PCI FAQ

Q- What is Payment Card Industry (PCI) Compliance?
Payment Card Industry (PCI) Compliance is a set of security standards that were created by the major credit card companies (American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International) to protect customers from increasing identity theft and security breaches.

Q- Who needs to become compliant?
Any company that accepts, processes, transmits or stores credit card information needs to comply with the standards set by the Payment Card Industry.

Q- What are my requirements for PCI Compliance?
The requirements for becoming Payment Card Industry (PCI) Compliant are dependent upon the merchant or service provider level that a company falls under. Merchants are divided into four different levels based on the number of transactions per card brand they process throughout a year.

Q- How do I register compliance?
Once you have a passing PCI scan and have completed the Annual Self Assessment Questionnaire, you should submit the information to your acquiring bank. Your merchant bank will then report back to the Payment Card Industry that your company is PCI Compliant.

Q- What happens if I am not compliant?
Failure to comply with the Payment Card Industry security standards may result in heavy fines, restrictions or permanent expulsion from card acceptance programs.

Level 1 Criteria
Merchants with over 6 million transactions a year on any one card
Merchants whose data has been compromised

Level 1 Requirements
Annual Onsite Security Audit and quarterly network security scan & manual pen test

Level 2 Criteria
Merchants with 150,000 to 6 million transactions a year on any one card

Level 2 Requirements
Annual Self Assessment Questionnaire
Quarterly Scan by an Approved PCI Scanning Vendor

Level 3 Criteria
Merchants with 20,000 to 150,000 transactions a year

Level 3 Requirements
Quarterly Scan by an Approved PCI Scanning Vendor
Annual Self Assessment Questionnaire

Level 4 Criteria
Merchants with less than 20,000 transactions

Level 4 Requirements
No requirement to report compliance, but compliance must still be maintained.

Q- What kind of scans need to be performed?
Vulnerability Assessment Scans must be performed by Payment Card Industry Approved Scanning Vendors (ASVs). The scan covers all externally facing IP addresses that touch the credit card acceptance, transmission and storage process. Scan reports must be submitted to the merchant bank on a quarterly basis. ProCheckUp is an ASV and can carry out all scans needed to become PCI compliant.

Q- How long does it take to be PCI compliant?

Becoming compliant can take as little as 1 day or can take years. Time frames depend on the level of the merchant and the logistics involved.

Q- What is ASV/QSA/SAQ?

An ASV is a Payment Card Industry Approved Scanning Vendor that can scan the merchant's externally-facing payment card network. The ASV then produces a report that is submitted to the acquiring bank as proof of compliance.

QSA stands for Qualified Security Assessor. A QSA is an experienced security consultant who can conduct the On-Site Data Security Assessment for PCI DSS Compliance. QSAs are required to recertify every year by attending PCI training and passing the exam.

SAQ is the Self Assessment Questionnaire that level 3 and level 4 merchants are required to complete in order to register compliance.

https://www.pcisecuritystandards.org/

Q- What is PA-DSS? Do you do PA-DSS?

PA-DSS is the PCI Security Standards Council-managed program formerly under the supervision of Visa Inc.'s Payment Application Best Practices (PABP) program. The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data.

Q- Do you provide proof of compliance, and can we use it as a marketing tool?

ProCheckUp will provide you with a report to be submitted to your acquiring bank as proof of compliance with the scanning requirements of PCI DSS. In addition, we will provide you with a certificate that can be used for marketing purposes and to reassure customers.
