PCI Compliance Common Questions and Answers

What is PCI DSS compliance? Which companies must comply with PCI DSS rules?

The Payment Card Industry Data Security Standard (PCI DSS) was created to increase controls around cardholder data to reduce credit card fraud. PCI DSS controls apply to all entities that store, process, or transmit cardholder data and cover both technical and operational system components. Any organization that accepts or processes payment cards must comply with the PCI DSS. Failure to meet the PCI DSS requirements may result in sizable fines or termination of credit card processing privileges.


Who administers the PCI DSS?

The Payment Card Industry Security Standards Council administers the PCI DSS. The council's founding members (American Express, Discover Financial Services, JCB International, MasterCard, and Visa) incorporate the PCI DSS as part of the technical requirements for each of their data security compliance programs.

The council maintains, evolves, and promotes the security standards. It also provides tools for implementing the standards such as assessment and scanning qualifications, self-assessment questionnaires, training and education, and product certification programs.


What is covered by the requirements for PCI DSS compliance?

PCI DSS compliance controls consist of six goals and 12 requirements.

Goals and requirements

Build and maintain a secure network.
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.

Maintain a vulnerability management program.
  5. Protect all systems against malware and regularly update antivirus software or programs.
  6. Develop and maintain secure systems and applications.

Implement strong access control measures.
  7. Restrict access to cardholder data by business need to know.
  8. Identify and authenticate access to system components.
  9. Restrict physical access to cardholder data.

Regularly monitor and test networks.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.

Maintain an information security policy.
  12. Maintain a policy that addresses information security for all personnel.


Is the PCI DSS the same for all sizes of business?

All businesses that accept and process payment cards must comply with PCI DSS controls. Merchants are grouped into four levels based on the volume of card transactions they process per year, with PCI Compliance Level 1 being the most stringent.

PCI Compliance Level 1

  • Merchants that process more than 6 million Visa or Mastercard transactions per year, including in-store, online, or a mixture of both
  • Any merchant that Visa determines should be a Level 1 merchant to minimize risks to the Visa system

PCI Compliance Level 2

  • Merchants that process 1 million to 6 million Visa transactions per year (regardless of the processing channel, e.g., in-store, online, etc.)

PCI Compliance Level 3

  • Any merchant that processes 20,000 to 1 million Visa e-commerce transactions per year

PCI Compliance Level 4

  • Any merchant that processes fewer than 20,000 Visa e-commerce transactions per year
  • Any merchant that processes up to 1 million Visa transactions per year (regardless of the processing channel, e.g., in-store, online, etc.)


Who decides if an organization is in compliance with the PCI DSS?

Compliance is validated annually, either by an external Qualified Security Assessor (QSA) company, by an Internal Security Assessor (ISA), or, for companies handling smaller volumes, through a Self-Assessment Questionnaire (SAQ). For Level 1 merchants undergoing an audit by a QSA, the 190-page PCI DSS Report on Compliance includes detailed questions on the business and its hosting environment, storage, and the processes used to monitor and test the organization's systems.


Can an organization work with a third party to assist with PCI DSS compliance?

An organization seeking PCI DSS compliance can integrate with a third-party agent such as Very Good Security (VGS), which has been audited by an independent QSA company and is certified as a PCI Compliance Level 1 service provider as well as a Visa service provider.


How long does PCI DSS compliance take?

For organizations anticipating a high volume of transactions, reaching Level 1 compliance can take six to 12 months or longer, on top of recurring annual maintenance and audits. The process usually involves dedicating full-time resources to build and maintain a secure network, protect data, maintain a vulnerability management program, implement strong access control, monitor and test networks, and enforce an information security policy. Integrating with a third party such as Very Good Security can cut that time significantly. PCI Compliance Level 2 can be reached immediately upon integration with Very Good Security, and PCI Compliance Level 1 certification can come within three weeks.


Once a business receives PCI DSS compliance, does it need to be reviewed again?

PCI DSS compliance is not a one-time certification: it requires an annual review, along with regular testing of systems, ongoing training and updates for personnel, and timely updates of antivirus software.
