Frequently Asked Questions
The Payment Card Industry Data Security Standard (PCI DSS) is the compliance standard that applies to all organizations that process, store, or transmit payment card data.
Regardless of size, all organizations that process, store, or transmit payment card data must comply with the PCI DSS.
The PCI Security Standards Council defines cardholder data as the full Primary Account Number, typically with the cardholder name, expiration date, and service code.
A Merchant is any entity that accepts payment cards branded with the five major card brands (American Express, Discover, JCB, MasterCard or Visa) as payment for goods or services.
A Service Provider is any entity that stores, processes, or transmits cardholder data on behalf of another entity.
A payment application is any software that is designed to handle payment card data. Anything from a Point of Sale (POS) system to a website’s e-commerce shopping cart are payment applications.
A payment gateway links the merchant to the bank or processor so that online payment card transactions are automated. Payment gateways route inputs from many different applications to the appropriate bank or processor.
Your PCI compliance level depends on your company’s annual transaction volume. For example, Visa will assign a merchant as a Level 1 if there are over 6 million Visa transactions per year. Level 2 is assigned when the number of transactions are between 1 million to 6 million. Level 3 is assigned when the number of transactions are between 20,000 to 1 million. Level 4 is any merchant processing up to 20,000 Visa e-commerce transactions annually.
All debit, credit, and pre-paid cards that are issued by any of the five major card brands are in scope for PCI. The five major card brands are: American Express, Discover, JCB, MasterCard, and Visa.
Payment card brands may fine an acquiring bank up to $100,000 per month which will most likely be passed down to the merchant. It is wise for merchants to thoroughly read the merchant account agreement as financial penalties can be significant. In addition to fines, other consequences include card replacement costs, costly post-breach audits, and a tarnished reputation which could devastate a business.
Encryption does not render the environment out of scope for PCI DSS. The environment is still in scope for PCI DSS because cardholder data is present.
The location of a Point of Sale back office server that is part of a cardholder environment would be considered a sensitive area and would need to be secured. Based on the type of location, this could mean putting the back office server in the manager’s office and locking the door to the office when the manager is not there.
Yes. All organizations that process, store, or transmit payment card data must comply with the PCI DSS.
Yes. Using a third-party processor may reduce the scope of your PCI compliance efforts, but you are still required to comply with PCI DSS.
Penetration testing pricing varies according to the overall scope which includes the number of IP addresses & applications to be tested. For pricing specific to your project, please reach out to us via the Contact Us Form on our website or at email@example.com.
Social engineering is a non-technical way of gaining sensitive company info or installing malware by manipulating employees into breaking company procedures. Read more about various social engineering techniques in our article here.
A vulnerability scan uses automated tools to check for vulnerabilities in a merchant’s or service provider’s systems. The scan is non-intrusive and is done remotely based on external-facing IP addresses provided by the merchant or service provider. Approved Scanning Vendors (ASVs) must conduct the scans in order to validate compliance with PCI.
A penetration test is an intrusive attack done by a security expert on a company’s network in order to find exploitable security flaws. The test shows how deep into the network an ethical hacker can penetrate, giving the company valuable insight about the true security posture of the company. An internal penetration test is conducted from within the facility trying to gain unauthorized access, while an external penetration test is conducted outside the network trying to come in.
Black Box and Grey Box testing are types of penetration tests. Black Box testing is conducted with no network information beyond the number of Internet accessible servers. IP-address ranges will be discovered and confirmed during testing. Grey Box testing is conducted with IP-address ranges provided by the customer prior to testing.
A vulnerability scan is non-intrusive and uses automated tools to find vulnerabilities in a network. A penetration test is an intrusive attack done by a security expert to exploit vulnerabilities in a network.
PCI DSS requires that vulnerability scans be done at least once a quarter and penetration testing be done at least once a year. More frequent scans or tests may be required if significant changes occur, such as infrastructure or application upgrades or new system component installations.
Not necessarily. By receiving a survey, you have been included in a pool of eligible healthcare organizations or business associates that the OCR can randomly pick from to conduct HIPAA audits. It’s a great time to ensure policies and procedures are in place and to seek a security risk assessment so that you find and address any gaps that a HIPAA audit would reveal.
The target completion date for PCI DSS v4.0 is Q4 2021. The target publication date and availability will be determined after completion of a June 2021 RFC.
VoIP traffic containing payment card data is considered in-scope for certain PCI DSS controls. This is similar to other IP network traffic that contains payment card data.
The PCI DSS does not specify which TLS versions must be used. However, the standard does not consider early TLS or SSL to be strong cryptography as defined in the PCI DSS Glossary of Terms.
Truncation (permanent removal of data so that the complete PAN is unreadable) applies to PANs that are electronically stored in files, databases, etc. The current acceptable PAN truncation format for all Payment Brands is “first 6, last 4” which allows retention of a maximum of the first 6 and the last 4 digits of the PAN. Entities seeking flexibility beyond this current acceptable format must consider specific PAN lengths acceptable to each of the Payment Brands.
American Express: AmericanExpressCompliance@trustwave.com
Visa – Canada, USA, LAC: firstname.lastname@example.org
Visa – Europe: email@example.com
Visa – Asia Pacific: firstname.lastname@example.org
The “Date of Report” is the completion date of the ROC and must not be earlier than when the QSA completed collection and validation of evidence to support the findings documented in the ROC.
No. All requirements must be tested and found to be “In Place” or of an equivalent status for the PCI 3DS Attestation of Compliance to yield a “Compliant” result.
SSL and early TLS are widely used encryption protocols that have been in use for over 20 years. SSL/TLS encrypts a channel between two connections to ensure data reliability and privacy of the transmission. Several vulnerabilities have been found in these protocols that may allow attackers to extract data from these connections. With no known fixes to SSL, the PCI Council issued the updated PCI DSS 3.1 and PA-DSS 3.1 that removed SSL and early TLS as examples of strong cryptography. Read more in our White Paper.
Yes. Regardless of size, all merchants are affected by issues with SSL/early TLS. It is essential that you remove SSL/early TLS from your cardholder data environment to protect your customer data. Work with a security expert now to plan and execute your migration to a secure alternative.
No. An EMVCo Letter of Approval (LOA) is not required for a PCI 3DS Assessment to take place. However, the entity seeking the assessment must document the reason(s) that an associated LOA is absent.
Yes. Third-party outsourcing of the hosting and management of the HSM infrastructure is possible. The 3DS entity must coordinate with the service provider to confirm which requirements are covered by the service provider and which requirements are covered by the 3DS entity. Ultimately, the 3DS entity must ensure that all applicable requirements regarding the HSM infrastructure are met.
No. The TR-39 Audit is obsolete and has been replaced by the PCI PIN Audit. The PCI PIN Audit is the result of a collaboration effort between ASC X9 (TR-39’s governing body) and the PCI Council where TR-39 was combined with the PCI PIN Security Standard.
Connect with Dara Security
Thank you for your interest in Dara Security. We look forward to helping you secure your data and achieve compliance.