PCI Security Standards Council®

Leadership

Protect your business. Secure your payment data.

With a strong data security foundation you can protect your customer payment data and prevent data breaches that can put you out of business.

A strong data security foundation starts with people, process and technology.
Learn more about PCI resources and tools that can help you secure payment data.
PEOPLE
Hire qualified and trusted partners and train your staff to understand payment data security essentials.
Learn more about training and qualified security professionals
PROCESS
Put the right policies and practices in place to make payment security a priority every day.
Learn more about the PCI Data Security Standard (PCI DSS)
TECHNOLOGY
Make sure you are using the right technology and implementing it correctly to get the best security and business benefits.
Learn more about secure technology

Threat Center

Data breaches can be prevented. Learn how to defend against threats and attacks that can put your business at risk.
MALWARE
Criminals use malicious software to infiltrate a computer system and steal payment data. Ransomware is the fastest growing malware threat.
Malware Resources
PHISHING
Phishing emails are a common delivery vehicle for malware. These emails look legitimate, such as an invoice or electronic fax, but they include malicious links and/or attachments that can infect your computer and system.
Phishing Resources
REMOTE ACCESS
Criminals can gain access to your systems that store, process, or transmit payment data through weak remote access controls. Remote access may be used by your payment terminal vendors, for example, to provide support to your terminal or to provide a software update.
Remote Access Resources
WEAK PASSWORDS
More than 80% of data breaches involve stolen/or weak passwords.
*Verizon 2017 DBIR
Password Resources
OUTDATED SOFTWARE
Criminals look for outdated software to exploit flaws in unpatched systems.
Patching Resources
SKIMMING
Criminals attach small hardware "skimming devices" to card readers which can sweep customer payment data when they use payment cards at your store. Criminals use the stolen data to create counterfeit cards and make illegal purchases.
Skimming Resources

Resources For Small Merchants

Data Security Essentials Resources


These resources provide simple guidance on why and how to keep customer payment data safe. Start educating your small business customers and partners on payment security basics by downloading these resources now.

Guide to Safe Payments

Simple guidance for understanding the risk to small businesses, security basics to protect against payment data theft, and where to go for help. Available in spiral-bound format too – click here to order.


Common Payment Systems

Real-life visuals to help identify what type of payment system small businesses use, the kinds of risks associated with their system, and actions they can take to protect it.



Questions to Ask your Vendors

A list of the common vendors small businesses rely on and specific questions to ask them to make sure they are protecting customer payment data.



Glossary of Payment and Information Security Terms

Easy-to-understand explanations of technical terms used in payment security.




Data Security Essentials Evaluation Tool

This online tool and accompanying evaluation forms provide a preliminary evaluation of a small merchant’s security posture.



PCI Firewall Basics

A one-page infographic on firewall configuration basics.




Videos and Infographics
Payment Data Security Essential: Strong Passwords
The use of weak and default passwords is one of the leading causes of payment data breaches for businesses. Watch this quick animated video to learn how businesses can minimize their chances of being breached by changing vendor default passwords to strong ones, and never sharing passwords.
Payment Data Security Essential: Secure Remote Access
Insecure remote access is one of the leading causes of payment data breaches for businesses. Watch this quick animated video to learn how businesses can minimize their chances of being breached by only allowing remote access when necessary and using multi-factor authentication.
Payment Data Security Essential: Patching
Unpatched software is one of the leading causes of payment data breaches for businesses. Watch this quick animated video to learn how businesses can minimize their chances of being breached by installing software patches quickly.
Co-Brand


Your customers trust you with their business. Show them you take their data protection just as seriously by co-branding the PCI Data Security Essentials for Small Merchants with your company logo.

  • Order 20+ generic spiraI bound books
  • Order 1,000+ customized spiral bound books, co-branded with your company logo
  • Customize, co-brand the digital version with your company logo
For more information on co- branding or bulk orders, click here.
RECOMMENDED TRAINING
  • Entry level option:  PCI Awareness training is available online 24/7/365.  Learn about the 12 PCI Requirements at your own pace to improve your security posture and reduce risk to cardholder data.
  • More advanced option:  PCI Professional (PCIP) training is a self-paced eLearning course for those with a minimum of two years IT experience.  This course delivers you tools to help build a secure payment environment and help your organization achieve PCI compliance. Earn a three-year renewable credential and get listed on the PCI website.
  • Additional educational resources: Check out PCI SSC payment security educational resources for infographics, videos, webinars and other useful tools for learning how to protect payment data.
Frequently Asked Questions
What is the PCI DSS?
The PCI Data Security Standard (PCI DSS) applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational practices for system components included in or connected to environments with cardholder data. If you accept or process payment cards, PCI DSS applies to you.
Who has to comply with the PCI Standards?

Each of PCI SSC’s founding payment brand members (American Express, Discover, JCB International, MasterCard and Visa) currently have their own PCI compliance programs for the protection of their affiliated payment card account data.  Entities should contact the payment brands directly for information about their compliance programs. Contact details for the payment brands can be found in How do I contact the payment card brands?

Questions regarding compliance requirements for payment card account data affiliated with other payment networks or brands should be referred to the applicable payment network or brand.

PCI SSC also encourages entities to be aware of potential nuances in local laws and regulations that could affect applicability of the PCI standards.

How does encrypted cardholder data impact PCI DSS scope?

Use of encryption in a merchant environment does not remove the need for PCI DSS in that environment.  The merchant environment is still in scope for PCI DSS due to the presence of cardholder data. For example, in a card-present environment, merchants have physical access to the payment cards in order to complete a transaction and may also have paper reports or receipts with cardholder data. Similarly, in card-not-present environments, such as mail-order or telephone-order, payment card details are provided via channels that need to be evaluated and protected according to PCI DSS.

Encryption of cardholder data with strong cryptography is an acceptable method of rendering the data unreadable in order to meet PCI DSS Requirement 3.4.  However, encryption alone may not be sufficient to render the cardholder data out of scope for PCI DSS.

The following are each in scope for PCI DSS:

  • Systems performing encryption and/or decryption of cardholder data, and systems performing key management functions
  • Encrypted cardholder data that is not isolated from the encryption and decryption and key management processes
  • Encrypted cardholder data that is present on a system or media that also contains the decryption key
  • Encrypted cardholder data that is present in the same environment as the decryption key
  • Encrypted cardholder data that is accessible to an entity that also has access to the decryption key

Where a third party receives and/or stores only data encrypted by another entity, and where they do not have the ability to decrypt the data, the third party may be able to consider the encrypted data out of scope if certain conditions are met.  For further guidance, refer to FAQ 1233: How does encrypted cardholder data impact PCI DSS scope for third-party service providers?

Additionally, for information about how a merchant may receive scope reduction through use of a validated P2PE solution, please see the FAQ 1158: What effect does the use of a PCI-listed P2PE solution have on a merchant’s PCI DSS validation?

What is the PCI DSS Self-Assessment Questionnaire?

The PCI DSS Self-Assessment Questionnaires (SAQs) are validation tools for merchants and service providers that are eligible to evaluate and report their PCI DSS compliance via self-assessment. There are a number of different SAQs available that are intended meet the needs of particular types of environments. 

Each SAQ contains a “Before you Begin” section, which outlines the type of environment that the SAQ is intended for. All the eligibility criteria for a particular SAQ must be met in order to use that SAQ. 

Additional guidance is also provided in the PCI DSS Self-Assessment Questionnaire Instructions and Guidelines document in the Document Library.

Merchants should also consult with their acquirer (merchant bank) or payment brand to determine if they are eligible or required to submit an SAQ, and if so, which SAQ is appropriate for their environment.

Do small merchants with limited transaction volumes need to comply with PCI DSS?

PCI DSS is intended for all entities involved in payment processing, including merchants, regardless of their size or transaction volume.  When compared with larger merchants, small merchants often have simpler environments, with limited amounts of cardholder data and fewer systems that need protecting, which can help reduce their PCI DSS compliance effort.  

Whether a small merchant is required to validate compliance is determined by the individual payment brands. For questions regarding compliance validation and reporting requirements, merchants should contact their acquirer (merchant bank) or payment brand they do business with, as applicable. 

More FAQs

Useful Resources
PCI Perspectives Blog

Our website uses both essential and non-essential cookies (further described in our Privacy Policy) to analyze use of our products and services. By clicking “ACCEPT” below, you are agreeing to our use of non-essential cookies to provide third parties with information about your usage and activities. If you click “DECLINE” below, we will continue to use essential cookies for the operation of the website.