PCI-DSS FREQUENTLY ASKED QUESTIONS

To whom does PCI apply?

PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

Where can I find the PCI Data Security Standards (PCI-DSS)?

The Standard can be found on the PCI Security Standards Council’s Website; click here to visit them.

What are the PCI compliance deadlines?

All merchant that stores, processes or transmits cardholder data must be compliant now. However, as a Level 4 merchant, you will have to refer to your merchant bank for their specific validation requirements and deadlines. All deadline enforcement will come from your merchant bank.

What are the PCI compliance ‘levels’ and how are they determined?

All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (‘DBA’). In cases where a merchant corporation has more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA’s individual transaction volume to determine the validation level.

My business has multiple locations, is each location required to validate PCI Compliance?

If your business locations process under the same Tax ID, then typically you are only required to validate once annually for all locations. And, submit quarterly passing network scans by an PCI SSC Approved Scanning Vendor (ASV), if applicable.

Are debit card transactions in scope for PCI?

In-scope cards include any debit, credit, and pre-paid cards branded with one of the five card association/brand logos that participate in the PCI SSC: ­ American Express, Discover, JCB, MasterCard, and Visa International.

Am I PCI compliant if I have an SSL certificate?

No. SSL certificates do not secure a Web server from malicious attacks or intrusions. High assurance SSL certificates provide the first tier of customer security and reassurance such as the below, but there are other steps to achieve PCI Compliance.

What are the penalties for noncompliance?

The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream till it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.

What is defined as ‘cardholder data’?

Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data.

Ensure your card payments are always secure.
Get in touch to find out how we can help.

Contact us
silver-lining-logo
© Silver Lining Convergence Ltd
Registered Company Number: 06212357
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram