What is PCI Compliance?

The Payment Card Industry (PCI) Data Security Standard (PCI DSS) applies to organizations of any size that choose to accept credit card payments. PCI DSS is a data security standard. PCI Compliance is based on the PCI DSS standard. It is a set of 12 specific requirements that cover six different industry goals.

Validation of compliance is performed annually, either by an external Qualified Security Assessor (QSA) or by a firm specific Internal Security Assessor (ISA) that creates a Report on Compliance for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.

With over 30 million companies subject to PCI compliance through their contracts with payment card brands, banks, and payment service providers, the Payment Card Industry’s Data Security Standard is by far the world’s furthest reaching cybersecurity obligation.

The complexity and scope of PCI DSS compliance has resulted in a situation where 80% of organizations fail to maintain compliance after their audit. Even the lack of a continual compliance management and monitoring process is grounds for a non-compliant finding. To-date, Verizon - one of the largest PCI auditors - has never encountered a customer that could demonstrate compliance at the time of a data breach.

Complyify simplifies PCI Compliance

Complyify eases your PCI DSS compliance burden, always up-to-date with the latest requirements and guidance, prompting you to address gaps, directing your teams to perform the recurring compliance obligations, and continually watching your back for gaps that would leave your business exposed.

Discover if you’re subject to PCI DSS and the scope of your compliance obligations by signing up — no credit card required.

The PCI-DSS Compliance Self Assessment Questionnaire (SAQ)

There are two components to the Self-Assessment Questionnaire:
1) A set of questions corresponding to the PCI Data Security Standard requirements designed for service providers and merchants.
2) An Attestation of Compliance or certification that you are eligible to perform and have performed the appropriate Self-Assessment.
Self Assessment Questionairre How do you Accept Payment Cards
A

Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels.

A-EP

E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Applicable only to e-commerce channels.

B

Merchants using only:
* Imprint machines with no electronic cardholder data storage; and/or
* Standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels.

B-IP

Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.

C-VT

Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.

C

Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels.

P2PE-HW

Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce channels.

D

For Merchants: All merchants not included in descriptions for the above types.

D

For Service Providers: All service providers defined by a payment card brand as eligible to complete a Self-Assessment Questionnaire.



Frequently asked questions about PCI DSS compliance

Who is required to comply with PCI DSS?
PCI DSS is a contractual obligation enforced by the banks and payment providers on all merchants — organizations that accept credit/debit/gift cards for payments. It also applies to any service provider that may handle payment card information in the course of providing services to merchants or whos services may impact the security of the merchant. Examples of service providers include: cloud services, managed IT services, payment services, and point-of-sale system operators.

In addition to these contractual requirements, several jurisdictions—including 2 US states (Minnesota and Nevada)—have also made PCI DSS a regulatory obligation.

What happens if I am not PCI DSS compliant?
Failure to maintain PCI DSS compliance results in several consequences, from monthly non-compliance fines ranging from $5,000 to $100,000 USD per month, termination of your ability to accept payment cards, or inability to continue providing services to customers that handle payment card information. Organizations must also maintain compliance continually, throughout the year. Demonstrating compliance at the time of an annual audit is insufficient to protect your organization. Failure to be 100% in-compliance at the time of a data breach means your organization will be liable for all fraud, losses, and expenses incurred as a result of the data breach. You also put at risk your ability to leverage any data breach insurance you may have. insurers will deny out-of-compliance related losses; a practice which has been affirmed by US appellate courts.

Does compliance with PCI make an organization secure?
Security is a continuous process and nothing can ever by 100% breach-proof. Cybersecurity compliance—including the PCI DSS standard—is more about enabling businesses to manage risk effectively. PCI DSS provides safe harbor for organizations that can maintain continuous compliance with the standard. If you are breached while in compliance with the PCI DSS, the payment brands will not levy any fines or penalties and you have a defensible position with your insurance carriers and customers.

How hard is PCI DSS compliance to implement and maintain?
Validating your compliance with the PCI DSS differs depending upon the nature of your interactions with payment card data. A small one-store merchant that only uses a single stand-alone credit card machine has only a couple of obligations. A larger multi-store retail chain will have substantially more to consider if they have networked their POS systems, whereas companies that accept credit cards online (eCommerce) will have a multitide of objectives they have to meet and maintain to protect against given their increased exposure to digital theft.

Do I need to be PCI DSS compliant if I'm using Stripe / Recurly / Braintree / PayPal?
Yes. If you accept credit cards for payment you must be PCI DSS compliant — even using outsourced payment services. Depending on the specific services you use from payment service providers, you may be able to significantly reduce the scope of your compliance burden, but it comes at a cost. Payment providers often emphasize their ability to reduce your compliance burden but their marketing usually glosses over that minimizing the scope of your compliance obligations requires that you send your customers to the payment service provider to checkout.

For example, if your customers use PayPal's own checkout page—which PayPal sends to the customer directly, not through any of your servers or hosted services—then your compliance burden is reduced. However, if customers checkout in your app or using software you operate, or if you use PayPal's APIs directly, or touch credit card information in any other manner (e.g., phone orders) then you have a substantially large compliance obligation.
What are my obligations under the PCI DSS?
There are several "scopes" of compliance under the PCI DSS standard — collections of controls that are relevant to your organization depending on how many payment card numbers you interact with and the manner in which you interact with them. Scoping your compliance obligations is one of the core concerns with PCI DSS compliance and one of the burdens that Complyify resolves for you.

How much scrutiny you will face from auditors is primarily a factor of the volume of payment card information you handle. Very small merchants may only have to file a simple form once-a-year with their bank, while mid-sized eCommerce and retail operations may have to endure a 3rd party outside audit annually. Small businesses that have encoutered a data breach are also forced to endure outside audits for several years to retain the ability to accept payment cards.

As Complyify's Compliance Engine learns about your business and operations, we narrow the scope of your PCI DSS obligations for you so your team can focus on just the necessary parts of compliance. And you and your auditor can customize the Compliance Engine to suit any unique compliance objectives your business may have.