Frequently Asked Questions

Commonly provided information about PCI DSS.

Are all Merchants and Service Providers required to comply with the PCI DSS?
Yes. All entities (merchants or service providers) that store, process, or transmit cardholder data must comply with the PCI DSS.
The requirements apply to all acceptance channels including retail (brick-and-mortar), mail/telephone order (MOTO) and eCommerce.
Validation requirements vary depending on the number of transactions an entity processes.
Is this a one-time requirement?
No. PCI DSS compliance is an ongoing process. Validation actions vary depending on the actual number of transactions you process. However, the credit card associations require all merchants to comply with PCI DSS at all times. There are two main components of validation for level 2 and 3 merchants, the Self-Assessment Questionnaire and the network vulnerability scan:
What is the PCI Self-Assessment Questionnaire?
The PCI Self-Assessment Questionnaire is a list of questions used to assess your compliance with the requirements of the PCI DSS. The questionnaire includes questions about your policies, procedures, administrative controls, access controls and physical security measures as they pertain to those systems that store, process or transmit cardholder data.
What is a Vulnerability Scan?
A vulnerability scan is an automated scan that assesses your network from the Internet to see if you have any vulnerabilities or gaps that may allow an unauthorized or malicious user to gain access to your network and potentially compromise cardholder data.
Is there a deadline to be compliant?
Yes. However, these deadlines depend on your merchant level. Your merchant level is determined by the number and type of payment card transactions you process in a year.

Obligations

| Level | Merchant Levels | Validation Actions: Onsite Security Assessment | Validation Actions: Self-Assessment Questionnaire | Validation Actions: Network Vulnerability Scans |
|---|---|---|---|---|
| 1 | At least 6 million transactions annually from any acceptance channel | Submitted to Acquirer Annually | | |
| 2 | 1 million to 6 million transactions annually from any acceptance channel | | Submitted to Acquirer Annually | |
| 3 | 20k to 1 million ecommerce transactions annually | | Submitted to Acquirer Annually, Required Annually | |
| 4 | Less than 20k ecommerce annually or less than 1 million transactions from any acceptance channel annually | | Required Annually (submission to acquirer not mandatory) | Required Quarterly (submission to acquirer not mandatory) |

What if my business does not go through this compliance procedure?
If you do not comply with the security requirements of the card associations, you put your organization at risk of payment card compromise. Chase Paymentech may also pass fines levied by the card associations for non-compliance on to you.
Can our internal staff validate our compliance?
The card associations require that you use an Approved Scanning Vendor to perform the quarterly vulnerability scans. However, your internal staff can complete the Annual PCI Self-Assessment questionnaire.
We don't have time for this. How long will this take?
The length of the process varies. Once non-compliance issues have been identified, the time it takes your organization to implement solutions for them determines much of the overall length of the PCI DSS compliance process. That time in turn depends on the chosen resolution and on the complexity of your environment.

For card association updates on data security, visit the Merchant Support Center