PCI Compliance FAQs

Is your business PCI Compliant? If not, you might be at a higher risk for security breaches and/or subject to fines.

What is PCI DSS Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) encompasses a set of requirements established to ensure that all businesses that process, store, or transmit credit card information maintain a secure transaction environment.

Why is PCI DSS Compliance important?

PCI DSS compliance protects both the business and its customers. Businesses that are not PCI DSS compliant are at greater risk for security breaches and are subject to heavy penalties.

Which credit cards are covered by PCI DSS Compliance?

Credit cards covered include any debit, credit, or prepaid cards branded with the association or brand logos of the five major payment card brands: Visa, MasterCard, American Express, Discover, and JCB International.

What are the PCI Compliance Levels?

Businesses are assigned to a level based on their combined transaction volume, including credit, debit, and prepaid cards over a 12-month period.

The four levels (from fewest to most transactions) and their requirements are:

• Level 4: Small businesses that process less than 20,000 eCommerce transactions and less than 1 million other transactions annually. Level 4 businesses must complete an annual risk assessment using the appropriate PCI Self-Assessment Questionnaire (SAQ). Quarterly PCI scans, administered by an approved scanning vendor, may also be required.
  
  
• Level 3: Mid-sized businesses — those with between 20,000 and 1 million transactions annually fall into this level. Level 3 businesses must complete an annual risk assessment using the appropriate PCI Self-Assessment Questionnaire (SAQ). Quarterly PCI scans may also be required.
  
  
• Level 2: Level 2 businesses conduct between 1 million and 6 million transactions yearly. Level 2 businesses must complete an annual risk assessment using the appropriate PCI Self-Assessment Questionnaire (SAQ). Quarterly PCI scans may also be required.
  
  
• Level 1: “Big box” stores and major corporations are Level 1 companies, which are defined as having a minimum of 6 million transactions per year. In addition to an annual internal audit conducted by a qualified PCI auditor, Level 1 companies may also be required to undergo quarterly PCI scans.

What is PCI Self-Assessment Questionnaire (SAQ)?

The PCI Self-Assessment Questionnaire is a validation tool intended to assist businesses in self-evaluating their PCI DSS compliance.

How often does a business need to complete the SAQ?

All businesses must complete an annual SAQ. PCI email notifications come from support@pciapply.com,  and should include "PCI Compliance" or "Scan Reminder" in the subject line. The email will provide a link to the compliance website.

What is a PCI Scan?

A quarterly test of system components, processes, and custom software to ensure security controls.

Is multi-factor authentication required to access cardholder data?

Yes, MFA is now explicitly required for all access into the cardholder data environment, not only administrative access.

How will a business know if it needs to complete a quarterly PCI scan?

Enhanced requirements for vulnerability scans and change management now include more frequent or granular documentation, monitoring, and, in some cases, automated real-time detection and alerting. PCI email notifications will come from support@pciapply.com, and should have "PCI Compliance" or "Scan Reminder" in the subject. The email will provide a link to the scan dashboard.

💬 If you have any questions regarding PCI compliance or your compliance status, contact the compliance support team at 833.507.7928 or support@pciapply.com.

Visit pciapply.com/compliance101 to log in to the PCI system.