PCI Compliance FAQs

What is the PCI DSS?

The PCI DSS is a set of comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International), to help facilitate the global adoption of consistent data security measures. The PCI DSS includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures intended to proactively protect customer account data.

Are all Businesses and Service Providers required to comply with the PCI DSS?

Yes. All entities (businesses or service providers) that store, process, or transmit cardholder data must comply with the PCI DSS. The requirements apply to all acceptance channels including retail (brick-and-mortar), mail/telephone order (MOTO) and e-commerce. Validation requirements vary depending on Service Provider or Merchant level.

Is this a one-time requirement?

No. Validation actions vary depending on Service Provider or Merchant level. However, the credit card associations require all businesses accepting card-based payments to comply with PCI DSS at all times. There are two main components of validation:

  • Completing the PCI Self-Assessment Compliance Questionnaire annually
  • Undergoing Vulnerability Scans performed by an Approved Scanning Vendor quarterly

What if my business does not go through this compliance procedure?

Once you have successfully completed the compliance program, Trustwave will issue you a Certificate of Compliance. Any reporting to your acquirer will be facilitated by TrustKeeper. It is the acquirer’s responsibility to report statuses to the Card Associations.

Can our internal staff validate our compliance?

No. The card associations require that you use an Approved Scanning Vendor to perform the quarterly vulnerability scans. However, your internal staff can complete the Annual PCI Self-Assessment questionnaire.

We don’t have time for this. How long will this take?

The length of the process varies. Once non-compliance issues have been identified, the time it takes your organization to implement fixes determines how long the PCI DSS compliance process takes. That time also depends on the resolution chosen and the complexity of the environment.

What are the requirements for PCI DSS?

There are 12 requirements that fall into six categories:

  • Build and Maintain a Secure Network: Install and maintain a firewall, and use unique, high-security passwords, with special care to replace default passwords.
  • Protect Cardholder Data: Whenever possible, do not store cardholder data. You must also encrypt any data passed across public networks, including your shopping cart and web-hosting providers.
  • Maintain a Vulnerability Management Program: Use anti-virus software and keep it up to date. Develop and maintain secure operating systems and payment applications. Ensure the applications you use are compliant (see www.visa.com/pabp).
  • Implement Strong Access Control Measures: Access to cardholder data, both electronic and physical, should be granted on a “need-to-know” basis. Ensure everyone with access has a unique ID and password. Do not share logon information.
  • Regularly Monitor and Test Networks: Track and monitor all access to networks and cardholder data. Ensure you have a regular testing schedule for security systems and processes: firewalls, patches and anti-virus.
  • Maintain an Information Security Policy: It’s critical that your organization has a resource for how data security is handled at your business. Ensure you have a policy and that it’s disseminated and updated regularly.

How is “cardholder data” defined?

Cardholder data is the full magnetic stripe or the Primary Account Number (PAN) plus any of the following:

  • Cardholder Name
  • Expiration Date
  • Service Code

The PCI DSS applies to any businesses that store, process, transmit or have access to cardholder data.

TrustKeeper Overview

What is TrustKeeper?

TrustKeeper is a state-of-the-art vulnerability assessment and compliance management solution that provides compliance validation tools for the PCI DSS. TrustKeeper offers easy-to-use vulnerability management services to help protect critical business information. In TrustKeeper you have access to:

  • Scanning engine that tests for more than 5,000 vulnerabilities
  • PCI Self-Assessment Questionnaire
  • Detailed compliance status reporting
  • Vulnerability prioritization
  • Remediation services to address security vulnerabilities and achieve compliance more quickly
  • Comprehensive online support resources
  • Multi-lingual help desk support