Payment Card Industry Data Security Standards FAQ

Here are the answers to some of the questions we hear most often about PCI Data Security Standards.

  1. Who is required to meet the PCI Data Security Standard?
  2. What are the PCI Data Security Standards?
  3. Who controls the PCI standards now?
  4. What do I need to do to meet the PCI standards?
  5. What does the McAfee® PCI Compliance service include?
  6. What are the new improvements in the McAfee® PCI Certification Service?
  7. What is the PCI Self-Assessment Questionnaire (SAQ) Wizard?
  8. What is the new PCI Dashboard for acquiring banks and payment processors?
  9. Who is McAfee?
  10. If McAfee is going to prepare my company's Visa PCI Compliance Report, why isn't McAfee on the PCI SSC Qualified Security Assessor List?
  11. What if the scan result shows that my site has vulnerabilities?
  12. Does McAfee provide customer support as part of its PCI certification?
  13. How do I sign up?
  14. What if I have already paid for compliance from another PCI security company?
  15. Where can I get more information about meeting the PCI standards?
  16. Where can I find references about the PCI requirements?

1. Who is required to meet the PCI Data Security Standard?
Any entity that accepts credit or debit card payments, or that collects, processes, stores or transmits cardholder data, must meet the PCI Data Security Standard regardless of its transaction volume. Failure to comply with the standard may result in substantial fines or permanent expulsion from card acceptance programs.

Acquiring banks (merchant banks) must also obtain certified proof of PCI compliance from their merchants. Acquirers are required to hold documented proof of compliance from these merchants, or they are liable to fines themselves. Many banks therefore require all merchants, regardless of transaction volume, to produce a Certification of PCI Compliance.


2. What are the PCI Data Security Standards?
The Payment Card Industry (PCI) Data Security Standard (PCI DSS) is a set of technical and operational security requirements initially developed jointly by Visa, MasterCard, American Express, Discover and JCB. It was created to establish a common minimum security baseline for protecting cardholders' account and transaction information.


3. Who controls the PCI standards now?
The standards are now managed and published by the PCI Security Standards Council (PCI SSC) as a single uniform standard with a single point of contact. PCI SSC also runs the certification program for Approved Scanning Vendors (ASVs), the companies qualified to perform the external vulnerability scans of your Internet-facing systems that the standard requires.


4. What do I need to do to meet the PCI standards?
For most merchants, validating compliance with the PCI standard comprises two basic steps:

  • Pass quarterly external vulnerability scans conducted by a PCI Approved Scanning Vendor (ASV) such as McAfee. Scans are required for every Internet-facing connection point in scope, whether an office network, a home/office connection (dial-up, DSL, cable or wireless) or a permanent Internet server such as your web site or email server.

  • Complete a Self-Assessment Questionnaire (SAQ). The SAQ asks specific questions about your internal security practices, both on your web site and in your office. There are several versions of the SAQ, and which one applies depends on how your business handles card data. McAfee provides an online wizard to help you identify the version you should use.

5. What does the McAfee® PCI Compliance service include?
The comprehensive and easy-to-use McAfee PCI Compliance service includes:

  • Access to the McAfee web-based Vulnerability Management Portal
  • Scheduled quarterly automated vulnerability scans
  • Unlimited on-demand manual scans to re-test systems whenever needed
  • Detailed instructions to patch vulnerabilities found during scans
  • Comprehensive PCI Self Assessment Questionnaire (SAQ) wizard
  • Online tutorials to help understand and prepare the SAQ

6. What are the new improvements in the McAfee® PCI Certification Service?
McAfee has improved the McAfee® PCI Certification Service to include a new comprehensive PCI SAQ wizard and the new PCI Dashboard for acquiring banks and payment processors. These new features are available to existing and new customers on paid plans as of November 2011.


7. What is the PCI Self-Assessment Questionnaire (SAQ) Wizard?
The PCI SAQ wizard is designed for Level 2, 3 and 4 merchants, to help them navigate all the steps needed to complete certification with confidence. The wizard explains each question, pre-fills answers based on the merchant's IT environment to save time, offers expert remediation advice for any issues found, and generates the completed paperwork the merchant submits to its acquiring bank.

The previous McAfee PCI Certification Service included a simple SAQ selection tool that allowed merchants to find the right version of the SAQ. The merchants would then need to fill out the questionnaire themselves.


8. What is the new PCI Dashboard for acquiring banks and payment processors?
The new PCI Dashboard for acquiring banks and payment processors provides a consolidated view of customer PCI SAQ audit status and reporting to major credit companies including Visa, MasterCard, and American Express for multiple merchants.

Previously, the McAfee PCI Dashboard provided compliance reporting for individual merchants only.


9. Who is McAfee?
McAfee is the world’s largest dedicated security technology company. McAfee offers ecommerce security auditing services, protecting and certifying websites around the world through its McAfee SECURE service for websites. McAfee is certified by PCI SSC to provide PCI compliance services.

Because McAfee is a PCI SSC-certified Approved Scanning Vendor, credit card companies and banks worldwide accept McAfee's Certification of PCI Compliance. Companies that want or need the specialized services of a PCI-certified QSA (Qualified Security Assessor) company can turn to McAfee Foundstone® services for in-depth analysis or remediation.


10. If McAfee is going to prepare my company's Visa PCI Compliance Report, why isn't McAfee on the PCI SSC Qualified Security Assessor List?
Most merchants do not require the services of a Qualified Security Assessor (QSA) or Visa CISP assessor. They can be certified compliant by completing a self-assessment questionnaire and passing network scans conducted by an Approved Scanning Vendor such as McAfee. For companies that want or need the specialized services of a QSA, McAfee provides PCI-certified QSA compliance services through Foundstone.

For merchants processing more than 6 million card transactions per year, and for payment processors of all levels, McAfee will provide a quote for an on-site CISP Level 1 compliance assessment performed by its Foundstone Consulting services.


11. What if the scan result shows that my site has vulnerabilities?
Instructions for correcting or patching any vulnerabilities found are available within your Vulnerability Management Portal, and you can share them directly with your web host or IT staff from your PCI Certification account. Under the PCI SSC ASV program a scan passes only when no vulnerability with a CVSS base score of 4.0 or higher remains on any in-scope host, so fix the findings and then run an on-demand re-scan from the portal to confirm a clean result. Online technical support is also available.


12. Does McAfee provide customer support as part of its PCI certification?
Customer support is available through the McAfee online portal, where you will find a variety of resources, including best-practice information, FAQs and online support request forms, to help you understand how to pass the security scans and complete the self-assessment questionnaire. McAfee-trained support personnel can also help you understand any vulnerabilities found on your systems.


13. How do I sign up?
Please call 877-302-9965 x 4 to request information on the McAfee PCI Certification service.


14. What if I have already paid for compliance from another PCI security company?
If you are already using another PCI security scanning service, you can easily switch to McAfee and save hundreds or thousands of dollars.


15. Where can I get more information about meeting the PCI standards?
More information, including complete step-by-step instructions for meeting the PCI requirements, is available within your McAfee account under the PCI tab.


16. Where can I find references about the PCI requirements?
PCI Security Standards Council:
http://www.pcissc.org

PCI SSC sets the PCI DSS standard, but each card brand has its own program for compliance, validation levels and enforcement. More information about compliance can be found at these links:

American Express:
www.americanexpress.com/datasecurity

Discover Financial Services:
www.discovernetwork.com/fraudsecurity/disc.html

MasterCard Worldwide:
www.mastercard.com/sdp

Visa Inc:
www.visa.com/cisp

Visa Europe:
www.visaeurope.com/ais