PCI Frequently Asked Questions (FAQ)

The Payment Card Industry Security Standards Council (PCI SSC) is the regulating body established by the credit card brands to institute and enforce procedures which enhance the security of credit card transactions. All merchants and other organizations that transact business using credit cards are required to follow the procedures established by the PCI Council and verify the same. The overriding governing document of the Council is the PCI DSS (Data Security Standard).

Role of the PCI Security Standards Council (SSC)

The PCI Council provides tools to assist organizations in validating their compliance with the PCI Data Security Standard (PCI-DSS). It also trains and certifies professionals who aid merchants in securing their systems and becoming compliant.

The PCI Council establishes and maintains standards, but it does not enforce compliance. Enforcement is handled directly by the card brands or by merchant processors (acquiring banks and ISOs).

Specific requirements are set for organizations based on the volume of annual credit card transactions conducted. Every organization must document compliance annually and have any online payment systems scanned quarterly by an Approved Scanning Vendor (ASV).

More information on the PCI Security Standards Council and the security standard itself can be obtained from the Council’s website.

The Council offers several professional certifications for parties serving the industry.

Qualified Security Assessor (QSA)

QSAs, such as Aeris Secure, are on-site consultants that larger companies are required to use to assess their systems and procedures annually. A QSA will check policies, procedures, systems and configurations against every point of the PCI Data Security Standard to ensure that a company is compliant. It is the QSA that files the Report on Compliance (ROC) for the company. This requirement is in addition to the quarterly scan performed by the ASV. A ROC is similar to the Self-Assessment Questionnaire (SAQ) that smaller companies may use to report compliance, except a ROC is completed and validated by a third-party QSA.

Approved Scanning Vendor (ASV)

ASVs are companies certified as having systems and software compliant with PCI standards to scan your systems and report vulnerabilities and weaknesses which expose your company to a potential data breach. All those transacting business with credit cards are required to obtain this service from an ASV and have their systems scanned quarterly. Only an ASV can scan your system adequately and provide the necessary reporting required by the PCI Data Security Standard.

Payment Application Qualified Security Assessor (PA-QSA)

PA-QSAs are companies who’s employees have been qualified by the PCI Council to validate a software organization’s adherence to the Payment Application Data Security Standard (PA-DSS).

PCI Forensic Investigator (PFI)

PFIs are QSA companies recognized by the PCI Council as having personnel with the necessary background and skills to perform forensic investigation services that comply with PCI Standards.

Compliance Information

PCI Data Security Standard (PCI-DSS)

PCI Data Security Standard (PCI-DSS) is the overriding PCI document which provides a master guide for developing a security system that includes prevention, detection and response to security incidents. PCI-DSS is broken up into twelve areas. These areas cover a wide range of security issues, resulting in a solid baseline of security practices when the Standard is followed. The Standard is constantly changing. Every three years, the PCI Council issues a complete update, with minor changes and clarifications made in the in-between years as well.

Payment Application Data Security Standard (PA-DSS)

Payment Application Data Security Standard (PA-DSS) is the guide to help software vendors and other parties develop secure payment applications.

Self-Assessment Questionnaire (SAQ) and Report on compliance (ROC)

SAQ and ROC are the documents that organizations must complete annually to validate PCI compliance. SAQ is for smaller organizations and ROC is for larger firms and requires QSA validation. Your merchant processor will advise you which of the two you are required to complete.

PIN Transaction Security (PTS)

PTS is a single set of requirements to guide equipment vendors and manufacturers of personal identification number (PIN) terminals.


Call us at (214) 556-6613 or   CONTACT US