Blog
SMB
PCI DSS Compliance FAQ: What is PCI Compliance?

PCI DSS Compliance FAQ: What is PCI Compliance?

Learn about the fundamentals of PCI DSS Compliance.

Updated
December 6, 2023
Posted
September 27, 2017
PCI
Audit
Scoping
PCI DSS Compliance FAQ: What is PCI Compliance?

Your most common questions about the payment card industry data security standard, answered.

As you might expect, we get a lot of questions about PCI DSS Compliance. Here are the answers to your most frequently asked questions!

What is payment card industry compliance or the PCI data security standard?

The Payment Card Industry Data Security Standard (PCI DSS) was established in 2006 by the major card brands (i.e., Visa, MasterCard, American Express, Discover Financial Services, JCB International).

All businesses that process, store, or transmit payment card data are required to implement the standard to prevent cardholder data theft. Your card-handling practices and processing environment determine which PCI DSS requirements apply to your business.

What is PCI validation?

The Payment Card Industry Security Standards Council mandates that all merchants comply with the PCI standard. Annual validation (or proof) is mandated by some merchant processors and is a way of documenting your compliance. Validation requirements vary based upon annual payment card transactions and may require a self-assessment or independent onsite audit.

Who is required to become PCI compliant?

All businesses that process, store, or transmit payment card information are required to comply with the PCI DSS.

Why haven't I heard of PCI compliance until now?

PCI compliance was first mandated in 2006. The Payment Card Industry Security Standards Council, the card brands, and your merchant processor are doing their best to make sure all merchants are aware of the standards.

Is PCI compliance required by law?

The government does not regulate PCI*; however, when you signed your payment card contract—and confirmed your desire to accept credit and debit cards at your business—you agreed to follow card brand rules. If you wish to safely accept Visa, MasterCard, JCB, American Express, and Discover, you must comply with PCI DSS.

*Note: Some states, including Nevada, Minnesota and Washington, have incorporated PCI DSS compliance into their state laws.

When is the deadline to become PCI compliant?

For most merchants, the deadline for compliance has already passed. Contact your merchant processor to receive details on your merchant account. The sooner you become compliant, the less likely you are to be hacked.

What happens if I don't become PCI compliant?

If you are not PCI compliant, you are more vulnerable to data compromise, and may also be fined by your merchant processor and/or the card brands for not validating PCI compliance.

I only process a few cards a year. Do I still need to be PCI compliant?

Yes. Even if you only process one transaction per year, you must implement the PCI DSS in your processing environment.

See also: 10 PCI Security Standard Myths

What is required to become PCI compliant?

Typical steps for merchants to become PCI DSS compliant include, but are not limited to:

  • Determine your PCI DSS validation type (this informs your requirements)
  • Address all requirements found in your Self-Assessment Questionnaire (SAQ) (e.g., external vulnerability scans, penetration tests, employee training, etc.)
  • Attest to your compliance annually
  • Complete and report quarterly results of all scans performed by an Approved Scanning Vendor (ASV)

See also: Is Your E-Commerce Business PCI Compliant?

What is the most current version of the PCI DSS?

The PCI SCC released PCI DSS version 4.0 in April 2022. PCI DSS 4.0 brought with it some extensive changes, including new password requirements and additional guidance about ecommerce security.

The changes in PCI DSS 4.0 are intended to introduce new requirements, changes and clarifications to help businesses navigate new and increasingly common security threats.

Which SAQ am I supposed to complete?

Ultimately, you must choose the SAQ that’s right for your processing environment, but generally speaking:

  • SAQ A is for e-commerce/mail/telephone-order (card-not-present) merchants that have fully outsourced all cardholder data functions. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
  • SAQ A-EP is for e-commerce-only merchants that use a third-party service provider to handle their card information, and who have a website that doesn’t handle card data, but could impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
  • SAQ B is for merchants that use imprint machines and/or standalone, dial-out terminals, and have no electronic cardholder data storage. Not for e-commerce.
  • SAQ B-IP Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, and that have no electronic cardholder data storage. Not for e-commerce.
  • SAQ C-VT is for merchants that use a virtual terminal on one computer dedicated solely to card processing. No electronic cardholder data storage. Not for e-commerce.
  • SAQ C is for any merchant with a payment application connected to the Internet, but with no electronic cardholder data storage.
  • SAQ P2PE is for merchants using approved point-to-point encryption (P2PE) devices, with no electronic card data storage.
  • SAQ D for Merchants is for merchants that DO store credit card data electronically.
  • SAQ D for Service Providers is for service providers deemed eligible to complete an SAQ.

Read more about PCI SAQ types.

What is a PCI compliance certificate?

Some QSA/ASV companies provide certificates confirming that an organization is PCI DSS compliant. An actual compliance certificate is not mandatory, and you don’t necessarily need a certificate to be PCI compliant.

Am I PCI compliant if my site has an SSL/TLS certificate?

Unfortunately, no. An SSL/TLS certificate is an important element in a secure website, but alone does not meet PCI DSS requirements.

Do I need to be PCI compliant if I don't use a computer to process credit cards?

Yes. PCI compliance doesn't require a connection to the Internet or even a computer system. PCI compliance is determined by the way that you store, handle, or process credit card information, whether the card information is in a locked filing cabinet or on the computer.

Who enforces PCI compliance?

Generally speaking, your merchant bank enforces PCI DSS compliance. The PCI Standards Security Council was formed in 2006 by the major card brands (i.e., Visa, MasterCard, American Express, Discover Financial Services, JCB International) to regulate, maintain, evolve and promote PCI DSS compliance.

See also: How Much Does PCI Compliance Cost?

What should I do if I think my business has been compromised?

Disconnect your system from the Internet, call your merchant processor, and call a forensic investigator. PCI forensic investigators help you find and fix the security holes in your processing environment. They help you identify how and when attackers breached your systems, determine if card data was compromised, and document for the card brands your efforts to remediate the vulnerabilities that lead to the data breach.

See also: The 6 Phases in an Incidence Response Plan

What is SecurityMetrics' role in PCI compliance?

SecurityMetrics helps businesses get PCI compliant. We help merchants validate compliance and implement the Payment Card Industry Data Security Standard. SecurityMetrics is an Approved Scanning Vendor and is certified to perform PCI scans, onsite PCI audits, payment application software audits, point-of-sale terminal security audits, penetration tests, and forensic analysis (to assess card data compromises.)

SecurityMetrics QSAs & experts hold certifications like:

  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Systems Auditor (CISA)
  • PCI Forensic Investigator (PFI)
  • Approved Scanning Vendor (ASV)
  • Qualified Security Assessor (QSA)
  • Payment Application Qualified Security Assessor (PA-QSA)
  • Point-to-Point Encryption Qualified Security Assessor (P2PE QSA)
  • HealthCare Information Security and Privacy Practitioner (HCISPP)

My SecurityMetrics account has just been created, what now?

You should log in to your account and begin the process of becoming PCI compliant. Start by going through each section of the SAQ.

If you have more questions about PCI Compliance or anything related to data security, contact one of our experts.

Join Thousands of Security Professionals.

Subscribe Now

Get the Guide To PCI Compliance

Download

Get Started on PCI

Get Started
Stay up to date
Subscribe to our blog.
Subscribe Now
Data Security
Vulnerability ScanningPenetration TestingSecurity TrainingPANscan®SecurityMetrics VisionSecurityMetrics MobileCIS Controls AssessmentConsultingResellerForensic/Incident ResponseData and Network SecurityData Security AcademyWebpage Integrity Monitoring (WIM)Shopping Cart Inspect (PCI Req. 11.6.1)Shopping Cart Monitor (PCI Req. 11.6.1)SecurityMetrics Pulse
Compliance
GDPR CompliancePCI CompliancePCI DSS AuditPCI Level 4 ProgramPA-DSS/SSF AuditP2PE AuditPIN Security AssessmentPCI PoliciesPCI TrainingHIPAA ComplianceHIPAA PoliciesHIPAA TrainingHealth Network ProgramHITRUST
Company Info
About UsBlogGlossaryMedia RelationsCareersTerms of UsePrivacyAbuseDo Not Sell My Information
Contact
Contact UsReport a Vulnerability
SecurityMetrics podcast logoLinkedIn logoFacebook logo
© 2025 SecurityMetrics, Inc. All rights reserved.
Privacy PolicyTerms and Conditions
Your IP Address is:
YouTube logoSecurityMetrics podcast logoLinkedIn logoFacebook logo
Subscribe to our blog
Subscribe Now
© 2025 SecurityMetrics, Inc. All rights reserved.
Privacy Policy
|
Terms and Conditions
|
Your IP Address is:
000.000.000.000