About Payment Card Industry Data Security Standard (PCI DSS)
This article answers many of the questions customers have about the Payment Card Industry Data Security Standard (PCI DSS).
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store, or transmit credit card information maintain a secure environment.
To whom does PCI DSS compliance apply?
Payment Card Industry Data Security Standard (PCI DSS) applies to ANY organization, regardless of size or number of transactions, that accepts, transmits, or stores any cardholder data. This includes organizations that only accept credit card payments through OSV's Online Giving platform.
Why is PCI DSS important?
Payment Card Industry Data Security Standard (PCI DSS) compliance is important to help to keep data secure and avoid data breaches.
Am I considered PCI compliant if I have an SSL certificate for my organization’s website?
No. The Giving portal is hosted by OSV and is completely separate from your website. An SSL certificate on your website therefore has no impact on PCI (Payment Card Industry) compliance as it pertains to accepting credit card payments through OSV Giving.
Does PCI DSS compliance apply if we do not store credit card information?
Yes. If you accept credit or debit cards as a form of payment, then Payment Card Industry Data Security Standard (PCI DSS) applies.
If I have multiple locations, is each required to be PCI compliant?
If the organization locations process under the same tax ID, then typically the only requirement is to complete the Attestation of Compliance once annually for all locations.
Why wasn't a new expiration date generated even though I completed my PCI questionnaire before the expiration date?
If the Payment Card Industry (PCI) questionnaire is completed before the current validation expires, the validation date is not updated immediately; it updates once the current validation date is reached, and from then on reflects the newest date of validation.
When would I select Smartphone/Tablet on the PCI compliance questionnaire?
In addition to selecting ECOMMERCE, also select Smartphone/Tablet if using a mobile Bluetooth card reader, which works with an app on a smartphone or tablet to physically process card payments.
What is the processing method and how is it implemented?
In regard to the Payment Card Industry Data Security Standard (PCI DSS) compliance annual questionnaire, your processing method is Ecommerce. For the implementation of the Ecommerce/shopping cart, the entire internet presence is outsourced.
What is the Ecommerce processing method?
In the context of the Payment Card Industry Data Security Standard (PCI DSS) compliance annual questionnaire, Ecommerce refers to transactions that are conducted electronically on the internet.
What does SAQ type A mean?
Self-Assessment Questionnaire (SAQ) type A is for Ecommerce (card-not-present) merchants that have fully outsourced all cardholder data functions. This is the compliance questionnaire you would complete when there is no electronic storage, processing, or transmission of any cardholder data on the merchant's (your organization's) systems or premises.
What is a 'third-party service provider'?
In regard to Payment Card Industry Data Security Standard (PCI DSS) compliance, a third-party service provider is an external person or company that provides a service or technology on your behalf (for example, Paya Inc, which is the payment processor).
Do organizations using third-party service providers have to be PCI DSS compliant?
Yes. Using a third-party service provider does not exclude a company from Payment Card Industry Data Security Standard (PCI DSS) compliance.
What security measures are in place for online payments?
There are several measures in place to ensure online payments are secure:
- You use a unique user name and password to log in to the secure customer portal
- We retain no bank account information on our servers
- Our payment processing partner (Paya) is PCI compliant
- Any potentially sensitive information is encrypted for security
- We use industry standard SSL encryption on our site