PCI Compliance FAQ

Frequently Asked PCI Questions

Who is the PCI and why should I care?

The major players in the credit card business (Visa, MasterCard, American Express, Discover and JCB) have banded together to reduce credit card data loss. They created the Payment Card Industry Security Standards Council and that council established a standard for security of cardholder data and has released it as the PCI Data Security Standard (PCI DSS).

The Council has no legal authority, and each of the card companies applies the Data Security Standard in its own way, but ultimately if your business wishes to process credit card (or debit card) transactions, it will be required to adhere to the standard.

What is Payment Card Industry (PCI) DSS compliance?

All companies that accept, store, process or transmit credit card information are each required to report compliance with the Data Security Standard (DSS). If your company accepts cards or stores or transmits cardholder info, then it needs to meet the security requirements the card companies have set out in the DSS.

Many millions of electronic credit card records are stolen every year, and nearly all data losses are the result of attackers finding and exploiting relatively well-known and well-understood weaknesses (vulnerabilities) in web sites, web applications, web and database servers, or networks. So, in theory, if all businesses that handle card data find and eliminate their vulnerabilities, card data loss would be reduced.

How does PCI Compliance impact my company?

There are 4 PCI compliance levels, and your company fits into one of them depending on how the card data is handled and the number of credit card transactions it completes each year. It has fewer requirements if it processes 20,000 transactions or fewer per year, or if the card data is handled entirely by vendors, such as a shopping cart provider. The highest PCI compliance requirements apply to companies that handle 6 million transactions a year or more, or which write their own code, store card data and run their own servers.

What do we need to do to be PCI Compliant?

It depends first of all on how many credit card transactions your company accepts, stores, processes or transmits on an annual basis. There are 4 Levels based on volume. Within each Level there may be different versions of compliance based on what your company does with the credit card data and how it is acquired, stored and transmitted.

Fewer than 20,000 transactions per year: Level 4. If a business electronically stores credit card holder information or if its processing systems have internet connectivity, it must:

  1. Secure a regular network scan by an Approved Scanning Vendor
  2. Do an annual Self Assessment Questionnaire (see below)
  3. Complete an Attestation of Compliance (see below)

20,000 to 1 million transactions per year: Level 3

  1. Secure a regular network scan by an Approved Scanning Vendor
  2. Do an annual Self Assessment Questionnaire
  3. Complete an Attestation of Compliance

1 to 6 million transactions per year: Level 2

  1. Secure a regular network scan by an Approved Scanning Vendor
  2. Do an annual Self Assessment Questionnaire
  3. Complete an Attestation of Compliance

6 million or more transactions per year: Level 1

  1. Secure a regular network scan by an Approved Scanning Vendor
  2. Have a Qualified Security Assessor do an annual Report on Compliance
  3. Complete an Attestation of Compliance

What does PCI compliance cost?

  • Level 4, fewer than 20,000 transactions a year: If credit card holder information is electronically stored or if processing systems have internet connectivity, then an Approved Scanning Vendor must complete a regular network or web site scan, and your staff must complete a Self Assessment Questionnaire and Attestation of Compliance. Cost could be as low as $60 a month.
  • Level 3, 20,000 to 1 million transactions a year: Your cost will involve a regular network or web site scan by an Approved Scanning Vendor, plus the cost of completing the annual Self Assessment Questionnaire and Attestation of Compliance. The network or web site scan cost will be as low as $1,200 a year and will go up from there based on the size of your network and the number of IP addresses.
  • Level 2, 1 to 6 million transactions a year: Costs range from $10,000 to $50,000 a year, depending upon size of network and number of IP addresses.
  • Level 1, 6 million or more transactions a year: Your costs will involve a regular network scan by an Approved Scanning Vendor, an annual Report on Compliance by a Qualified Security Assessor and an Attestation of Compliance. Costs: $50,000 and up.

If our vendors are PCI compliant, aren't we?

Sorry, no. Your company needs to prove PCI DSS compliance itself by completing the appropriate Self Assessment Questionnaire, securing a regular scan by an Approved Scanning Vendor and filing an Attestation of Compliance. The good news is that if card data is handled exclusively by vendors, the Questionnaire is brief and completing all compliance steps is easy to do.

What can my company do to meet PCI standards?

Quite a bit, actually. Depending on its size and how it handles card information, it may not need to do much at all. If a business takes card imprints on paper, it probably doesn't need to do anything more than keep the accounting data secure and the doors locked. All other companies need to do at least a Self Assessment Questionnaire and an Attestation of Compliance.

Most PCI compliance will involve getting regular network or web site scans done by an Approved Scanning Vendor. The very largest (Level 1) companies are also required to engage a Qualified Security Assessor to do an annual on-site evaluation. Companies that handle fewer than 6 million card transactions a year should be able to fully meet PCI compliance standards with some work by their own staff and the assistance of an Approved Scanning Vendor.

Can we do our own Self Assessment Questionnaire?

Yes. The Self Assessment Questionnaire is well named in that it is intended to be completed by your own staff. Companies that outsource all web application, card data handling and server functions will have the least to do. Companies that write their own code and manage their own data storage will need some input from their technical staff. The first time through will take the longest; subsequent filings will go much faster.

There are 5 versions of the Questionnaire. Version A is just a couple of pages long and could be done in less than an hour, including all the reading it requires. Version D is just 3 pages long for merchants, but much more involved for service providers.

Determine which Questionnaire version applies to your company and download it here:
Self Assessment Questionnaires A through D

What is the PCI DSS Attestation of Compliance?

If your company handles credit card data electronically, it must attest annually that it is complying with the Data Security Standard. This involves delivering a package of two or three items:

  1. Self Assessment Questionnaire
  2. Regular network or web site scanning by an Approved Scanning Vendor (may not be required in some cases), and a Report on Compliance by a Qualified Security Assessor (only needed by the very largest companies)
  3. Attestation of Compliance

There are 5 versions of the Attestation of Compliance, just as there are 5 versions of the Self Assessment Questionnaire. If you qualify to use version A of the Questionnaire, use version A of the Attestation, etc.

For more information on how to select the correct Attestation of Compliance for your company, please visit this page:
Attestation of Compliance versions A through D

More Info:

Beyond Security is an Approved Scanning Vendor for the Payment Card Industry.

Web Application Testing: discover security issues in web apps, web sites, their related equipment and databases.