PCI Compliance…The More Commonly Asked Questions

PCI Compliance FAQ

Given how complex PCI compliance is, our customers have a lot of questions surrounding PCI and its compliance. Not surprising given how important it is to make sure you are compliant. We thought it would be useful to list the five most common questions we get and give you the answers:

Q: What kind of businesses does PCI apply to?
A: The short answer is PCI applies to every type of business that takes credit cards. Anyone that accepts, transmits or stores any cardholder data, regardless of size or number of transactions, has to be in compliance.

Q: Does the size of the business make any difference under PCI?
A: Yes and no. Every merchant falls into one of the four merchant levels based on annual credit card transactions. Basically, the bigger you are, the higher the penalties. That said, depending on the type of breach, your card carrier can arbitrarily move you from one level to another regardless of the number of transactions.

Q: If I only accept credit cards over the phone, or using something like a Square reader, does PCI still apply to me?
A: Yes. All businesses that store, process or transmit payment cardholder data must be PCI compliant regardless of how they sell.

Q: Do organizations using third-party processors have to be PCI compliant?
A: Yes. Just because you use a third-party company doesn't exclude you from compliance. Some processors ensure compliance for some aspects of card processing, so it may cut down on your risk exposure, but they don't and can't provide the physical security you get from a firewall. So the bottom line is you can't ignore PCI.

Q: My business has multiple locations. Is each location required to validate PCI compliance?
A: If your business locations process under the same Tax ID, then typically you are only required to validate once annually for all locations, and to submit quarterly passing network scans by a PCI SSC Approved Scanning Vendor (ASV), if applicable.

We get a lot of other questions, but these are the ones, apart from how much it costs, that we get over and over again. If you have other questions about PCI and want answers, just call us at (214) 340-2258.