Payment Card Industry Data Security Standard (PCI DSS) Certification – FAQ

1. Is the Data Security Standard same for all entities dealing with cardholder data?

PCI Security Standards Council addresses 2 types of entities that deal with cardholder data, Merchant and service provider in the Data security standard. There are certain requirements in the PCI DSS which has to be met only by Service provider.

Further, The council has created Self attestation questionnaires (SAQs) for all those merchants and service providers whose risk profile is not significant and can go for these SAQs as requested by acquiring banks or payment brands.

Currently there are 8 PCI FAQs which are created for various types of mechants.

For detailed explanation on FAQs, read our blog on “ What is the Right SAQ for You?”

2. Do business entities that have 3rd Party payment processors, require to be PCI DSS compliant?
Yes, all the business entities accepting cards (as a payment option) or dealing with card numbers otherwise have to be PCI DSS compliant. However, it must be noted that the number of applicable requirements and efforts might reduce to validate compliance.
3. What does it mean to be PCI DSS compliant?
To be PCI DSS compliant, your organisation needs to meet the 12 requirements and 300 sub requirements outlined in the PCI DSS standard. To acknowledge that your organisation has met the 12 requirements, you need to touch base with a Qualified Security Assessor (QSA) who can examine your environment and can validate your compliance.
4. What is a PCI certificate?

A Qualified Security Assessor (QSA) will perform an audit of your operating environment and will evaluate It against the 12 requirements and 300 sub requirements mentioned in the PCI DSS standard.

On successful evaluation, the QSA will award your organisation a PCI- DSS Compliance Certificate. The Certificate will be your badge of honor recognizing the efforts taken towards prioritizing security.

5. What Does It Take to Become PCI Compliant?

Like we said, becoming PCI compliant requires meeting the 12 requirements and 300 sub requirements mentioned in the PCI DSS standard.

Reach out to our QSA team to perform a quick reconnaissance of your environment and to charter out a compliance plan.

6. Do we need a QSA for PCI Certification?

A Qualified Security Assessor is one who has been qualified by the PCI Security Standards Council (PCI SSC) to conduct PCI assessments. A QSA needs to meet a stringent set of requirements outlined by the PCI SSC in addition to taking up regular examinations.

Therefore, it’s very critical that you invest your time with a QSA who are recognized by the PCI SSC. Barring which, the certificate will not be recognized by the PCI SSC as well as the industry. The list of certified QSA companies can be found here

7. Is PCI certification a one-time exercise?

No. It’s a yearly affair. The PCI certification is an ongoing compliance process. You will need to engage with a QSA to renew your certification on an annual basis.

Having said that, getting the environment set up correctly and appropriate delegation of tasks as per roles and responsibilities in the first round is the key to setting the stage for easier and effective ongoing compliance.

8. What if I am not Compliant?

Not being PCI Compliant and accepting payments from payment cards of American Express, Discover, JCB, MasterCard or Visa is a VIOLATION and will incur fines.

Being PCI non-compliant + being breached would mean that you are looking at penalties ranging between $5,000 and $500,000.

Besides the fines, you are also looking at

  • Cost of data breach + customer damages
  • Not being able to accept card payments in the future
  • Losing your merchant account status
  • Getting featured in the Terminated Merchant File (TMF) managed by Visa and MasterCard

Loss of reputation and customer trust goes without saying.

9. Who is a Merchant and Service Provider?

To quote from the PCI DSS Standard,

“a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.”

And a Service Provider is

“Business entity that is not a payment brand but is directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data.”

Now can a Merchant also be a Service Provider? Absolutely, if the merchant is providing services to other entities.

10. What is a ROC and AOC?

A ROC is a Report On Compliance which needs to be filled out by a PCI QSA on completion of the audit.

An AOC is an Attestation of Compliance which is a form used by merchants and service providers to attest the results of the PCI DSS audit.

Out of these AOC needs to be submitted to Acquiring banks, Payment Brands , Regulatory bodies or to customers to demonstrate PCI DSS Compliance.

11. Are external network scans integral to any PCI DSS certification?

Yes, infact scans can only be performed by PCI SSC Approved Scanning Vendor (ASV). PCI DSS Standard mandates for Quarterly External Scanning of all the publically accessible devices/servers for Level 1, 2 and 3 merchants and all sevice providers.

Yes, Crossbow Labs also provides PCI ASV scans and we have a solid Engineering team that can support you with meeting the PCI DSS requirements.


Pop up

We use cookies and other tracking technologies to improve your browsing experience on our website, to show you personalized content and targeted ads, to analyze our website traffic, and to understand where our visitors are coming from. While using our website, we may ask you to provide us with certain personally identifiable information, that can be used to contact you about our service offerings. By browsing our website, you consent to our privacy and cookies policy.