Frequently Asked Questions (FAQ)
PCI DSS FAQs
1. Do businesses using third-party processors have to be PCI DSS compliant?
2. What are the consequences to an organization if it does not comply with the PCI DSS?
The PCI Security Standards Council encourages all organizations that store payment account data to comply with the PCI DSS to help minimize the financial risks associated with payment account data compromises. The PCI Security Standards Council leaves it to acquirers to determine the appropriate consequence for noncompliance. However, individual payment brands (for example, Visa, Mastercard) may have their own compliance programs, including operational or financial consequences for businesses that are not compliant.
3. How does an organization comply with the PCI DSS?
Complying with the mandates includes meeting the 12 requirements in the standard, working with the acquiring bank, and using the tools offered through the council. PCI DSS compliance is an ongoing process and not a one-time event. An organization must continuously assess operations, fix any identified vulnerabilities, and produce the required reports to the acquiring bank and card brands it has a business relationship with.
4. Do small businesses need to worry about a breach?
Any business that accepts customers’ debit and credit cards for payment is responsible for securing the sensitive data corresponding to the payment method and the processes followed during its verification and approval, throughout and after transaction processing. Under the PCI DSS, sensitive data refers to the 16-digit account number, or the account number together with the customer’s name, expiration date, service code, and other security codes. The PCI DSS distinguishes which compliance requirements merchants must follow based on the number of debit and credit card transactions they process in a year and the payment brands they accept.
5. Is a business PCI compliant if it has an SSL certificate?
No. SSL certificates do not secure a web server from malicious attacks. High assurance SSL certificates offer the first tier of customer security and reassurance, but there are other steps to achieve PCI compliance, including:
- Validation that the website operators are a legitimate and legally accountable organization.
- A secure connection between the customer’s browser and the web server.
6. Does PCI DSS make organizations store cardholder data?
Both PCI DSS and the payment card brands strongly discourage cardholder data storage by processors and merchants. Storing data from the magnetic stripe on the back of a payment card, or the equivalent data from a chip, is never required and is not permitted. If processors or merchants have a business reason to store card data such as the cardholder name and primary account number (PAN), PCI DSS requires that the data be secured and that the PAN be encrypted or otherwise made unreadable.
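The answer above says a stored PAN must be encrypted or otherwise made unreadable and that sensitive authentication data (magnetic stripe or chip equivalent, card verification code) must never be kept. The following is an added example, not code from Nollysoft or the PCI SSC, showing two of the accepted ways to render a PAN unreadable at rest: truncation (first six and last four digits) for display, and a keyed hash (HMAC-SHA256) so that repeat use of the same card can be linked without holding the PAN. Strong encryption is the third option; it is omitted here because the Python standard library has no AES. The record layout, the field names cvv/track1/track2/pin_block, the key, and the sample card number are all constructed for the example.

```python
import hashlib
import hmac
import re

# Fields PCI DSS calls "sensitive authentication data": never stored after authorization.
# Field names are assumptions for this example.
FORBIDDEN_FIELDS = ("cvv", "track1", "track2", "pin_block")


def luhn_ok(pan: str) -> bool:
    """Luhn check so a mistyped PAN is rejected before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep at most the first six (BIN) and last four digits, mask the rest."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan: str, key: bytes) -> str:
    """Keyed hash of the PAN. Two transactions on the same card get the same reference,
    but without the key the value cannot be reversed or brute-forced over the PAN space."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def prepare_for_storage(record: dict, key: bytes) -> dict:
    """Take a raw authorization record and return the only fields allowed to reach the database.
    Raises ValueError if sensitive authentication data is present or the PAN is invalid."""
    present = [f for f in FORBIDDEN_FIELDS if record.get(f)]
    if present:
        raise ValueError(f"sensitive authentication data must not be stored: {present}")
    pan = re.sub(r"\D", "", record["pan"])          # drop spaces and dashes
    if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("invalid PAN")
    return {
        "cardholder_name": record["cardholder_name"],
        "pan_truncated": truncate_pan(pan),
        "pan_ref": pan_reference(pan, key),
        "expiry": record["expiry"],
    }


# Constructed demo input; the PAN is a well-known test number, the key is a placeholder.
DEMO_KEY = b"placeholder-key-use-an-HSM-or-KMS-in-production"
DEMO_RECORD = {
    "cardholder_name": "A. Example",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/29",
}

if __name__ == "__main__":
    print(prepare_for_storage(DEMO_RECORD, DEMO_KEY))
    try:
        prepare_for_storage({**DEMO_RECORD, "cvv": "123"}, DEMO_KEY)
    except ValueError as exc:
        print("rejected:", exc)
```

The HMAC key must live outside the cardholder data store (HSM or key management service) and be rotated under a documented procedure; a plain unkeyed hash of a 16-digit PAN is not adequate, since the keyspace is small enough to enumerate.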
7. Does one need vulnerability scanning to validate compliance?
If an organization qualifies for particular self-assessment questionnaires (SAQs) or electronically stores cardholder data post-authorization, then a quarterly scan by a PCI SSC Approved Scanning Vendor (ASV) is required to maintain compliance.
An on-site security assessment is a requirement for large merchants with complicated IT environments. While other options are available for smaller merchants, such as pre-agreed internal assessments or self-assessment questionnaires, they do not offer the same impartiality or credibility as using an external assessor to review the system.
Additionally, you can go beyond checking your compliance at one moment in time and commit to continual assessment ensuring continuous payment card security. Using Nollysoft’s software can help with continual assessment with ease and better efficiency. Connect with us today to learn more.