PCI FAQ

PCI DSS stands for Payment Card Industry Data Security Standard. This is a security standard that is in place for all businesses and organisations that handle cardholder information. It is designed to ensure that all merchants process, transmit and store card details in a secure environment. The aim is the reduction of credit card fraud that is so frequently caused through data exposure.

The first version of PCI DSS was released in 2004, when MasterCard, Visa, American Express, Discover and JCB aligned their individual security policies to create the Payment Card Industry Data Security Standard. Since then, PCI DSS has been updated regularly, with the most recent version, 3.1, released in April 2015.

You can find the PCI DSS website by heading to the following link - www.pcisecuritystandards.org

Do your customers ever pay for your products or services via debit or credit card? If so, then yes, you do need to be concerned with PCI, even if you only accept credit cards over the phone. PCI is relevant to any merchant or organisation that handles cardholder data, including the acceptance, transmission and storage of such data. A lot of business owners mistakenly believe that PCI does not apply to small companies, yet this is not the case. It doesn’t matter how many types of cards you accept or how frequently you engage in these types of transactions, PCI is a must.

Sensitive Authentication Data must be protected. This includes PINs, CVV2, full magnetic stripe data and more. Aside from this, the full Primary Account Number, together with the cardholder name, expiration date and service code, counts as cardholder data.

The most recent PCI DSS requirements are separated into six general principles, with each principle featuring a minimum of one requirement. At present, there are 12 requirements that need to be followed. We have outlined them briefly below:

Build and maintain a secure network
  1. You must protect cardholder data through the installation and maintenance of a firewall configuration.
  2. You should not utilise vendor-supplied defaults for security parameters, such as system passwords.

Protect cardholder data
  3. Stored cardholder data must be protected.
  4. The transmission of cardholder data across public and open networks must be encrypted.

Uphold a vulnerability management program
  5. You must utilise antivirus software and this needs to be updated frequently.
  6. Secure applications and systems must be developed and maintained.

Put strong access control measures in place
  7. Business need-to-know needs to be used to ensure access to cardholder data is restricted.
  8. Every individual with computer access needs to be assigned a unique ID.
  9. Physical access to cardholder data should be restricted.

Monitor and test networks on a frequent basis
  10. Access to cardholder data and network resources must be tracked and monitored.
  11. Security processes and systems must be tested regularly.

Maintain an information security policy
  12. You must maintain a policy that addresses information security.

Unfortunately not; it is all mandatory. If you transmit, process or store cardholder data, you need to comply with all of the PCI standards.

You are likely to face large fines, brand damage, costly audits, and card replacement costs, which can be difficult for any business to come back from. PCI is not a law, yet it is enforced by the major card brands.

There is no official publication regarding penalties. However, the acquiring bank is fined and then this is passed on to the offending merchant, with fines believed to range from £3,000 to around £65,000. Not only this, but the bank may terminate your contract, and if you do manage to hold onto your relationship with the bank, your transaction fees will increase.

This depends on your business and your Merchant Level (see below). Retail Secure offers a solution to help all retailers and merchants achieve compliance. We can give you a free no-obligation quote.

PCI has been designed to ensure that customers are protected from the likes of fraud and identity theft, which is rife at the moment.

Yes. Firstly, you need to make sure that the third-party processor you are utilising is PCI compliant. Secondly, you need to be compliant yourself, as you will still be handling card data at some point, i.e. when you accept the payment or when you process a return.

PCI DSS relates to all types of cards, including credit cards, debit cards and pre-paid cards, from the five main card brands that set up the industry standard – Visa, MasterCard, JCB, American Express and Discover.

As a small-medium business owner, it is your responsibility to first work out which Self Assessment Questionnaire (SAQ) applies to your business. There are various different questionnaires to choose from, and if you are unsure regarding what applies to your company, don’t panic, as Retail Secure helps all clients to fill out the SAQ. Once you have determined which SAQ you need, you then need to fill it out in accordance with the instructions. After this, you should complete the relevant Attestation of Compliance and submit the SAQ and Attestation of Compliance. In some cases you may be asked to submit some extra documentation as well. Moreover, some merchants are required to complete a vulnerability scan, after which they need to supply PCI with evidence of this. You must ensure that this scan is completed by a PCI SSC Approved Scanning Vendor.

Yes. But, if you are unsure, it is advisable to seek outside assistance, which is what Retail Secure is here for.

The PCI DSS outlines four merchant levels, and you will fall into one of these categories. The levels are determined based on the volume of Visa transactions over a year. Merchant Level 1 is for any merchant that processes in excess of six million Visa transactions per annum. Merchant Level 2 is for anyone that processes between one million and six million Visa transactions per annum. Merchant Level 3 applies to those that process between 20,000 and one million Visa e-commerce transactions per year. Finally, Merchant Level 4 is for any merchant that processes fewer than 20,000 Visa e-commerce transactions per annum, as well as all other merchants that process up to one million Visa transactions per year.

So, let’s break this down in a simpler manner…
  • Do you process more than 6m Visa transactions, across any channel, per year? If so, you fall into the Merchant Level 1 category.
  • Do you process between 1m – 6m Visa transactions, across any channel, per year? If so, you fall into the Merchant Level 2 category.
  • Do you process less than 1m Visa transactions, across any channel, per year? If so, you fall into the Merchant Level 4 category.
  • Do you process between 20,000 – 1m Visa transactions, e-commerce only, per year? If so, you fall into the Merchant Level 3 category.
  • Do you process fewer than 20,000 Visa transactions, e-commerce only, per year? If so, you fall into the Merchant Level 4 category.

In most cases, you only need to validate PCI compliance once if your business locations process under the same tax ID.

This is dependent upon the Self Assessment Questionnaire you qualify for. Retail Secure can help you to complete your SAQ, so we will inform you whether you need a vulnerability scan. A vulnerability scan uses software that looks for vulnerabilities in your systems, and it is required once per quarter for those merchants to whom it applies.

The first thing you should do is reach out to the organisation or merchant that is failing to be compliant. There is a high chance that they may not be aware of their actions and the implications, so it’s always a good idea to give them the chance to put the situation right themselves. You can show them the information provided on this website and you can put them in touch with Retail Secure so that they can start taking the steps needed to protect their cardholder data.

What if the merchant or organisation still fails to comply? In this case, you will need to take action, as the individual in question is knowingly breaching the rules of PCI and making no effort to put this right. There are two approaches you can take. The first is to report the violation directly to the credit card processor the company uses. However, if you don’t know what this is, go directly to the credit card brands, such as MasterCard and Visa.

There are severe fines in place for those who do not comply with PCI DSS. If a data breach occurs, the financial damage increases, as fines from credit card companies and banks arise too.

Want to achieve compliance easily?

We've got the solution