Get answers to common questions about PCI DSS compliance.
Who should comply?
- PCI DSS applies to all organizations that store, process or transmit cardholder data (CHD).
- All UBC Credit Card Merchants that store, process or transmit CHD as payments to the University and/or operate Point of Sale (POS) systems and devices must be in compliance with PCI DSS version 3.2.
- The security standards apply to all types of payments including card-present (face-to-face), mail, telephone, fax and card-not-present (online or ecommerce web transactions).
- PCI DSS compliance is required for any merchant that accepts credit card payments, even if only a single transaction is processed.
PCI Responsibilities of UBC Merchants
PCI DSS v.3.1 retired on October 31, 2016, and after that date all assessments must use v.3.2 (PCI SSC). You need to be PCI DSS v.3.2 compliant (starting February 1, 2018), and you need to renew your PCI compliance annually.
Each UBC merchant is responsible for ensuring and validating their own compliance at their own cost. Follow the process to validate compliance:
- Educate yourself about PCI DSS v.3.2 compliance.
- Comply with the applicable vulnerability scan requirements, such as internal scans, external scans, penetration testing, rogue access point inspection and POS device inspection.
- Comply with the required technical documentation, such as firewall configuration, network diagram and logging.
- Comply with the PCI annual and maintenance requirements, such as the PCI review/audit and the monitoring survey.
- Complete one SAQ for each process/system and have it signed by an authorized signatory and/or a QSA.
If you are required to perform quarterly scans of all externally accessible (internet-facing) IP addresses, the scans must be done by an Approved Scanning Vendor (ASV). Contact Raul Ramos or call 2-0259 to have your IP addresses scanned by an ASV company approved by the PCI Council to validate adherence to the PCI DSS scan requirements.
PCI DSS Self-assessment Questionnaire (SAQ)
- The PCI Data Security Standard Self-Assessment Questionnaire (SAQ) is a validation tool intended to assist merchants in self-evaluating their compliance with the PCI DSS.
- It is for merchants who are not required to undergo an on-site data security assessment.
- The SAQ consists of a series of questions answered Yes, No or Not Applicable. For every "No" answer, the merchant must state the planned remediation date and the associated actions.
There are eight (8) different SAQs; which one you use depends on how you process credit card transactions.
| SAQ | Description | # of questions |
|---|---|---|
| A | Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Not applicable to face-to-face channels. | 22 |
| A-EP | E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn't directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant's systems or premises. Applicable only to e-commerce channels. | 191 |
| B | Merchants using only: imprint machines with no electronic cardholder data storage; and/or standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels. | 41 |
| B-IP | Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels. | 86 |
| C-VT | Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels. | 83 |
| C | Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels. | 60 |
| D | All merchants not included in the descriptions for the above SAQ types. | 329 |
| P2PE-HW | Merchants using only hardware payment terminals that are included in and managed via a validated, PCI SSC-listed P2PE solution, with no electronic cardholder data storage. Not applicable to e-commerce channels. | |