Your most common questions about the payment security standard, answered.
By David Ellis, GCIH, QSA, PFI, CISSP
What is PCI compliance?![]()
The Payment Card Industry Data Security Standard (PCI DSS) was established in 2006 by the major card brands (Visa, MasterCard, American Express, Discover Financial Services, JCB International). 
All businesses that process, store, or transmit payment card data are required to implement the standard to prevent cardholder data theft. Your card-handling practices and processing environment determine which PCI DSS requirements apply to your business.
What is PCI validation?
The Payment Card Industry Security Standards Council mandates that all merchants comply with PCI standards. Annual validation (or proof) of that is mandated by some merchant processors and is a way of documenting your compliance. Validation requirements vary based upon annual payment card transactions and may require a self-assessment or independent onsite audit.Who is required to become PCI compliant?
All businesses that process, store or transmit payment card information are required to comply with the PCI DSS.Why haven't I heard of PCI compliance until now?
PCI compliance was first mandated in 2006. The Payment Card Industry Security Standards Council, the card brands, and your merchant processor are doing their best to make sure all merchants are aware of the standards.Is PCI compliance a federal law?
No, the government does not regulate PCI*; however, by signing the payment card contract confirming your desire to accept credit and debit cards at your business, you agreed to follow card brand rules. If you wish to safely accept Visa, MasterCard, JCB, American Express, and Discover, you must comply with PCI DSS.*Note: Some states, such as Nevada, now require PCI DSS compliance.
When is the deadline to become PCI compliant?
For most merchants the deadline for compliance has already passed. Contact your merchant processor to receive details on your merchant account. The sooner you become compliant, the less likely you are to be hacked.What happens if I don't become PCI compliant?
If you are not PCI compliant, you are more vulnerable to data compromise, and may also be fined by your merchant processor and/or the card brands for not validating PCI compliance.What if I only process a few cards a year? Do I still need to be PCI compliant?
Yes. Even if you only process one transaction per year, you must implement the PCI DSS in your processing environment.What is required to become PCI compliant?
Typical steps for merchants to become PCI DSS compliant include, but are not limited to:- Determine your validation type
- Address all requirements found in your Self-Assessment Questionnaire (SAQ) (e.g., external vulnerability scans, penetration tests, employee training, etc.)
- Attest to your compliance annually
- Complete and report quarterly results of all scans performed by an Approved Scanning Vendor (ASV)
Which SAQ am I supposed to complete?
Ultimately, you must choose the SAQ that’s right for your processing environment, but generally speaking:- SAQ A is for merchants that use a third party service provider to handle their card information
- SAQ B is for merchants that use a phone line terminal and are not connected to the Internet in any way
- SAQ CVT is for merchants that use a virtual terminal on one computer solely used for card processing
- SAQ C is for any merchant connected to the Internet
- SAQ D is for merchants that store credit card data electronically
- SAQ P2PE-HW is for merchants using approved point-to-point encryption (P2PE) devices
What is a PCI compliance certificate?
Some QSA/ASV companies provide certificates confirming that an organization is PCI DSS compliant. An actual compliance certificate is not mandatory, and you don’t necessarily need a certificate to be PCI compliant.Am I PCI compliant if my site has an SSL certificate?
Unfortunately, no. An SSL certificates is an important element in a secure website, but alone do not meet PCI DSS requirements.Do I need to be PCI compliant if I don't use a computer to process credit cards?
Yes. PCI compliance doesn't require a connection to the Internet, or even a computer system. PCI compliance is determined by the way you store, handle, or process credit card information, whether the card information is in a locked filing cabinet, or on the computer.Who enforces PCI compliance?
The Payment Card Industry Standards Security Council was formed in 2006 by the major card brands (Visa, MasterCard, American Express, Discover Financial Services, JCB International) to regulate and enforce PCI DSS compliance. Generally speaking, your merchant bank enforces PCI DSS compliance.
What is SecurityMetrics' role in PCI compliance?
SecurityMetrics assists merchants in validating compliance and implementing the Payment Card Industry Data Security Standard. SecurityMetrics is an Approved Scanning Vendor and is certified to perform PCI scans, onsite PCI audits, payment application software audits, point of sale terminal security audits, penetration tests, and forensic analysis to assess card data compromises. You may validate our PCI certifications directly at the Payment Card Industry's website.My SecurityMetrics account has just been created, what now?
You should log in to your account and begin the process of becoming PCI compliant. This means going through each section of the SAQ and ensuring compliance with all the requirements.What should I do if I think my business has been compromised?
Disconnect your system from the Internet, call your merchant processor, andcall a forensic investigator. PCI forensic investigators help you find and fix the security holes in your processing environment. They help you identify how and when attackers breached your systems, determine if card data was compromised, and document for the card brands your efforts to remediate the vulnerabilities that lead to the data breach.If you have any further questions about PCI, contact our PCI gurus.
David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience.