrastructures containing externally facing IP addresses.

Scan results provide valuable information that support efficient patch management and other security measures that improve protection against Internet hacking.

All merchants need to fill out the PCI Compliance form, including Level 1 merchants. If you are
a merchant or service provider and accept credit cards, you must validate PCI compliance at least annually. There is no way around this. If you need any help throughout the compliance process, call our PCI specialists at 718-782- 2823 x110.

Network security scans are required of all merchants and service providers with external-facing IP addresses that collect, process, or transmit payment account information. However, even if an entity does not offer web-based transactions, there may be other services that make systems Internet accessible. Basic functions such as email and employee Internet access may result in the Internet accessibility of a company’s network. These seemingly insignificant paths to and from the Internet can provide unprotected pathways into merchant and service provider systems and can potentially expose cardholder data if not properly controlled.

All merchants are required to provide an annual attestation of compliance, which means that a Self-Assessment Questionnaire (SAQ) must be submitted and attested to yearly. In addition to the SAQ, merchants who process credit cards through an Internet connection may need a quarterly vulnerability scan from an Approved Scanning Vendor (ASV).

Every merchant must maintain PCI compliance and re-certify annually, quarterly, or as otherwise required. The SAQ (and vulnerability scan, if applicable) must be satisfactorily completed and submitted in order to receive your certification. It is important to remember that the card associations implemented PCI compliance in order to protect YOU.

PCI compliance is the minimum level of security you need to adopt to help keep your customers’ card data is safe and protect it from being susceptible to hackers and fraud — which can cost you heavy fines and lawsuits. You can help avoid having to implement timely network vulnerability scans by integrating Fidelity’s PCI-ready solutions such as Clover POS systems and iFields technology into your system.

If you need any help throughout the compliance process, call our PCI specialists
at 718-782- 2823 x110.

All PCI scans must be conducted by a third-party compliant network security scanning vendor, selected from the list of approved vendors at https://www.pcisecuritystandards.org/. All compliant scanning vendors are required to conduct scans in accordance with a defined set of procedures. These procedures dictate that the normal operation of the customer environment is not to be impacted and that the vendor should never penetrate or alter the customer environment.

Information about merchant levels and service provider levels can be found at https://www.pcisecuritystandards.org/.

Companies certified as a PCI security scanning vendors help merchants and their consultants achieve compliance with the PCI Data Security Standard. While each PCI compliance service varies, ideally they should provide on-demand compliance testing and reporting service. Merchants should be able to run PCI compliance scans, complete the appropriate PCI Self-Assessment Questionnaire, and submit compliance reports directly to acquiring banks.

Depending on your validation category, network security scans may be required every 90 days by an approved PCI scanning vendor. For more information, consult the payment brands or your acquiring bank.

Your acquiring bank can confirm, but typically all level 1, 2, 3, and 4 merchants and service providers must complete a PCI Self-Assessment Questionnaire on an annual basis.

Yes. There is a common misunderstanding that small merchants handling only a few credit cards a day are exempt from compliance. If you are a merchant and are set up to take credit cards by any mechanism, you need to be complaint.

No, PCI applies to every company that stores, processes, or transmits cardholder information.
In fact, anyone who takes card present transactions that involve POS devices are typically more at risk than e-commerce solutions. Quite often these types of transactions involve storage of track data, which is forbidden under PCI rules. Compromise of this type of data may bring heavy fines and requests for compensation from the banks involved.

No. The pass mark for PCI is 100%, so if you fail even one of the criteria, you are not in compliance with PCI. The standard is not meant to be something to strive for; it is essentially a floor; a basis for further security measures. Failing to achieve even one of the requirements is failing to meet a basic standard for handling cardholder information. All companies that routinely handle this type of data should be aiming to exceed the standard. It’s just good business practice.

No. The Self-Assessment Questionnaire is a mechanism for getting information about the level of your compliance to your merchant bank or to the card associations. The standard applies at all times. Just saying yes to the questions without making the correct changes to your system puts you at great risk. If a compromise took place and it was obvious that you were not and have never been compliant, the matter would be taken very seriously by the card associations. You would be risking your whole business by answering “yes” to the questions incorrectly.

No. The PCI standard forms part of the operating regulations that are the rules under which merchants are allowed to operate merchant accounts. The regulations signed when you open an account at the bank state that the card association’s regulations have to be adhered to. Even if you have been in business for decades, PCI still applies if you store, process, or transmit credit cards.

Many merchants believe that they own the customer and have a right to store all the data about that customer in order to help their business. Not only is this incorrect regarding PCI, it may also be a violation of State and Federal legislation regarding privacy as well as the European Union’s General Data Protection Regulation (GDPR). See our blog post It’s Not Too Late to Comply with GDPR for more information.

Merchants are allowed to store PAN (Primary account numbers) only. The PCI regulations specifically forbid storing of any of the following:

• Unencrypted credit card number
• CVV or CVV2
• Pin blocks
• PIN numbers
• Track 1 or 2 data

If any of the above is found at a merchant’s location in databases, log files, audit trails, or backups, etc., it can result in serious consequences for the merchant, especially if a compromise has taken place.