What is PCI?

Any company with a Merchant ID (MID) that stores, processes or transmits payment card data must comply with the PCI Data Security Standard (PCI DSS), which is maintained and periodically revised by the PCI Security Standards Council (PCI SSC). The PCI SSC was launched on September 7, 2006 by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB) as an independent body to own and publish the standard. The PCI DSS provides an actionable framework for building a robust payment card data security process, including prevention, detection and an appropriate response to security incidents. The PCI SSC administers the standard itself; the card brands and the acquiring banks, not the Council, are responsible for enforcing compliance and for levying penalties.

To whom does PCI apply?

PCI DSS applies to any business that stores, processes or transmits cardholder data, regardless of its size or transaction volume.

Where can I find the PCI Data Security Standards (PCI DSS)?

The standard, its glossary and the supporting guidance documents are published by the PCI SSC on its website, https://www.pcisecuritystandards.org.

What are the merchant compliance levels?

There are four merchant levels, as defined by Visa and MasterCard. A merchant's level is based on its transaction volume (credit, debit and prepaid combined) over a 12-month period. The level determines how compliance must be validated (an annual on-site assessment for Level 1, a Self-Assessment Questionnaire for the others), not which requirements apply; the PCI DSS requirements are the same at every level. A merchant that has suffered a security breach resulting in compromised card data may be moved to a higher level at the card brand's discretion.

Merchant level descriptions:

  1. Level 1: any merchant processing over 6 million Visa and/or MasterCard transactions per year.
  2. Level 2: any merchant processing 1 million to 6 million Visa and/or MasterCard transactions per year.
  3. Level 3: any merchant processing 20,000 to 1 million Visa and/or MasterCard e-commerce transactions per year.
  4. Level 4: any merchant processing fewer than 20,000 Visa and/or MasterCard e-commerce transactions per year, and all other merchants processing up to 1 million Visa and/or MasterCard transactions per year.

If I only accept credit cards over the phone, does PCI still apply to me?

Yes. All businesses that store, process or transmit cardholder data must be PCI compliant, whatever the channel. A card number taken over the phone still enters your environment, whether it is written down, keyed into a terminal or virtual terminal, or captured on a call recording, and those systems and records are in scope.

If VitaPay is PCI compliant, do I still need to be?

Yes. Using VitaPay does not exempt your company from PCI compliance. A compliant service provider can reduce the scope of your cardholder data environment, and consequently the effort needed to validate compliance, but responsibility for the cardholder data you handle and for the parts of the process that remain with you stays with your company.

My business has multiple locations; is each location required to validate PCI compliance?

Best practice is to validate each merchant ID (MID) individually. Some businesses choose to validate multiple MIDs under one entity. However, if multiple locations are validated under one entity and a compromise occurs, every MID under that entity is subject to forensic investigation, rather than only the MID where the compromise was identified.

Are debit card transactions in scope for PCI?

Yes. Any debit, credit or prepaid card branded with one of the five card brands that participate in the PCI SSC (American Express, Discover, JCB, MasterCard and Visa) is in scope.

Am I PCI compliant if I have an SSL certificate?

No. A certificate is only one piece of PCI compliance. Requirement 4 of the PCI DSS calls for strong cryptography to protect cardholder data while it is transmitted over open, public networks, which means the server's TLS configuration matters, not merely possession of a certificate. SSL (all versions) and early TLS (TLS 1.0) are no longer considered strong cryptography under the PCI DSS, so a site that still accepts them fails this requirement even with a valid certificate. The certificate also lets customers verify that the site is operated by a legitimate, legal organization, which is expected, but it does not by itself make you compliant.

What are the penalties for noncompliance?

An acquiring bank may be fined by the card brands anywhere from $5,000 to $100,000 per month for PCI compliance violations, and acquirers pass these fines downstream to the merchant. Beyond fines, a breached merchant faces many additional costs, including lawsuits from cardholders and issuing banks, the cost of reissuing cards, brand damage and a mandatory forensic investigation. Penalties are not openly discussed or widely publicized, but they can be catastrophic for a small business. It is important to be familiar with your merchant account agreement, which should outline your exposure.

What is defined as ‘cardholder data’?

The PCI Security Standards Council (SSC) defines 'cardholder data' as the full Primary Account Number (PAN), alone or together with any of the following elements:

  • Cardholder name
  • Expiration date
  • Service code

Sensitive Authentication Data (SAD) is a separate category: full magnetic stripe (track) data, the card verification codes (CAV2, CVC2, CVV2, CID), PINs and PIN blocks. Cardholder data and SAD together make up 'account data'. The distinction matters because SAD must never be stored after authorization, even in encrypted form, whereas the PAN may be stored if it is rendered unreadable.

What is the definition of merchant?

With regard to PCI DSS, a merchant is any entity that accepts payment cards bearing the logos of any of the five major card brands (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. A merchant can also be a service provider if the services it sells involve storing, processing or transmitting cardholder data on behalf of other merchants or service providers.

What constitutes a service provider?

The PCI DSS considers any company that stores, processes or transmits cardholder data on behalf of another entity, or that provides services which control or could affect the security of that data (for example payment gateways, hosting providers and managed security providers), to be a service provider.

What constitutes a payment application?

A payment application is software that stores, processes or transmits card data electronically. Anything from a point-of-sale (POS) system to an e-commerce shopping cart that incorporates software to handle card data is classified as a payment application.

What is a payment gateway?

A payment gateway connects a merchant to the bank or processor that acts as the front-end connection to the card brands. Gateways route transactions from a variety of different applications to the appropriate bank or processor, communicating with it over dial-up, web-based or private connections.

How is IP-based POS environment defined?

The point-of-sale (POS) environment refers to transactions that take place at a merchant location (a retail store, restaurant, hotel, gas station, convenience store, etc.). An Internet Protocol (IP)-based POS environment is one in which those transactions are stored, processed or transmitted on IP-based systems, or on systems that communicate over TCP/IP.

What is PA-DSS?

The Payment Application Data Security Standard (PA-DSS) was maintained by the PCI Security Standards Council (SSC) to address payment application security. Its requirements were designed to ensure that vendors deliver products that help merchants maintain PCI DSS compliance and that do not store sensitive authentication data. The PCI SSC has since retired PA-DSS (the program closed in October 2022) in favour of the PCI Software Security Framework.

The PCI SSC administered the program that validated payment applications against the PA-DSS and published a list of validated applications. See https://www.pcisecuritystandards.org/security_standards/pa_dss.shtml for more information.

Can the full credit card number be printed on the consumer’s copy of the receipt?

No. Under PCI DSS requirement 3.3 the PAN must be masked when displayed, and the first six and last four digits are the maximum that may be shown; a receipt that prints the full PAN violates this. Any paper receipts the merchant retains are in scope for the PCI DSS, especially its physical security requirements (Requirement 9), and must be destroyed so the PAN cannot be recovered when they are disposed of.
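The masking rule above and the distinction between the PAN and sensitive authentication data in the 'cardholder data' answer are the two points most often violated by a merchant's own logs and receipts. The following Python script is an added example, not code from this page or from VitaPay. It scans constructed log lines for Luhn-valid 13 to 19 digit card numbers and for sensitive-authentication-data fields, and masks each PAN it finds to the first-six/last-four display form. The sample lines, the field names it looks for (cvv2, cvc2, cid, pin) and all function names are assumptions made for the example.

```python
from __future__ import annotations

import re

# Constructed sample log lines (not from any real system). The card numbers are
# the public test PANs for Visa, MasterCard and American Express; the order id
# on the first line is a 16-digit number that is deliberately not Luhn-valid.
SAMPLE_LINES = [
    "2024-03-01 12:34:56 order=1234567890123456 pan=4111111111111111 amount=19.99",
    "2024-03-01 12:35:02 POST /checkout card=5555 5555 5555 4444 exp=12/26 cvv2=123",
    "2024-03-01 12:35:30 refund id=99 card=3782-822463-10005 status=ok",
    "2024-03-01 12:36:00 health check from 10.0.0.12 ok",
]

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run (so a 20-digit transaction id is not a candidate).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data fields that must never be stored after
# authorization (card verification codes, PINs). The field names are an
# assumption about how an application might label them.
_SAD_FIELD = re.compile(r"\b(?:cvv2?|cvc2?|cid|pin)\s*[=:]\s*\d{3,6}\b", re.IGNORECASE)


def normalize(candidate: str) -> str:
    """Strip the separators the candidate pattern allows."""
    return re.sub(r"[ -]", "", candidate)


def luhn_valid(digits: str) -> bool:
    """Luhn check digit used by all major card brands; filters most false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Requirement 3.3 display form: at most the first six and last four in the clear."""
    digits = normalize(pan)
    if not (13 <= len(digits) <= 19 and digits.isdigit()):
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return the normalized, Luhn-valid PANs found in text."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = normalize(m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def find_sad(text: str) -> list[str]:
    """Return sensitive-authentication-data fields found in text."""
    return [m.group(0) for m in _SAD_FIELD.finditer(text)]


def redact(text: str) -> str:
    """Replace each PAN with its masked form; Luhn-invalid numbers are left alone."""
    def _mask(m: re.Match) -> str:
        digits = normalize(m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _PAN_CANDIDATE.sub(_mask, text)


def scan(lines: list[str]) -> dict[int, dict[str, list[str]]]:
    """Map 1-based line number -> findings, for lines that contain PAN or SAD."""
    findings = {}
    for n, line in enumerate(lines, 1):
        pans, sad = find_pans(line), find_sad(line)
        if pans or sad:
            findings[n] = {"pan": pans, "sad": sad}
    return findings


if __name__ == "__main__":
    for n, hit in scan(SAMPLE_LINES).items():
        print(f"line {n}: {hit}")
    for line in SAMPLE_LINES:
        print(redact(line))
```

Run it as a script to print the findings and the redacted lines. The Luhn check removes most false positives (the 16-digit order id on the first line is not flagged) but not all: a Luhn-valid number that is not a card number will still be reported, so treat hits as leads for review. Masking is only the display rule of requirement 3.3; a PAN that is stored, including in log files, must additionally be rendered unreadable (requirement 3.4 in PCI DSS v3.x), and the better fix is to keep it out of logs in the first place.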