Merchant Resources

With a strong data security foundation you can protect your customer payment data and prevent data breaches that can put you out of business. A strong data security foundation starts with people, process and technology. Learn more about PCI resources and tools that can help you secure payment data.

Hire qualified and trusted partners and train your staff to understand payment data security essentials.

Put the right policies and practices in place to make payment security a priority every day.

Make sure you are using the right technology and implementing it correctly to get the best security and business benefits.

Threat Center

Criminals use malicious software to infiltrate a computer system and steal payment data. Ransomware is the fastest growing malware threat.

Phishing emails are a common delivery vehicle for malware. These emails look legitimate, such as an invoice or electronic fax, but they include malicious links and/or attachments that can infect your computer and system.

Criminals can gain access to your systems that store, process, or transmit payment data through weak remote access controls. Remote access may be used by your payment terminal vendors, for example, to provide support to your terminal or to provide a software update.

More than 80% of data breaches involve stolen and/or weak passwords (Verizon 2017 DBIR).

Criminals look for outdated software to exploit flaws in unpatched systems.

Criminals attach small hardware "skimming devices" to card readers which can sweep customer payment data when they use payment cards at your store. Criminals use the stolen data to create counterfeit cards and make illegal purchases.

Data Security Essentials Resources

These resources provide simple guidance on why and how to keep customer payment data safe. Start educating your small business customers and partners on payment security basics by downloading these resources now.

Guide to Safe Payments

Simple guidance for understanding the risk to small businesses, security basics to protect against payment data theft, and where to go for help. Also available in spiral-bound format; click here to order.

ASV Resource Guide

This new resource guide is intended for anyone with questions about ASV scans.

Common Payment Systems

Real-life visuals to help identify what type of payment system small businesses use, the kinds of risks associated with their system, and actions they can take to protect it.

Questions to Ask Your Vendors

A list of the common vendors small businesses rely on and specific questions to ask them to make sure they are protecting customer payment data.

Glossary of Payment and Information Security Terms

Easy-to-understand explanations of technical terms used in payment security.

Data Security Essentials Evaluation Tool

This online tool and accompanying evaluation forms provide a preliminary evaluation of a small merchant’s security posture.

PCI Firewall Basics

A one-page infographic on firewall configuration basics.

Videos and Infographics

Payment Data Security Essential: Strong Passwords

The use of weak and default passwords is one of the leading causes of payment data breaches for businesses. Watch this quick animated video to learn how businesses can minimize their chances of being breached by changing vendor default passwords to strong ones, and never sharing passwords.

Payment Data Security Essential: Secure Remote Access

Insecure remote access is one of the leading causes of payment data breaches for businesses. Watch this quick animated video to learn how businesses can minimize their chances of being breached by only allowing remote access when necessary and using multi-factor authentication.

Payment Data Security Essential: Patching

Unpatched software is one of the leading causes of payment data breaches for businesses. Watch this quick animated video to learn how businesses can minimize their chances of being breached by installing software patches quickly.

Co-Brand

Your customers trust you with their business. Show them you take their data protection just as seriously by co-branding the PCI Data Security Essentials for Small Merchants with your company logo.

  • Order 20+ generic spiral-bound books
  • Order 1,000+ customized spiral-bound books, co-branded with your company logo
  • Customize, co-brand the digital version with your company logo

For more information on co-branding or bulk orders, click here.

Recommended Training

  • Entry level option: PCI Awareness training is available online 24/7/365. Learn about the 12 PCI Requirements at your own pace to improve your security posture and reduce risk to cardholder data.
  • More advanced option: PCI Professional (PCIP) training is a self-paced eLearning course for those with a minimum of two years of IT experience. This course gives you tools to help build a secure payment environment and help your organization achieve PCI compliance. Earn a three-year renewable credential and get listed on the PCI website.
  • Additional educational resources: Check out PCI SSC payment security educational resources for infographics, videos, webinars and other useful tools for learning how to protect payment data.

Frequently Asked Questions

PCI DSS is a set of baseline technical and operational requirements designed to protect payment account data. It is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD), or could impact the security of CHD and/or SAD. This includes all entities involved in payment account processing.

Each of PCI SSC’s founding payment brand members (American Express, Discover, JCB International, MasterCard and Visa) currently has its own PCI compliance program for the protection of its affiliated payment card account data. Entities should contact the payment brands directly for information about their compliance programs. Contact details for the payment brands can be found in "How do I contact the payment card brands?"

Questions regarding compliance requirements for payment card account data affiliated with other payment networks or brands should be referred to the applicable payment network or brand.

PCI SSC also encourages entities to be aware of potential nuances in local laws and regulations that could affect applicability of the PCI standards.

Encryption of cardholder data with strong cryptography is an acceptable method of rendering the data unreadable according to PCI DSS Requirement 3.5.1. However, encryption alone is generally insufficient to render the cardholder data out of scope for PCI DSS and does not remove the need for PCI DSS in that environment. The entity’s environment is still in scope for PCI DSS due to the presence of cardholder data. For example, for a merchant card-present environment, there is physical access to the payment cards to complete a transaction and there may also be paper reports or receipts with cardholder data. Similarly, in merchant card-not-present environments, such as mail-order/telephone-order and e-commerce, payment card details are provided via channels that need to be evaluated and protected according to PCI DSS.

The following are each in scope for PCI DSS:

  • Systems performing encryption and/or decryption of cardholder data, and systems performing key management functions,
  • Encrypted cardholder data that is not isolated from the encryption, decryption, and key management processes,
  • Encrypted cardholder data that is present on a system or media that also contains the decryption key,
  • Encrypted cardholder data that is present in the same environment as the decryption key,
  • Encrypted cardholder data that is accessible to an entity that also has access to the decryption key.

Note: A PCI-listed P2PE solution can significantly reduce the number of PCI DSS requirements applicable to a merchant’s cardholder data environment. However, it does not completely remove the applicability of PCI DSS in the merchant environment.

Where a third party only receives and/or stores data encrypted by another entity, and where they do not have the ability to decrypt the data, the third party may be able to consider the encrypted data out of scope if certain conditions are met. For further guidance, refer to FAQ 1233: How does encrypted cardholder data impact PCI DSS scope for third-party service providers?

Additionally, for information about how a merchant may receive scope reduction through use of a validated P2PE solution, refer to FAQ 1158: What effect does the use of a PCI-listed P2PE solution have on a merchant’s PCI DSS validation?

PCI DSS Self-Assessment Questionnaires (SAQs) are validation tools for use by SAQ-eligible merchants and service providers to perform and report the results of their PCI DSS self-assessments. There are several different SAQs, developed for specific types of environments as defined in each SAQ’s eligibility criteria.

Refer to the following FAQs:

FAQ 1215: What is a PCI DSS Self-Assessment Questionnaire?

FAQ 1133: Why are there multiple PCI DSS Self-Assessment Questionnaires (SAQs)?

PCI DSS is intended for all entities involved in payment processing, including merchants, regardless of their size or transaction volume. When compared with larger merchants, small merchants often have simpler environments, with limited amounts of cardholder data and fewer systems that need protecting, which can help reduce their PCI DSS compliance effort.

Whether a small merchant is required to validate compliance is determined by the individual payment brands. For questions regarding compliance validation and reporting requirements, merchants should contact their acquirer (merchant bank) or payment brand they do business with, as applicable.