This page contains a comprehensive FAQ for all parties interested in exploring the current PCI (Payment Card Industry) requirements. It includes a section on The PCI Security Standards Council, whose mission is to enhance payment account data security by fostering broad adoption of the PCI Security Standards. Please click on the appropriate link of interest below to take you directly to that section of the FAQ.
The PCI Security Standards Council
PCI Data Security Standard
Merchant/Processor/POS Providers

The PCI Security Standards Council:
- What is the mission of the PCI Security Standards Council?
- How was the PCI Data Security Standard managed in the past? What value does the PCI Security Standards Council bring to the table?
- Who are the founders of the PCI Security Standards Council?
- Are there any plans to expand membership beyond just the payment industry?
- What is the role of the Advisory Board?
- Who will be on the Advisory Board and when?
- What are the requirements to participate as a member of the PCI Security Standards Council?
- What is the scope of the PCI Security Standards Council's activities?
- What is the PCI Security Standards Council's organizational structure and how is it staffed and funded?
- Where is the PCI Security Standards Council located?
- In what way will the formation of the PCI Security Standards Council make stored account data more secure?
- Will the PCI Security Standards Council provide information on breaches/status of investigations/PCI DSS compliance status?
- Will the PCI Security Standards Council enforce compliance?

PCI Data Security Standard:
- What is the Payment Card Industry (PCI) Data Security Standard (DSS)?
- What areas are covered by the PCI Data Security Standard?
- How frequently will the PCI Security Standards Council update the PCI Data Security Standard?
- When will the new version of the PCI Data Security Standard (version 1.1) become effective?
- How has the PCI Data Security Standard changed (January 2005 version to version 1.1)?
- With the standard changing, how can a merchant or processor hope to maintain its compliance?
- What are the requirements that have to be satisfied to be in compliance with the PCI Data Security Standard?
- Where can I get details of these requirements?

Merchant/Processor/POS Providers:
- Now that the PCI Security Standards Council has been formed, what is the status of the existing reports of compliance (ROCs) that I currently have on file with the individual payment brands?
- Will business entities (merchants, processors, POS providers) submit their reports of compliance (ROCs) to the PCI Security Standards Council for distribution to all the payment brands?
- What are the requirements that have to be satisfied to be in compliance with the PCI Data Security Standard?
- Where can I get more information about the exact requirements needed to be PCI DSS compliant?
- How frequently will the PCI Security Standards Council update the PCI Data Security Standard?
- When will the new version of the PCI Data Security Standard (version 1.1) become effective?
- How has the PCI Data Security Standard changed (January 2005 version to version 1.1)?
- If I am already PCI DSS compliant based on the January 2005 version of the PCI Data Security Standard and have initiated the re-certification process, what impact will version 1.1 have?
- What is the impact of the formation of the PCI Security Standards Council on the current evaluation and approval processes for onsite audit and scan reports?
- Will the PCI Security Standards Council list compliant service providers and/or merchants on its Web site?
- Will the PCI Security Standards Council approve and list vendors for participation in forensics investigations?
- Will the PCI Security Standards Council be involved in performing forensics investigations as a result of an account data compromise event?
- In case of a suspected breach, should the PCI Security Standards Council be contacted directly?
- If I am deemed compliant with the PCI DSS today by MasterCard and/or Visa, will the other brands in the PCI Security Standards Council recognize this designation of compliance and if so, what information must be put forth to achieve such recognition?
- If I am currently in the process of becoming compliant with the January 2005 version of the PCI DSS (QSAs have already issued a ROC or ASVs have provided scanning results and remediation efforts are underway), what standard now applies with the release of version 1.1 of the PCI DSS?
- Will the PCI Security Standards Council "approve" my organization's implementation of compensating controls in my effort to comply with the PCI DSS?
- My organization has compliance responsibilities for many regulatory requirements from many regulatory agencies (SOX, GLB, FFIEC, etc.); what is the incentive for my organization to be compliant with the PCI DSS?
- What are the consequences to my business if I do not comply with the PCI DSS?
- How do I determine whether my business would be required to do a full independent assessment or a self assessment?
- Once my business has been determined to be compliant by a QSA, would I or the QSA need to communicate this fact to the PCI Security Standards Council?
- If my business was deemed compliant but my system was still breached and payment account data compromised after the fact, what liability would my business incur?
- With the standard changing, how can a merchant or processor hope to maintain its compliance?
- How long does a merchant have to become compliant with PCI DSS version 1.1?
- Can an entity be fined if it is compliant with the original PCI DSS but not version 1.1?
- Are there any plans to make compliance easier for small to medium sized merchants?
The PCI Security Standards Council:
What is the mission of the PCI Security Standards Council?
The mission of the PCI Security Standards Council is to enhance
payment account security by fostering broad adoption of the PCI
Security Standards (see PCI DSS Questions and Answers below).
How was the PCI Data Security Standard managed in the past? What value does the PCI Security Standards Council bring to the table?
The scope of the PCI Security Standards Council includes a range
of activities (excluding compliance) that in the past were either
managed individually by specific payment brands or were managed
informally by a group of payment brands. Going forward, these defined
activities will be managed through a formalized standards body that
will manage the ongoing evolution of PCI Security Standards. The
organization will look to solicit active participation from all
payment processing stakeholders (merchants, financial institutions,
processors).
Who are the founders of the PCI Security Standards Council?
Founders of the PCI Security Standards Council are American Express,
Discover Financial Services, JCB, MasterCard Worldwide and Visa
International.
Are there any plans to expand membership beyond just the payment industry?
Ensuring the security of payments is of paramount importance to
all stakeholders, not just the payment brands. Therefore, merchants,
payment device and services vendors, processors and financial institutions
are encouraged to join the PCI Security Standards Council as Participating
Organizations. Participating organizations will be able to recommend
changes, provide input on future initiatives, nominate representatives
for election to the PCI Security Standards Council Advisory Board,
and have access to and ability to comment on drafts of potential
changes to security standards in advance, as well as influence the
direction of the organization overall.
What is the role of the Advisory Board?
The role of the Advisory Board will be to provide strategic and
technical guidance to the PCI Security Standards Council, reflecting
different stakeholder perspectives. The Advisory Board does not
have any direct authority regarding changing standards, but its
input will be critical to the ongoing enhancement of PCI security
standards.
Who will be on the Advisory Board and when?
The PCI Security Standards Council Board of Advisors will include
organizations from among the Council's Participating Organizations.
One third of the Advisory Board members will be appointed by the
Council's Executive Committee, which is comprised of representatives
from the founding payment brands. The remaining two thirds will
be elected to serve on the Advisory Board from within the ranks
of Participating Organizations.
What are the requirements to participate as a member of the PCI Security Standards Council?
Members will be required to be multinational acceptance marks with
an ongoing commitment through programs and practices to PCI Security
Standards. Other payment industry stakeholders, such as merchants,
banks, processors and POS vendors, can support the PCI Security
Standards Council as Participating Organizations; see Question &
Answer above.
What is the scope of the PCI Security Standards Council's activities?
- Develop and manage the PCI Data Security Standard, including
maintenance, clarification and revisions of the Standard;
- Establish and maintain industry-level approval processes for
qualified security assessors and network scanning vendors, and
routinely evaluate and approve qualified assessors and vendors;
- Publish and distribute the PCI Data Security Standard, including
errata and addenda, and all related documents associated with
QSA and ASV policies and procedures; and
- Provide an open forum where all key stakeholders can provide
input into the ongoing development of other payment security standards
and business practices.
What is the PCI Security Standards Council's organizational structure and how is it staffed and funded?
The PCI Security Standards Council was funded by initial contributions
by the participating payment brands and will be funded in the long
term through ongoing business operations, including QSA and ASV
approval programs. The organization consists of an Executive Committee,
a global Advisory Board to provide strategic and technical guidance,
a Management Committee to run business operations, a Technical Working
Group to evolve the PCI Data Security Standard, and a Marketing
Working Group for ongoing marketing activities. A General Manager
will oversee day-to-day operations.
Where is the PCI Security Standards Council located?
The address for the PCI Security Standards Council is:
PCI Security Standards Council, LLC
401 Edgewater Place, Suite 600
Wakefield, MA 01880
In what way will the formation of the PCI Security Standards Council make stored account data more secure?
Security of payment account data is the responsibility of every
business that participates in payment processing. A single industry-level
data security standard supported by the members of the PCI Security
Standards Council eliminates competing and overlapping brand-specific
requirements, thereby simplifying compliance for businesses that
store payment account data.
Will the PCI Security Standards Council provide information on breaches/status of investigations/PCI DSS compliance status?
The PCI Security Standards Council will receive feedback from participating
brands and advisory groups regarding emerging threats and forensics
trends determined from reviewing information from current and future
investigations. The PCI Security Standards Council, however, will
not be an active participant in any current or new direct investigations,
as this remains the role of the individual payment brands in conjunction
with law enforcement.
Will the PCI Security Standards Council enforce compliance?
No, the PCI Security Standards Council will not be replacing the
individual brands' compliance programs. The individual participating
payment brands will separately determine what entities must be compliant,
including any brand-specific enforcement programs.
PCI Data Security Standard:
What is the Payment Card Industry (PCI) Data Security Standard (DSS)?
The PCI Data Security Standard represents a common set of industry
tools and measurements to help ensure the safe handling of sensitive
information. Initially created by aligning Visa's Account Information
Security (AIS)/Cardholder Information Security (CISP) programs with
MasterCard's Site Data Protection (SDP) program, the standard provides
an actionable framework for developing a robust account data security
process - including preventing, detecting and reacting to security
incidents.
The updated version, version 1.1, developed by the founding members
of the PCI Security Standards Council, became effective with the
launch of the PCI Security Standards Council - see Question
& Answer below.
What areas are covered by the PCI Data Security Standard?
The PCI DSS covers these areas:
Technical Foundation/Requirements: The standard details technical
requirements for the secure storage, processing and transmission
of cardholder data.
Testing Methodologies: The standard provides for common auditing
procedures and scanning procedures, and a common security Self-Assessment
Questionnaire will soon be released.
How frequently will the PCI Security Standards Council update the PCI Data Security Standard?
The PCI Security Standards Council will regularly monitor and evaluate
industry trends and emerging threats to determine future content
and timing of subsequent releases. Updates will also take into account
input and advice from Participating Organizations and the Advisory
Board. It is expected that updates will occur no more often than
once per year.
When will the new version of the PCI Data Security Standard (version 1.1) become effective?
Version 1.1 of the PCI Data Security Standard became effective with
the launch of the PCI Security Standards Council. Some of the more
complex individual requirements contained in the new version of
the standard have built-in lead time for implementation.
How has the PCI Data Security Standard changed (January 2005 version to version 1.1)?
The focus of the 1.1 revision has been to address questions about
how to implement the standard. The standard has been updated to
provide clarification to certain requirements and to give flexibility
for compensating controls for complex requirements such as data
encryption. These updates are designed to acknowledge partner and
customer feedback, along with technical compliance constraints,
and foster rapid adoption, while maintaining the robustness of the
security measures in the January 2005 version. Additional requirements
have been added to address emerging threats related to application
security.
The Council has compiled a Summary of Changes describing the significant
differences between the two DSS versions; to read this document, click here.
With the standard changing, how can a merchant or processor hope to maintain its compliance?
The PCI Security Standards Council does not anticipate that changes
to the PCI DSS will occur any more frequently than on an annual
basis. Where necessary, new requirements may be phased in with future
effective dates to ensure that the necessary time frames for compliance
can be achieved.
What are the requirements that have to be satisfied to be in compliance with the PCI Data Security Standard?
The PCI Data Security Standard is a multifaceted security standard
that includes requirements for security management, policies, procedures,
network architecture, software design and other critical protective
measures.
The PCI Data Security Standard is comprised of 12 general requirements
designed to:
- Build and maintain a secure network;
- Protect cardholder data;
- Ensure the maintenance of vulnerability management programs;
- Implement strong access control measures;
- Regularly monitor and test networks; and
- Ensure the maintenance of information security policies.
Where can I get details of these requirements?
The PCI DSS version 1.1 and all supporting documentation can be found here.
Merchant/Processor/POS Providers:
Now that the PCI Security Standards Council has been formed, what is the status of the existing reports of compliance (ROCs) that I currently have on file with the individual payment brands?
ROCs that are considered current will remain in effect until such
time as renewal is required. To be considered for approval by additional
payment brands, you should submit your QSA-provided recommendation
of compliance to the individual payment brands directly. Any additional
information needed by a particular brand, including the ROC itself,
will be at the discretion of each brand based upon its existing
policies and procedures.
Will business entities (merchants, processors, POS providers) submit their reports of compliance (ROCs) to the PCI Security Standards Council for distribution to all the payment brands?
No, businesses should submit their recommendations of compliance
according to the existing payment brand-specific procedures for
their review and consideration of approval.
What are the requirements that have to be satisfied to be in compliance with the PCI Data Security Standard?
The PCI Data Security Standard is a multifaceted security standard
that includes requirements for security management, policies, procedures,
network architecture, software design and other critical protective
measures.
The PCI Data Security Standard is comprised of 12 general requirements
designed to:
- Build and maintain a secure network;
- Protect cardholder data;
- Ensure the maintenance of vulnerability management programs;
- Implement strong access control measures;
- Regularly monitor and test networks; and
- Ensure the maintenance of information security policies.
Where can I get more information about the exact requirements needed to be PCI DSS compliant?
The PCI DSS standard and all supporting documentation can be found
on https://www.pcisecuritystandards.org/.
How frequently will the PCI Security Standards Council update the PCI Data Security Standard?
The PCI Security Standards Council will regularly monitor and evaluate
industry trends and emerging threats to determine future content
and timing of subsequent releases. Updates will also take into account
input and advice from Participating Organizations and the Advisory
Board. It is expected that updates will occur no more often than
once per year.
When will the new version of the PCI Data Security Standard (version 1.1) become effective?
Version 1.1 of the PCI Data Security Standard became effective with
the launch of the PCI Security Standards Council. Some of the more
complex individual requirements contained in the new version of
the standard have built-in lead time for implementation.
How has the PCI Data Security Standard changed (January 2005 version to version 1.1)?
The focus of the 1.1 revision has been to address questions about
how to implement the standard. The standard has been updated to
provide clarification to certain requirements and to give flexibility
for compensating controls for complex requirements such as data
encryption. These updates are designed to acknowledge partner and
customer feedback, along with technical compliance constraints,
and foster rapid adoption, while maintaining the robustness of the
security measures in the January 2005 version. Additional requirements
have been added to address emerging threats related to application
security.
The Council has compiled a Summary of Changes describing the significant
differences between the two DSS versions; to read this document,
click here.
If I am already PCI DSS compliant based on the January 2005 version of the PCI Data Security Standard and have initiated the re-certification process, what impact will version 1.1 have?
Because the focus of the 1.1 revision has been to address questions
about how to implement the PCI DSS standard and to introduce flexibility
for the use of compensating controls for complex requirements such
as data encryption, current compliance to the January 2005 version
should allow a business to be compliant with the DSS version 1.1
through 2006.
As of the launch of the PCI Security Standards Council, and until
December 31, 2006, all new certifications and newly initiated recertifications
may be based on either the January 2005 version of the PCI DSS or
DSS version 1.1. As of January 1, 2007, all new certifications and
newly initiated recertifications must be based on DSS version 1.1.
Please consult the individual payment brands regarding certifications
or recertifications based on the January 2005 version of the PCI
DSS that are not completed by the end of 2006.
What is the impact of the formation of the PCI Security Standards Council on the current evaluation and approval processes for onsite audit and scan reports?
In addition to compliance with the PCI DSS, business entities that
engage QSAs or ASVs to validate their compliance must follow individual
payment brand specific policies and processes regarding review and
approval. These policies and processes are not under the oversight
of the PCI Standards Council.
Will the PCI Security Standards Council list compliant service providers and/or merchants on its Web site?
The PCI Security Standards Council will not list compliant service
providers or merchants on its Web site, since each individual brand
is responsible for designating its acceptance of a recommendation
of compliance from a QSA or ASV.
Will the PCI Security Standards Council approve and list vendors for participation in forensics investigations?
The current scope of the PCI Security Standards Council does not
include approval or identification of businesses approved for forensics
investigations. Individual payment brands will continue with their
existing processes and procedures.
Will the PCI Security Standards Council be involved in performing forensics investigations as a result of an account data compromise event?
The PCI Security Standards Council will not conduct forensics investigations
either directly or through a third party in the event of an account
compromise.
In case of a suspected breach, should the PCI Security Standards Council be contacted directly?
No. In the event of a suspected account security breach, the business
entity should follow existing, brand-specific processes and procedures
for notifying the affected payment brand(s) and law enforcement
officials.
If I am deemed compliant with the PCI DSS today by MasterCard and/or Visa, will the other brands in the PCI Security Standards Council recognize this designation of compliance and if so, what information must be put forth to achieve such recognition?
Individual payment brands, and not the PCI Security Standards Council,
are responsible for accepting or declining recommendations of compliance
from QSAs and ASVs. Businesses that desire compliance recognition
from other payment brands should follow the brand-specific processes
and procedures.
If I am currently in the process of becoming compliant with the January 2005 version of the PCI DSS (QSAs have already issued a ROC or ASVs have provided scanning results and remediation efforts are underway), what standard now applies with the release of version 1.1 of the PCI DSS?
Although the new version of the standard became effective upon the
launch of the PCI Security Standards Council, current compliance
to the January 2005 version should allow a business to be compliant
with the 1.1 version through 2006. New provisions related to application
level security have been introduced in version 1.1 that will become
required in 2008. Any new onsite audits or scans conducted by QSAs
and ASVs as of the date of launch of the PCI Security Standards
Council and version 1.1 of the PCI DSS should be based on the updated
standard and underlying requirements.
Will the PCI Security Standards Council "approve" my organization's implementation of compensating controls in my effort to comply with the PCI DSS?
Each individual approved QSA will be trained by the PCI Security
Standards Council regarding the underlying requirements of the PCI
DSS and the evaluation of compensating controls for certain complex
requirements and operating environments. QSAs will themselves determine
whether a compensating control is sufficient as they determine their
recommendation of compliance to the various payment brands. Each
individual payment brand will separately determine whether to accept
the recommendation of compliance and whether a detailed review of
the report of compliance and compensating controls is warranted.
My organization has compliance responsibilities for many regulatory requirements from many regulatory agencies (SOX, GLB, FFIEC, etc.); what is the incentive for my organization to be compliant with the PCI DSS?
The PCI DSS is specifically designed to provide for the protection
of stored payment account information and to minimize risks of unauthorized
intrusion or account compromise. Organizations should seek compliance
with the PCI DSS in order to mitigate brand, reputation and financial
risks associated with the potential for payment account compromise.
Each payment brand may also have separate and distinct compliance
programs that serve as further incentives for adoption.
What are the consequences to my business if I do not comply with the PCI DSS?
The PCI Security Standards Council encourages all businesses that
store payment account data to comply with the PCI DSS to help lower
their brand and financial risks associated with account payment
data compromises. The PCI Security Standards Council does not manage
compliance programs and does not impose any consequences for non-compliance.
Individual payment brands, however, may have their own compliance
initiatives, including financial or operational consequences to
certain businesses that are not compliant.
How do I determine whether my business would be required to do a full independent assessment or a self assessment?
Merchants that store payment account data should contact the acquiring
financial institutions with whom they have merchant agreements to
determine whether they must validate compliance and the specific
requirements for compliance validation. Service providers should
contact the individual payment brands for further information.
Once my business has been determined to be compliant by a QSA, would I or the QSA need to communicate this fact to the PCI Security Standards Council?
No. The PCI Security Standards Council is not a compliance organization.
Each brand maintains its own compliance programs.
If my business was deemed compliant but my system was still breached and payment account data compromised after the fact, what liability would my business incur?
The PCI Security Standards Council is not responsible for levying
any financial or operational consequences on businesses that have
either been breached or are suspected of an account data compromise.
These businesses should contact the individual brands regarding
next steps, such as contacting law enforcement, or obtaining other
relevant information, including potential consequences should a
compromise have occurred.
With the standard changing, how can a merchant or processor hope to maintain its compliance?
The PCI Security Standards Council does not anticipate that changes
to the PCI DSS will occur any more frequently than on an annual
basis. Where necessary, new requirements may be phased in with future
effective dates to ensure that the necessary time frames for compliance
can be achieved.
How long does a merchant have to become compliant with PCI DSS version 1.1?
The individual payment brands have each established their own requirements
and timelines for various entities, including merchants, to become
compliant.
Can an entity be fined if it is compliant with the original PCI DSS but not version 1.1?
All compliance programs including but not limited to fines are managed
individually and distinctly by the payment brands.
Are there any plans to make compliance easier for small to medium sized merchants?
All merchants must comply with the same standard to be considered
compliant with PCI DSS version 1.1. Approaches for validation of
compliance differ based upon merchant size and are determined based
upon levels set individually by the payment brands. The PCI Security
Standards Council will support future work efforts intended to build
technical guidance and other tools into the self-assessment questionnaire.