With a strong data security foundation you can protect your customer payment data and prevent data breaches that can put you out of business.
These resources provide simple guidance on why and how to keep customer payment data safe. Start educating your small business customers and partners on payment security basics by downloading these resources now.
Simple guidance for understanding the risk to small businesses, security basics to protect against payment data theft, and where to go for help. Available in spiral-bound format too – click here to order.
Real-life visuals to help identify what type of payment system small businesses use, the kinds of risks associated with their system, and actions they can take to protect it.
A list of the common vendors small businesses rely on and specific questions to ask them to make sure they are protecting customer payment data.
Glossary of Payment and Information Security Terms
Easy-to-understand explanations of technical terms used in payment security.
Data Security Essentials Evaluation Tool
This online tool and accompanying evaluation forms provide a preliminary evaluation of a small merchant’s security posture.
Your customers trust you with their business. Show them you take their data protection just as seriously by co-branding the PCI Data Security Essentials for Small Merchants with your company logo.
Each of PCI SSC’s founding payment brand members (American Express, Discover, JCB International, MasterCard and Visa) currently have their own PCI compliance programs for the protection of their affiliated payment card account data. Entities should contact the payment brands directly for information about their compliance programs. Contact details for the payment brands can be found in How do I contact the payment card brands?
Questions regarding compliance requirements for payment card account data affiliated with other payment networks or brands should be referred to the applicable payment network or brand.
PCI SSC also encourages entities to be aware of potential nuances in local laws and regulations that could affect applicability of the PCI standards.
Use of encryption in a merchant environment does not remove the need for PCI DSS in that environment. The merchant environment is still in scope for PCI DSS due to the presence of cardholder data. For example, in a card-present environment, merchants have physical access to the payment cards in order to complete a transaction and may also have paper reports or receipts with cardholder data. Similarly, in card-not-present environments, such as mail-order or telephone-order, payment card details are provided via channels that need to be evaluated and protected according to PCI DSS.
Encryption of cardholder data with strong cryptography is an acceptable method of rendering the data unreadable in order to meet PCI DSS Requirement 3.4. However, encryption alone may not be sufficient to render the cardholder data out of scope for PCI DSS.
The following are each in scope for PCI DSS:
Where a third party receives and/or stores only data encrypted by another entity, and where they do not have the ability to decrypt the data, the third party may be able to consider the encrypted data out of scope if certain conditions are met. For further guidance, refer to FAQ 1233: How does encrypted cardholder data impact PCI DSS scope for third-party service providers?
Additionally, for information about how a merchant may receive scope reduction through use of a validated P2PE solution, please see the FAQ 1158: What effect does the use of a PCI-listed P2PE solution have on a merchant’s PCI DSS validation?
The PCI DSS Self-Assessment Questionnaires (SAQs) are validation tools for merchants and service providers that are eligible to evaluate and report their PCI DSS compliance via self-assessment. There are a number of different SAQs available that are intended meet the needs of particular types of environments.
Each SAQ contains a “Before you Begin” section, which outlines the type of environment that the SAQ is intended for. All the eligibility criteria for a particular SAQ must be met in order to use that SAQ.
Additional guidance is also provided in the PCI DSS Self-Assessment Questionnaire Instructions and Guidelines document in the Document Library.
Merchants should also consult with their acquirer (merchant bank) or payment brand to determine if they are eligible or required to submit an SAQ, and if so, which SAQ is appropriate for their environment.
PCI DSS is intended for all entities involved in payment processing, including merchants, regardless of their size or transaction volume. When compared with larger merchants, small merchants often have simpler environments, with limited amounts of cardholder data and fewer systems that need protecting, which can help reduce their PCI DSS compliance effort.
Whether a small merchant is required to validate compliance is determined by the individual payment brands. For questions regarding compliance validation and reporting requirements, merchants should contact their acquirer (merchant bank) or payment brand they do business with, as applicable.
Our website uses both essential and non-essential cookies (further described in our Privacy Policy) to analyze use of our products and services. By clicking “ACCEPT” below, you are agreeing to our use of non-essential cookies to provide third parties with information about your usage and activities. If you click “DECLINE” below, we will continue to use essential cookies for the operation of the website.
