Skip links

PCI-DSS FREQUENTLY ASKED QUESTIONS

What is a..._

 To whom does PCI apply?

PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

What is a..._

Where can I find the PCI Data Security Standards (PCI-DSS)?

The Standard can be found on the PCI Security Standards Council’s Website; click here to visit them.

What is a..._

What are the PCI compliance deadlines?

All merchant that stores, processes or transmits cardholder data must be compliant now. However, as a Level 4 merchant, you will have to refer to your merchant bank for their specific validation requirements and deadlines. All deadline enforcement will come from your merchant bank.

What is a..._

What are the PCI compliance ‘levels’ and how are they determined?

All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (‘DBA’). In cases where a merchant corporation has more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA’s individual transaction volume to determine the validation level.

What is a..._

If I only accept credit cards over the phone, does PCI still apply to me?

Yes. All business that store, process or transmit payment cardholder data must be PCI Compliant.

What is a..._

Do organizations using third-party processors have to be PCI compliant?

Yes. Merely using a third-party company does not exclude a company from PCI compliance. It may cut down on their risk exposure and consequently reduce the effort to validate compliance. However, it does not mean they can ignore PCI.

What is a..._

My business has multiple locations, is each location required to validate PCI Compliance?

If your business locations process under the same Tax ID, then typically you are only required to validate once annually for all locations. And, submit quarterly passing network scans by an PCI SSC Approved Scanning Vendor (ASV), if applicable.

What is a..._

Are debit card transactions in scope for PCI?

In-scope cards include any debit, credit, and pre-paid cards branded with one of the five card association/brand logos that participate in the PCI SSC: ­ American Express, Discover, JCB, MasterCard, and Visa International.

What is a..._

Am I PCI compliant if I have an SSL certificate?

No. SSL certificates do not secure a Web server from malicious attacks or intrusions. High assurance SSL certificates provide the first tier of customer security and reassurance such as the below, but there are other steps to achieve PCI Compliance.

What is a..._

What are the penalties for noncompliance?

The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream till it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.

What is a..._

What is defined as ‘cardholder data’?

Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data.

Ensure your card payments are always secure. Get in touch to find out how we can help.

Contact Us