FAQs on Data Security & PCI Compliance
Frequently asked questions about PCI DSS compliance
What is the PCI Council, and what is its role?
According to the Council’s official website at pcisecuritystandards.org: The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS) and PIN Transaction Security (PTS) Requirements.
What exactly is PCI DSS compliance?
The acronym stands for “Payment Card Industry Data Security Standard” which sounds like what it is – a set of requirements mandated by the payment card industry that all merchants who process credit card payments are required to comply with.
Who does PCI compliance apply to?
Any merchant who accepts and processes credit or debit card payments.
Wait. Any merchant? We’re just a small mom-and-pop shop!
Yes, any merchant who processes credit card payment transactions must be PCI compliant. You are just as liable for a data breach as a large retailer would be, regardless of how many credit card payment transactions you handle.
If I don’t store credit card data, does PCI apply to me?
Yes, it does. If you own the merchant ID, then you should assume that you are responsible for maintaining PCI compliance. While you may not store credit card data, you still perform credit card transactions. Credit card data “in flight” is just as important to protect and secure, so you must ensure there is no leakage of data through unsecured networks, especially in a world where Wi-Fi devices make accidental and intentional breaches easy.
It is also important to make sure that you are protected from the inside. This is one reason why PCI compliance is about complete store security, not just isolating credit card transactions.
Do debit card transactions fall under the scope of PCI compliance?
Yes. Any debit, credit or prepaid cards that are imprinted with the logo of any of the PCI SSC partners (Visa, MasterCard, Discover, American Express or JCB International) fall under the scope of PCI compliance.
What are examples of fines related to PCI compliance?
While the amounts and severity of fines related to PCI compliance change often, you can expect to pay heavy fines, in some cases up to $500,000, if you suffer a breach and are not compliant. You may also incur fines simply for accepting credit card payments without being PCI compliant. Fines are likely to grow steeper as regulations continue to get tougher.
What happens if you’re not compliant? What’s the risk associated with non-compliance?
Businesses committing compliance violations can expect to receive industry fines, as well as fines from their issuing banks or from credit card processors in the form of increased transaction fees. In addition to fines, businesses that are breached and not PCI compliant face hefty expenses such as customer card replacement costs, forensic audit costs, and the cost of rebuilding their image. The effects of non-compliance and a breach can affect a company for years afterwards because of the extreme toll these factors take on a company’s bank account and credibility. Customers are becoming more aware of PCI compliance standards and see compliance as a symbol of security and professionalism in the business world.
When is the deadline for PCI compliance?
All applicable merchants are expected to be in compliance now. Under PCI DSS 3.1, continuous compliance is the requirement; it is not voluntary.
What happens if I’m breached?
Put simply, there’s a lot of money at stake, from industry fines to the permanent damage of your company brand in the event of a data breach. A merchant that is breached pays on average $50 to $90 per cardholder whose data has been compromised. In addition to heavy industry fines, state governments are getting involved, too. Texas, Minnesota and California were all early movers in developing legislation to shift liability to the merchant. If you do business in any state with related legislation, PCI compliance is not just an industry mandate; it is increasingly a matter of state law. Fines and repercussions in such states will generally be more severe in the event of a breach. A more serious repercussion is the real possibility of your business not surviving the loss.
What can happen to my customers if a data breach occurs in my business?
As far as your customers’ risk, consider the following: consumer identities can be illegally bought online for as little as $14 – including credit card numbers, social security numbers, date of birth and more. A carefully built credit history can be ruined in a matter of hours, bank accounts wiped out and more. It can literally take years for consumers to deal with a stolen identity incident. By following PCI DSS compliance standards you reduce this risk for your customers and present your company as responsible and reliable.
Isn’t my technology provider liable for such breaches?
No, the burden of liability falls squarely on the merchant. It is the merchant’s responsibility to secure the technologies they directly and indirectly use to handle customer payment transactions.
Why are some retailers under the impression that PCI compliance is covered by their technology providers or credit card processors? I’m getting mixed information.
There are too many moving parts between deadlines, devices, and communication infrastructure. Some retailers may mistakenly believe someone else is responsible or are confused about liability and handoff issues with their credit processors. But if a breach of cardholder data occurs, it is the retailer who is liable. The retailer would have to prove the breach did not occur at its location or corporate office, which would be difficult for a retailer to do if the organization is not PCI compliant.
Do states have laws that require data breach notifications to the affected parties?
Yes. The majority of states require these notifications. For more information, visit www.privacyrights.org.
What are chargebacks, and when are they filed?
The Electronic Funds Transfer Act guarantees consumers the right to reverse any charges that they deem incorrect or unfair. If a consumer notices a suspicious charge on their credit or debit card, they may tell the bank to issue a chargeback. The bank then returns the funds to the consumer and recovers them from the merchant who initiated the transaction.
What is an SAQ?
SAQ stands for Self Assessment Questionnaire. From the Council’s official website at pcisecuritystandards.org: “The PCI DSS SAQ is a validation tool for merchants and service providers that are not required to undergo an on-site data security assessment per the PCI DSS Security Assessment Procedures. The purpose of the SAQ is to assist organizations in self-evaluating compliance with the PCI DSS […] Each SAQ includes a series of yes-or-no questions about your security posture and practices.”
While the SAQ is considered a self-assessment tool, many businesses find the 411-plus-question document under PCI DSS 3.1 too complicated to undertake on their own. It’s common for a business to reach out to an outside partner, like Omega, for assistance in completing its SAQ.
To learn more about the SAQ, visit https://www.pcisecuritystandards.org/merchants/self_assessment_form.php.
What is defined as “cardholder data”?
As defined by the PCI Security Standards Council, cardholder data consists at a minimum of the full PAN (primary account number). Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code. See Sensitive Authentication Data for additional data elements that may be transmitted or processed (but not stored) as part of a payment transaction.
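Because the full PAN is what turns a log file or export into cardholder data, a practical defender check is to find unmasked PANs in text and mask them down to the first six and last four digits, the maximum PCI DSS 3.3 allows for display. The example below is added here and is not code from the original page or from Omega; the log lines, the regex and the function names are constructed for illustration, and the Luhn check is used to tell real PANs apart from other long digit runs such as order numbers.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes
# (constructed pattern; tune the separators to the formats seen in your logs).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines, not taken from any real system.
LOG_LINES = [
    "2015-06-01 10:02:11 POS terminal 3 auth ok pan=4111 1111 1111 1111 exp=12/18",
    "2015-06-01 10:03:40 order 1234567890123456 shipped",
    "2015-06-01 10:05:02 refund card 5500-0000-0000-0004 amount=19.99",
]


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every valid PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI DSS 3.3 display rule: show at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs (separators removed) found in a line of text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def redact_line(line: str) -> str:
    """Replace each Luhn-valid PAN in the line with its masked form; leave other digit runs alone."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_RE.sub(repl, line)


if __name__ == "__main__":
    for line in LOG_LINES:
        print(len(find_pans(line)), "PAN(s):", redact_line(line))
```

The Visa and MasterCard numbers in the sample lines are the well-known published test numbers, so the sample contains no live cardholder data.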
What is a network security scan?
Typically, a network security scan utilizes an automated tool that remotely reviews a merchant or service provider’s systems for vulnerabilities. Hackers could use these vulnerabilities to gain unauthorized access to the merchant’s internal network, including sensitive files containing valuable data.
How often do I have to scan?
To remain PCI compliant, you must submit a passing scan once every quarter (every 90 days).
Do I need vulnerability scanning to validate compliance?
Yes. This is a mandate under PCI DSS 3.1. The PCI security scanning requirement states that merchants and service providers must have any IT infrastructure with Internet-facing IP addresses scanned. Both internal vulnerability scanning and external vulnerability scanning are requirements of PCI DSS 3.1.
What do you mean by internal vulnerability scanning? Why is it needed?
Internal Vulnerability Scanning (IVS) is a requirement of PCI DSS version 3.1 so that an operation’s entire IT network can be scanned for any type of threat. A small scanning device is required to do IVS; it lets the network be scanned from behind the corporate perimeter firewall, where an external scan cannot see. Once installed, the IVS scans a defined list of IP addresses that correspond to servers, file sharing systems, mail relays, employee PCs, etc. to identify any vulnerabilities based on current threats. Quarterly internal vulnerability scanning is necessary to meet PCI DSS requirements. Reports of the last 3 passed scans are required as proof of continuous compliance.
Use of Omega’s Appliance is the swiftest and easiest way to do internal vulnerability scanning without disrupting or slowing down business. It can be done at any time of day or night at several locations at once. It does not slow down or affect network activities.
What do you mean by external vulnerability scanning? Why is it needed?
External scanning is done on external-facing IPs to detect security vulnerabilities, potential data leaks, unauthorized access attempts, and unknown software installs. No on-site equipment is required for this, but quarterly scans are mandatory.
Do I need both external and internal vulnerability scanning?
External and internal vulnerability scans are both required by PCI DSS version 3.1, and they need to be done every quarter. Scan reports and logs need to be kept available for a period of 365 days to maintain PCI compliance. The vulnerability scanning requirement is found in requirement 11.2 of PCI DSS 3.1, which also requires these scans to be conducted by an Approved Scanning Vendor (ASV).
What is a Wireless Intrusion Prevention Solution (WIPS)?
A WIPS is necessary to comply with the PCI DSS standards, which require businesses to regularly test and monitor their network and wireless access points. A small device called a Wireless Intrusion Prevention (WIP) sensor is hosted at the site in the vicinity of the access points most likely to face threats from hackers. The sensors are capable of detecting, blocking and locating any unauthorized device attempting to connect to the site’s network.