PCI DSS FAQ

What you need to know about PCI DSS if your business …

  • accepts credit cards as a form of payment
  • builds software for the processing of credit cards
  • allows customers to swipe credit cards
  • accepts payments online
  • processes payments on behalf of others or is otherwise involved in the processing of credit cards

What is the Payment Card Industry (PCI) Data Security Standard (DSS)?

The PCI Data Security Standard represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information. Initially created by aligning VISA's® Account Information Security (AIS)/Cardholder Information Security (CISP) programs with MasterCard's® Site Data Protection (SDP) program, the standard provides an actionable framework for developing a robust account data security process—including preventing, detecting and reacting to security incidents.

What are the deadlines for PCI DSS compliance?

Compliance is mandated by the payment card brands and not by the PCI Security Standards Council. However, most merchants’ deadlines for validating compliance have already passed. Check with your acquirer and/or merchant bank to determine whether any specific deadlines apply to you, based on your merchant transaction volume (level) as defined by the card payment brands. All entities that transmit, process or store payment card data must be compliant with PCI DSS.

What are the penalties for non-compliance?

Visa and the other payment brands reserve the right to fine acquiring banks for the non-compliance of their merchants.

Acquiring banks in turn reserve the right to fine merchants for non-compliance.

Fines are not set, but the following have been observed:

  • $10,000 per month for 12 months
  • $25,000 for the 13th month
  • $50,000 for the 14th month
  • $25,000 per each month following

In the case of a breach, if the vendor is found to be out of compliance, damages can also be imposed on the vendor.

What is the definition of “merchant”?

PCI DSS defines a merchant as any entity that accepts payment cards bearing the logos of any of the five members of PCI Security Standards Council (American Express®, Discover®, JCB®, MasterCard® or Visa®) as payment for goods and/or services.

A merchant that accepts payment cards as payment for goods and/or services also can be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.

I’m a small merchant with limited payment card transaction volume. Do I need to be compliant with PCI DSS?

Merchants of all sizes need to be PCI DSS compliant. The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment cardholder data.

Does PCI DSS apply to debit cards, debit payments and debit systems?

Any payment card (credit, debit, prepaid, stored value, gift or chip) bearing the logo of one of the PCI Security Standards Council’s five founding payment brands is required to be protected as prescribed by the PCI DSS.

Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data?

Yes, if a primary account number (PAN) is stored, processed or transmitted. No, if PAN is not stored, processed or transmitted.

However, under PCI DSS, if the merchant shares cardholder data with a third-party processor or service provider, the merchant must ensure that the third-party processor/service provider is contractually obligated to adhere to the PCI DSS and to assume responsibility for the security of the cardholder data it possesses. In lieu of a direct agreement, the merchant must obtain evidence of the third-party processor/service provider's compliance with PCI DSS via other means, such as a letter of attestation.