PCI FAQ

Questions & Answers About PCI

What is the PCI DSS?
The PCI Data Security Standard (PCI DSS) was derived from the earlier, separate security programs of VISA and MasterCard and is now adopted and recognized by all major payment card brands as a common standard. It defines specific requirements for the different areas of payment card processing that have to be met by merchants, service providers, payment application vendors, acquiring banks and processors. For more information, please refer to the website of the PCI Security Standards Council.
What are the objectives of the standard's security requirements?

The standard includes security requirements that pursue the following objectives:

  1. Establishment and operation of a protected network
  2. Protection of stored and transmitted cardholder data
  3. Establishment and operation of a vulnerability management system
  4. Implementation of effective access control policies
  5. Regular monitoring and review of the IT infrastructure
  6. Formulating and enforcing an information security policy
What are the PCI DSS requirements?

PCI DSS comprises twelve security requirements. An organization is considered PCI DSS compliant if it meets all of the following requirements that apply to it:

  1. Installation and maintenance of network security controls (NSCs) to protect cardholder data
  2. Applying secure configurations to all system components instead of the default passwords and settings supplied by manufacturers
  3. Protection of stored cardholder data
  4. Encrypted transmission of cardholder data over open, public networks
  5. Protecting all systems and networks from malicious software, with anti-malware kept up to date
  6. Development and maintenance of secure systems and applications
  7. Restricting access to cardholder data to what is required by business need to know
  8. Identifying users and authenticating access to system components with a unique ID for each person
  9. Restricting physical access to cardholder data
  10. Logging and monitoring all access to system components and cardholder data
  11. Regular testing of the security of systems and networks
  12. Establishment of an information security policy with guidelines for employees and contractual partners
Who is required to comply with PCI DSS?
Every company that accepts credit card payments must comply with the security requirements of the credit card organizations and therefore with PCI DSS. The size of the company and the number of credit card transactions per year do not affect the obligation to comply; they only determine how compliance has to be validated (see the question on proof of compliance below).
Why do I have to comply with the proof of credit card security (PCI DSS)?
Your company offers credit card payments and must provide evidence of PCI DSS compliance. For this reason, your acquirer has contacted you to provide proof of compliance.
When do I store, process, or forward credit card data?
You store, process, or transmit credit card data as soon as full credit card numbers (primary account numbers, PANs), possibly together with expiration dates or other cardholder data, reach your IT systems, whether you keep them or only pass them on to third parties. The duration of the processing (short-term or long-term storage, processing, or forwarding) and whether the data is encrypted are irrelevant in this context. The decisive factor is the receipt of customer-specific credit card data on your IT systems. Only if your systems exclusively handle truncated (abbreviated) credit card numbers, for example the first six and last four digits, or tokens that replace the PAN, do you not need to be certified according to the PCI Data Security Standard.
How do I provide PCI DSS proof of compliance?
This depends on how your company processes credit card data and the volume of transactions you carry out. Depending on your company's classification, evidence can be provided in the form of:

– an annual onsite audit by a Qualified Security Assessor (QSA) approved by the PCI Security Standards Council, documented in a Report on Compliance (ROC) and an Attestation of Compliance (AOC), or

– an annual self-assessment questionnaire (SAQ) together with the matching Attestation of Compliance.

According to what guidelines is a merchant and/or service provider classified?
Merchants and/or service providers are classified in accordance with the requirements of the credit card organizations. A key factor in the classification is the annual transaction volume. Detailed information can be found here: MasterCard / VISA / American Express
Which credit card organizations accept certification according to the PCI Data Security Standard?
Almost all major card organizations, such as VISA, MasterCard, American Express, JCB, Discover, and UnionPay, accept certification in accordance with the PCI Data Security Standard.
What does compliant mean?
Companies that meet all PCI DSS security requirements relevant to them are PCI DSS compliant.

This means that these companies are protected by the “safe harbor rule” as long as they can demonstrate that they comply with the requirements. In the event of data theft or misuse, the company can therefore expect partial or complete exemption from fines imposed by credit card organizations or the acquirer after analysis by a forensic expert.

What are the consequences of not complying with PCI DSS?
Your company may be fined by credit card organizations or the acquirer (merchant bank). Furthermore, your company is liable if your customers' credit card data is stolen or misused.
What are the advantages of implementing PCI DSS?
The PCI DSS, with its binding rules for greater IT security, is designed to put a stop to fraud. Enhanced protection measures when processing payment card data in accordance with PCI offer you the following advantages in particular:

  • Increased data security and protection for your customers
  • Increased customer confidence and, as a result, a possible increase in credit card use and sales
  • Greater protection against financial losses and damages due to security breaches
  • Protection of the company's image
  • Assessment of the security protection of systems for storing, processing, and/or transmitting cardholder data
  • Data minimization and avoidance lead to a reduction in business risk
  • Network structuring reduces the costs of maintaining PCI compliance
How often do I have to provide PCI DSS proof of compliance?
PCI DSS compliance must be verified at least once a year. Since PCI DSS compliance verifies the current status of credit card processing in your company, it is necessary to respond to changes in credit card acceptance or payment processing outside of the specified one-year cycle by updating your PCI DSS compliance. You are obligated to maintain PCI DSS compliance at all times.
I work together with a payment service provider which has taken over all settlement tasks for me. Do I still have to be certified according to the PCI Security Standard?

If you store credit card data on your systems or forward it via your systems, you are required to be certified. If you are not sure, please ask your acquirer or our PCI Competence Center.

How can I check whether my service provider is PCI DSS compliant?
The credit card organizations MasterCard and Visa have published a list of PCI DSS-compliant service providers on the Internet at the following links:

Alternatively, you can contact the service provider directly and ask them for their PCI certificate.

Why do I also have to include credit card payments via another acquirer in my PCI DSS compliance documentation?
Proof of credit card security is provided for your own company and applies regardless of which acquirer the credit card acceptance agreement was concluded with. Accordingly, the certificate of compliance is a document that can be presented universally as proof of credit card security for the company.
Does MasterCard or VISA provide information online regarding the topic of PCI?
What is a "Customized Approach"?

Compared to the defined approach, in which the requirements must be implemented exactly as specified in the standard, the "Customized Approach" introduced with PCI DSS v4.0 brings more flexibility to the implementation of the requirements. For example, you can use existing processes and measures that are required by other norms or standards and have already been implemented in your company for your PCI DSS certification. To do this, you need to analyze the intent of a requirement together with your QSA, document your individual implementation and show how it meets the stated objective of the requirement. Note that the customized approach is only available in a QSA assessment (ROC); it cannot be used in a self-assessment questionnaire.

Self assessment questionnaire (SAQ)

Which SAQ is right for me?
Your acquirer or payment service provider will usually be able to provide you with the fastest information about the correct SAQs. The classification essentially depends on the products you use from these service providers to process payments.

Alternatively, you can use the following guidelines:

  • As a service provider, always select SAQ D-SP.
  • For merchants in e-commerce, SAQ A and A-EP apply.
  • For payments via POS terminal, merchants will find themselves in SAQ B, B-IP, or C.
  • MOTO transactions are covered for merchants via SAQ A or C-VT.

Each of the above SAQ types has specific eligibility criteria. If you do not meet these criteria (for example, because you store credit card data yourself), SAQ D is the correct choice for you.

The PCI Security Standards Council provides a selection guide in its document library (https://www.pcisecuritystandards.org/document_library/) in the document "SAQ Instructions and Guidelines" (especially page 18). In addition, our PCI Compliance Platform (pci.usd.de) has an SAQ selection wizard that you can use free of charge.

Do all questions of the Self-Assessment Questionnaire have to be answered?
Yes, all questions have to be answered or else the questionnaire will not be accepted. In general, the questions should be answered with YES or NO. In some exceptions, it is possible to answer a question with N/A (not applicable). In this case, a written reason absolutely must be provided. If you have problems understanding something or require further support, please contact our usd PCI Competence Center.
Which topics does the Self-Assessment Questionnaire include?
The Questionnaire addresses the 12 main requirements of the PCI Data Security Standard (PCI DSS).
Contact
Please contact us with any questions or queries.

Phone: +49 6102 8631-190
Email: sales@usd.de
PGP Key
S/MIME
Contact Form
Contact usd Sales

Benedikt Krümmel
Head of Sales - Security Audits