15 Questions

PCI DSS Compliance FAQ

Common questions about PCI DSS compliance requirements for organizations that handle payment card data.

PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. It was created by the PCI Security Standards Council founded by Visa, Mastercard, American Express, Discover, and JCB.

Any organization that stores, processes, or transmits cardholder data must comply with PCI DSS regardless of size or transaction volume. This includes merchants, payment processors, acquiring banks, issuing banks, and service providers. Even if you use a third-party processor, you still have PCI DSS obligations.

The 12 requirements cover: installing firewalls, changing vendor defaults, protecting stored cardholder data, encrypting data in transit, using antivirus, developing secure systems, restricting data access, assigning unique IDs, restricting physical access, tracking and monitoring access, testing security systems regularly, and maintaining an information security policy.

There are four merchant levels based on annual transaction volume. Level 1: over 6 million transactions (requires an annual on-site audit by a QSA). Level 2: 1 to 6 million transactions. Level 3: 20,000 to 1 million e-commerce transactions. Level 4: fewer than 20,000 e-commerce transactions, or up to 1 million transactions of any other kind. Levels 2 through 4 may self-assess.

An SAQ is a validation tool for merchants and service providers who are not required to undergo a full on-site assessment. There are multiple SAQ types (A, A-EP, B, B-IP, C, C-VT, D, P2PE) based on how you process card payments. Each type contains a different subset of PCI DSS requirements relevant to your payment processing method.

A QSA is a security professional certified by the PCI Security Standards Council to validate an organization's PCI DSS compliance. QSAs conduct on-site assessments for Level 1 merchants and produce a Report on Compliance (ROC). Only organizations listed on the PCI SSC website are authorized to perform QSA assessments.

Non-compliance penalties include fines ranging from $5,000 to $100,000 per month imposed by payment card brands through your acquiring bank. Additional consequences include increased transaction fees, liability for fraud losses, loss of the ability to accept card payments, and reputational damage following a data breach.

PCI DSS 4.0, released in March 2022, introduces a customized approach allowing organizations to meet security objectives through alternative methods. Key changes include expanded multi-factor authentication requirements, enhanced password standards, new e-commerce security requirements, and a greater focus on continuous security processes rather than point-in-time compliance.

Scope reduction strategies include network segmentation to isolate cardholder data environments, using tokenization to replace card data with non-sensitive tokens, implementing point-to-point encryption (P2PE), outsourcing payment processing to PCI-compliant third parties, and using hosted payment pages to keep card data off your servers entirely.

Cardholder data includes the primary account number (PAN), cardholder name, expiration date, and service code. It can be found in databases, log files, backup tapes, email, spreadsheets, paper documents, and even in memory. A thorough data discovery exercise is essential for identifying all locations where cardholder data exists.

PCI DSS compliance must be validated annually through either an on-site assessment by a QSA or completion of the appropriate SAQ. Additionally, quarterly network vulnerability scans by an Approved Scanning Vendor (ASV) are required. Some requirements like log reviews and access reviews have daily, weekly, or monthly frequencies.

You can store certain cardholder data elements if properly protected according to PCI DSS requirements, but you must never store sensitive authentication data (full magnetic stripe, CVV/CVC codes, or PIN data) after authorization. The best practice is to avoid storing cardholder data whenever possible through tokenization or outsourcing.
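As an added example that is not part of the original FAQ, the following Python script does the kind of data discovery described in the cardholder-data answer above and enforces the storage rule in this one: it finds Luhn-valid PAN candidates in a few constructed log lines, masks them to the first six and last four digits, and flags fields that look like sensitive authentication data. The log lines, the field names in the patterns and the 4111... test number are assumptions for illustration, not data from any real system.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Field names that commonly carry sensitive authentication data (assumed names).
SAD_RE = re.compile(r"(?i)\b(?:cvv2?|cvc2?|cid|cav2|track[12]?|pin(?:block)?)\b\s*[:=]\s*\S+")

# Constructed sample log lines; 4111... is a well-known test number, not a live card.
LOG_LINES = [
    "2024-05-01 10:02:11 order=8841 card=4111 1111 1111 1111 cvv=123 amount=49.99",
    "2024-05-01 10:02:12 order=8842 token=tok_9f8e7d6c amount=12.00",
    "2024-05-01 10:02:13 trace id=1234567890123456 status=ok",
]


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test: real PANs pass, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, the maximum PCI DSS allows for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line: str):
    """Return (redacted_line, findings); findings lists 'PAN' and/or 'SAD' in that order."""
    findings = []

    def _redact(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)           # timestamp, order id, trace id: leave untouched
        findings.append("PAN")
        return mask_pan(digits)

    redacted = PAN_RE.sub(_redact, line)
    if SAD_RE.search(redacted):
        findings.append("SAD")              # must never be stored after authorization
    return redacted, findings


def scan_log(lines):
    """Return [(line_number, findings)] for every line that contains PAN or SAD."""
    hits = []
    for n, line in enumerate(lines, 1):
        findings = scan_line(line)[1]
        if findings:
            hits.append((n, findings))
    return hits


if __name__ == "__main__":
    for n, line in enumerate(LOG_LINES, 1):
        redacted, findings = scan_line(line)
        print(f"line {n}: {findings or 'clean'} -> {redacted}")
```

The third constructed line shows why the Luhn check matters: a 16-digit trace id would otherwise be reported as a PAN, and a discovery exercise full of false positives gets ignored.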

Network segmentation isolates systems that store, process, or transmit cardholder data from the rest of your network. While not explicitly required by PCI DSS, segmentation significantly reduces the scope of your compliance assessment, lowers the cost and effort of maintaining compliance, and limits the potential impact of a breach.

Yes, PCI DSS applies to e-commerce websites that accept card payments. Even if you use a hosted payment page or redirect to a payment processor, your website still has PCI DSS obligations. The SAQ type and compliance requirements depend on how your e-commerce site handles the payment process.

An ASV is a company approved by the PCI SSC to conduct external vulnerability scans of internet-facing environments. Quarterly ASV scans are required for all merchants and service providers. A scan passes only when no detected vulnerability has a CVSS base score of 4.0 or higher.