PCI DSS Frequently Asked Questions (FAQs)
1. What is the definition of "merchant" in regards to the PCI DSS?
For the purposes of the PCI DSS, a Merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a Merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers. For example, an ISP is a Merchant that accepts payment cards for monthly billing, but also is a service provider if it hosts merchants as customers.
2. I was told Level 4 Merchants do not have any PCI DSS requirements. Is that true?
No. Nothing could be further from the truth. A standard is a standard for a reason - it applies uniformly.
If you accept MasterCard, you must comply with the MasterCard Site Data Prevention (SDP) program. If you accept Visa, you must comply with the Visa Cardholder Information Security Program (CISP).
Both the MasterCard SDP and the Visa CISP require all their merchants, including those in the Level 4 category, to be compliant with the PCI DSS. Both programs also require the annual Self-Assessment Questionnaire (SAQ) to provide documentation of compliance.
3. What resources are available for me to find out more about the PCI and the PCI DSS?
The PCI DSS represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information. The standard provides an actionable framework for developing a robust data security process - including preventing, detecting and reacting to security incidents. The updated version, version 1.1, became effective with the launch of the PCI Security Standards Council. Detailed information can be found on the PCI Security Standards Council website (https://www.pcisecuritystandards.org).
4. Will Visa or MasterCard (or any other member of the PCI) really try to enforce the PCI DSS on small businesses?
Yes. The members of the PCI Security Standards Council are no longer willing to absorb the financial losses that result from the poor security of their merchants. The PCI is forcing all Merchants to become PCI DSS compliant or they will be held liable for losses, regardless of the size of the Merchant.
Under the PCI DSS, a business or organization must be able to assure its customers that their credit card data/account information and transaction information is safe from hackers or any malicious system intrusion. The PCI Security Standards Council is not a policing organization. It neither enforces the PCI DSS, nor determines the appropriate remediation for violations of the PCI DSS.
Enforcement is left to the specific credit card companies and acquirers. PCI DSS does not replace the individual credit card company's compliance programs. Each credit card company separately determines who must be compliant, including any brand-specific enforcement programs. It is Visa, MasterCard, American Express, Discover, and JCB, along with issuing banks, that will seek legal remedy against merchants for failing to meet the PCI DSS, along with their own standards. They will impose fines and lawsuits to recoup losses from fraudulent charges and from having to reissue member cards.
5. What if I don't know how to implement the Written Information Security Program (WISP) once I purchase it?
The actual process involves several steps, which will most likely require your IT provider's assistance:
- Purchase the WISP
- Publish the WISP for all employees - share it on a shared folder or print out a copy.
- Ensure every user signs off on the "User Acknowledgement Form" and file that form in the user's personnel file.
- Work with your current IT provider to implement all policies, procedures, standards, and guidelines as documented in the WISP.
- Conduct an annual PCI Self-Assessment Questionnaire (SAQ) (https://www.pcisecuritystandards.org) and ensure your organization has met all 12 requirements of the PCI DSS.
6. I have an "acceptable use" policy already for my employees. Does that cover the PCI DSS requirements for a Written Information Security Program (WISP)?
No. The PCI DSS is a very thorough set of requirements. An "acceptable use" policy might keep users from using workplace computers to surf pornographic websites, but it has no effect on other critical aspects of Information Security. A Written Information Security Program (WISP) covers over 35 unique Information Security topics, which, when combined, create a comprehensive set of policies, procedures, standards, and guidelines to allow an organization to become PCI DSS compliant.