PCI Security Standards Council®

Protect your business. Secure your payment data.

With a strong data security foundation you can protect your customer payment data and prevent data breaches that can put you out of business.

A strong data security foundation starts with people, process and technology.
Learn more about PCI resources and tools that can help you secure payment data.
PEOPLE
Hire qualified and trusted partners and train your staff to understand payment data security essentials.
Learn more about training and qualified security professionals
PROCESS
Put the right policies and practices in place to make payment security a priority every day.
Learn more about the PCI Data Security Standard (PCI DSS)
TECHNOLOGY
Make sure you are using the right technology and implementing it correctly to get the best security and business benefits.
Learn more about secure technology

Threat Center

Data breaches can be prevented. Learn how to defend against threats and attacks that can put your business at risk.
MALWARE
Criminals use malicious software to infiltrate a computer system and steal payment data. Ransomware is the fastest growing malware threat.
Malware Resources
PHISHING
Phishing emails are a common delivery vehicle for malware. These emails look legitimate, such as an invoice or electronic fax, but they include malicious links and/or attachments that can infect your computer and system.
Phishing Resources
REMOTE ACCESS
Criminals can gain access to your systems that store, process, or transmit payment data through weak remote access controls. Remote access may be used by your payment terminal vendors, for example, to provide support to your terminal or to provide a software update.
Remote Access Resources
WEAK PASSWORDS
More than 80% of data breaches involve stolen and/or weak passwords.
*Verizon 2017 DBIR
Password Resources
OUTDATED SOFTWARE
Criminals look for outdated software to exploit flaws in unpatched systems.
Patching Resources
SKIMMING
Criminals attach small hardware "skimming devices" to card readers which can sweep customer payment data when they use payment cards at your store. Criminals use the stolen data to create counterfeit cards and make illegal purchases.
Skimming Resources

Resources For Small Merchants

Frequently Asked Questions
What is the PCI DSS?
The PCI Data Security Standard (PCI DSS) applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational practices for system components included in or connected to environments with cardholder data. If you accept or process payment cards, PCI DSS applies to you.
Who has to comply with the PCI Standards?

Each of PCI SSC’s founding payment brand members (American Express, Discover, JCB International, MasterCard and Visa) currently have their own PCI compliance programs for the protection of their affiliated payment card account data. Entities should contact the payment brands directly for information about their compliance programs. Contact details for the payment brands can be found in How do I contact the payment card brands?

Questions regarding compliance requirements for payment card account data affiliated with other payment networks or brands should be referred to the applicable payment network or brand.

PCI SSC also encourages entities to be aware of potential nuances in local laws and regulations that could affect applicability of the PCI standards.

How does encrypted cardholder data impact PCI DSS scope?

Use of encryption in a merchant environment does not remove the need for PCI DSS in that environment. The merchant environment is still in scope for PCI DSS due to the presence of cardholder data. For example, in a card-present environment, merchants have physical access to the payment cards in order to complete a transaction and may also have paper reports or receipts with cardholder data. Similarly, in card-not-present environments, such as mail-order or telephone-order, payment card details are provided via channels that need to be evaluated and protected according to PCI DSS.

Encryption of cardholder data with strong cryptography is an acceptable method of rendering the data unreadable in order to meet PCI DSS Requirement 3.4.  However, encryption alone may not be sufficient to render the cardholder data out of scope for PCI DSS.

The following are each in scope for PCI DSS:

  • Systems performing encryption and/or decryption of cardholder data, and systems performing key management functions
  • Encrypted cardholder data that is not isolated from the encryption and decryption and key management processes
  • Encrypted cardholder data that is present on a system or media that also contains the decryption key
  • Encrypted cardholder data that is present in the same environment as the decryption key
  • Encrypted cardholder data that is accessible to an entity that also has access to the decryption key

Where a third party receives and/or stores only data encrypted by another entity, and where they do not have the ability to decrypt the data, the third party may be able to consider the encrypted data out of scope if certain conditions are met. For further guidance, refer to FAQ 1233: How does encrypted cardholder data impact PCI DSS scope for third-party service providers?

Additionally, for information about how a merchant may receive scope reduction through use of a validated P2PE solution, please see the FAQ 1158: What effect does the use of a PCI-listed P2PE solution have on a merchant’s PCI DSS validation?

What is the PCI DSS Self-Assessment Questionnaire?

The PCI DSS Self-Assessment Questionnaires (SAQs) are validation tools for merchants and service providers that are eligible to evaluate and report their PCI DSS compliance via self-assessment. There are a number of different SAQs available that are intended to meet the needs of particular types of environments.

Each SAQ contains a “Before you Begin” section, which outlines the type of environment that the SAQ is intended for. All the eligibility criteria for a particular SAQ must be met in order to use that SAQ.

Additional guidance is also provided in the PCI DSS Self-Assessment Questionnaire Instructions and Guidelines document in the Document Library.

Merchants should also consult with their acquirer (merchant bank) or payment brand to determine if they are eligible or required to submit an SAQ, and if so, which SAQ is appropriate for their environment.

Do small merchants with limited transaction volumes need to comply with PCI DSS?

PCI DSS is intended for all entities involved in payment processing, including merchants, regardless of their size or transaction volume. When compared with larger merchants, small merchants often have simpler environments, with limited amounts of cardholder data and fewer systems that need protecting, which can help reduce their PCI DSS compliance effort.  

Whether a small merchant is required to validate compliance is determined by the individual payment brands. For questions regarding compliance validation and reporting requirements, merchants should contact their acquirer (merchant bank) or the payment brand they do business with, as applicable.

More FAQs

Useful Resources
PCI Perspectives Blog