Frequently Asked Questions

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is the compliance standard that applies to all organizations that process, store, or transmit payment card data.

Does the PCI DSS apply to me?

Regardless of size, all organizations that process, store, or transmit payment card data must comply with the PCI DSS.

What is cardholder data?

The PCI Security Standards Council defines cardholder data as the full Primary Account Number, typically with the cardholder name, expiration date, and service code.

What is a Merchant?

A Merchant is any entity that accepts payment cards branded with the five major card brands (American Express, Discover, JCB, MasterCard or Visa) as payment for goods or services.

What is a Service Provider?

A Service Provider is any entity that stores, processes, or transmits cardholder data on behalf of another entity.

What is a payment application?

A payment application is any software that is designed to handle payment card data. Anything from a Point of Sale (POS) system to a website’s e-commerce shopping cart is a payment application.

What is a payment gateway?

A payment gateway links the merchant to the bank or processor so that online payment card transactions are automated. Payment gateways route inputs from many different applications to the appropriate bank or processor.

Which PCI compliance level does my company fall under?

Your PCI compliance level depends on your company’s annual transaction volume. For example, Visa will assign a merchant as Level 1 if there are over 6 million Visa transactions per year. Level 2 is assigned when the number of transactions is between 1 million and 6 million. Level 3 is assigned when the number of transactions is between 20,000 and 1 million. Level 4 is any merchant processing up to 20,000 Visa e-commerce transactions annually.

Which payment cards are in scope for PCI?

All debit, credit, and pre-paid cards that are issued by any of the five major card brands are in scope for PCI. The five major card brands are: American Express, Discover, JCB, MasterCard, and Visa.

What are the consequences if my business is not PCI compliant?

Payment card brands may fine an acquiring bank up to $100,000 per month, which will most likely be passed down to the merchant. It is wise for merchants to thoroughly read the merchant account agreement, as financial penalties can be significant. In addition to fines, other consequences include card replacement costs, costly post-breach audits, and a tarnished reputation that could devastate a business.

My cardholder data is encrypted. How does this affect my PCI DSS scope?

Encryption does not render the environment out of scope for PCI DSS. The environment is still in scope for PCI DSS because cardholder data is present.

Does a PoS back office server have to be in a secure location to be PCI compliant?

The location of a Point of Sale back office server that is part of a cardholder environment would be considered a sensitive area and would need to be secured. Based on the type of location, this could mean putting the back office server in the manager’s office and locking the door to the office when the manager is not there.

I accept credit cards only by phone. Do I still need to comply with PCI DSS?

Yes. All organizations that process, store, or transmit payment card data must comply with the PCI DSS.

I use a third-party processor. Do I still need to comply with PCI DSS?

Yes. Using a third-party processor may reduce the scope of your PCI compliance efforts, but you are still required to comply with PCI DSS.

What is the pricing range for Penetration Testing?

Penetration testing pricing varies according to the overall scope, which includes the number of IP addresses and applications to be tested. For pricing specific to your project, please reach out to us via the Contact Us Form on our website or at info@darasecurity.com.

What is social engineering?

Social engineering is a non-technical way of gaining sensitive company information or installing malware by manipulating employees into breaking company procedures. Read more about various social engineering techniques in our article here.

What is a vulnerability scan?

A vulnerability scan uses automated tools to check for vulnerabilities in a merchant’s or service provider’s systems. The scan is non-intrusive and is done remotely based on external-facing IP addresses provided by the merchant or service provider. Approved Scanning Vendors (ASVs) must conduct the scans in order to validate compliance with PCI.

What is a penetration test?

A penetration test is an intrusive attack performed by a security expert on a company’s network in order to find exploitable security flaws. The test shows how deep into the network an ethical hacker can penetrate, giving the company valuable insight into its true security posture. An internal penetration test is conducted from within the facility, attempting to gain unauthorized access, while an external penetration test is conducted from outside the network, attempting to gain entry.

What is Black Box and Grey Box testing?

Black Box and Grey Box testing are types of penetration tests. Black Box testing is conducted with no network information beyond the number of Internet accessible servers. IP-address ranges will be discovered and confirmed during testing. Grey Box testing is conducted with IP-address ranges provided by the customer prior to testing.

What is the difference between a vulnerability scan and a penetration test?

A vulnerability scan is non-intrusive and uses automated tools to find vulnerabilities in a network. A penetration test is an intrusive attack done by a security expert to exploit vulnerabilities in a network.

What is the PCI DSS required frequency for vulnerability scans and penetration tests?

PCI DSS requires that vulnerability scans be done at least once a quarter and penetration testing be done at least once a year. More frequent scans or tests may be required if significant changes occur, such as infrastructure or application upgrades or new system component installations.

I received a survey from OCR. Does this mean I will be selected for a HIPAA audit?

Not necessarily. By receiving a survey, you have been included in a pool of eligible healthcare organizations or business associates that the OCR can randomly pick from to conduct HIPAA audits. It’s a great time to ensure policies and procedures are in place and to seek a security risk assessment so that you find and address any gaps that a HIPAA audit would reveal.

What is the status of PCI DSS 4.0?

The target completion date for PCI DSS v4.0 is Q4 2021. The target publication date and availability will be determined after completion of a June 2021 RFC.

How does PCI DSS apply to Voice over IP traffic?

VoIP traffic containing payment card data is considered in-scope for certain PCI DSS controls. This is similar to other IP network traffic that contains payment card data.

According to the PCI DSS, which TLS versions must be used?

The PCI DSS does not specify which TLS versions must be used. However, the standard does not consider early TLS or SSL to be strong cryptography as defined in the PCI DSS Glossary of Terms.

What are acceptable formats for truncation of primary account numbers?

Truncation (permanent removal of data so that the complete PAN is unreadable) applies to PANs that are electronically stored in files, databases, etc. The current acceptable PAN truncation format for all Payment Brands is “first 6, last 4” which allows retention of a maximum of the first 6 and the last 4 digits of the PAN. Entities seeking flexibility beyond this current acceptable format must consider specific PAN lengths acceptable to each of the Payment Brands.
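As an added example (not from the FAQ or from Dara Security), the following Python helpers apply the “first 6, last 4” format and check whether a value already in storage keeps no more than those digits readable. The 13-19 digit PAN length range and the sample card number are assumptions made for illustration.

```python
import re

# "First 6, last 4": the maximum leading and trailing digits of a PAN
# that may remain readable after truncation, per the format currently
# acceptable to all payment brands.
MAX_LEADING = 6
MAX_TRAILING = 4


def truncate_pan(pan: str, mask_char: str = "x") -> str:
    """Return the PAN with only the first 6 and last 4 digits retained.

    Spaces and dashes are stripped first so formatting cannot leak extra
    digits. The 13-19 digit range is an assumption about typical PAN
    lengths, not a figure taken from the FAQ.
    """
    digits = re.sub(r"[\s-]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    middle = len(digits) - MAX_LEADING - MAX_TRAILING
    return digits[:MAX_LEADING] + mask_char * middle + digits[-MAX_TRAILING:]


def is_compliant_truncation(stored: str) -> bool:
    """Check a stored value against the first-6/last-4 rule.

    Any non-digit mask character is accepted. Returns False when more than
    6 leading or 4 trailing digits are readable, when digits appear inside
    the masked middle, or when the value is a full PAN in the clear.
    """
    if not stored or stored.isdigit():
        return False  # empty, or an untruncated PAN
    leading = len(stored) - len(stored.lstrip("0123456789"))
    trailing = len(stored) - len(stored.rstrip("0123456789"))
    core = stored[leading:len(stored) - trailing]
    if any(c.isdigit() for c in core):
        return False  # digits leaking inside the masked segment
    return leading <= MAX_LEADING and trailing <= MAX_TRAILING


if __name__ == "__main__":
    # Constructed sample PAN (a commonly used test number, not real card data).
    print(truncate_pan("4111 1111 1111 1111"))  # 411111xxxxxx1111
```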

What are the email addresses of the payment card brands?

American Express: AmericanExpressCompliance@trustwave.com
Discover: DISCCompliance@discover.com
JCB: riskmanagement@info.jcb.co.jp
MasterCard: sdp@mastercard.com
Visa – Canada, USA, LAC: cisp@visa.com
Visa – Europe: datasecuritystandards@visa.com
Visa – Asia Pacific: vpssais@visa.com

What date should be used for “Date of Report” in the ROC?

The “Date of Report” is the completion date of the ROC and must not be earlier than when the QSA completed collection and validation of evidence to support the findings documented in the ROC.

Can a PCI 3DS Assessment yield a “Compliant” result if not all requirements are tested?

No. All requirements must be tested and found to be “In Place” or of an equivalent status for the PCI 3DS Attestation of Compliance to yield a “Compliant” result.

What are SSL and early TLS?

SSL and early TLS are widely used encryption protocols that have been in use for over 20 years. SSL/TLS encrypts the channel between two endpoints to ensure the integrity and privacy of the transmission. Several vulnerabilities have been found in these protocols that may allow attackers to extract data from these connections. With no known fixes to SSL, the PCI Council issued the updated PCI DSS 3.1 and PA-DSS 3.1, which removed SSL and early TLS as examples of strong cryptography. Read more in our White Paper.

I'm a small merchant. Is my environment affected by issues with SSL/early TLS?

Yes. Regardless of size, all merchants are affected by issues with SSL/early TLS. It is essential that you remove SSL/early TLS from your cardholder data environment to protect your customer data. Work with a security expert now to plan and execute your migration to a secure alternative.

Is an EMVCo Letter of Approval required before a PCI 3DS Assessment is conducted?

No. An EMVCo Letter of Approval (LOA) is not required for a PCI 3DS Assessment to take place. However, the entity seeking the assessment must document the reason(s) that an associated LOA is absent.

Can a 3DS entity outsource HSM hosting and management to a third-party service provider?

Yes. Third-party outsourcing of the hosting and management of the HSM infrastructure is possible. The 3DS entity must coordinate with the service provider to confirm which requirements are covered by the service provider and which requirements are covered by the 3DS entity. Ultimately, the 3DS entity must ensure that all applicable requirements regarding the HSM infrastructure are met.

Is it possible to have a TR-39 Audit done?

No. The TR-39 Audit is obsolete and has been replaced by the PCI PIN Audit. The PCI PIN Audit is the result of a collaborative effort between ASC X9 (TR-39’s governing body) and the PCI Council, in which TR-39 was combined with the PCI PIN Security Standard.

Connect with Dara Security

Thank you for your interest in Dara Security. We look forward to helping you secure your data and achieve compliance.

© Dara Security 2024