PCI Compliance Quiz
How much do you know about the Payment Card Industry Data Security Standard (PCI DSS) and what you, as a merchant, must do to become compliant? Take our PCI Compliance Quiz and find out.
What is the Payment Card Industry Data Security Standard (PCI DSS)?
- A) A standard set by the FBI to ensure the security of credit card transactions.
- B) A standard set by Visa to ensure the security of credit card transactions.
- C) A set of guidelines established by all major credit card companies to protect consumers, merchants and service providers from fraud and other security threats stemming from credit card transactions.
The correct answer is C): The PCI DSS is a set of guidelines established by all of the major credit card companies in 2004 to protect consumers, merchants and service providers from fraud, hacking and other security threats stemming from credit card transactions. Although the PCI DSS is written as a set of guidelines, in effect the guidelines are rules, because the card brands enforce them through their merchant agreements, along with some brand-specific requirements of their own. Merchants that do not comply can face fines of up to $500,000 per incident, or even lose the ability to accept credit cards.
How many requirements does the PCI DSS specify?
- A) 100
- B) 12
- C) 10
The correct answer is B): The PCI DSS specifies 12 requirements for compliance, organized under six categories:
Category 1: Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Category 2: Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Category 3: Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.
Category 4: Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.
Category 5: Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
Category 6: Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security.
Are e-commerce merchants required to comply with the PCI DSS?
- A) Yes, all e-commerce merchants must comply with the PCI DSS.
- B) Some are and some are not; it depends on their volume of business.
- C) No, e-commerce merchants need not comply with the PCI DSS; only retail (storefront) merchants must do so.
The correct answer is A): Yes, all e-commerce merchants must comply with the PCI DSS. In fact, every merchant and service provider that accepts credit cards must comply, whether it does business online via a website (e-commerce), at a storefront, or through wireless terminals. Transaction volume affects only how you validate compliance (for example, a self-assessment questionnaire versus an on-site assessment), not whether the rules apply to you: they apply to all.
PCIMerchant is equipped to help you become PCI compliant wherever and however you do business, but note that we specialize in helping e-commerce merchants meet the PCI DSS requirements.
What are the three key steps to becoming PCI compliant?
- A) Assess, Remediate and Report
- B) Take Inventory, Fix Problems, Tell the PCI Security Standards Council
- C) Stop, Look and Listen
The correct answer is A): The 12 requirements in the PCI DSS boil down to three key concepts, and these are also the steps to becoming compliant: Assess, Remediate and Report.
"Assess" means identifying where cardholder data lives in your environment, taking inventory of the IT assets and business processes involved in payment card processing, and analyzing them for vulnerabilities that could expose cardholder data. "Remediate" is the process of fixing those vulnerabilities, including eliminating any storage of cardholder data you do not actually need. "Report" means compiling the records the PCI DSS requires to validate that remediation worked, and submitting the required compliance reports to your acquiring (merchant) bank and the card payment brands you accept.
There’s a lot more involved, of course, but you don’t have to do it all yourself. Let PCIMerchant help—we’re the experts on PCI compliance.
NOTE: B) describes the same three steps in different words, with one correction: compliance reports go to your acquiring bank and the card brands, not to the PCI Security Standards Council. If you chose B), give yourself credit anyway.
Once I’m certified compliant, is that the end of things?
- A) Yes
- B) No
- C) It depends on transaction volume
Not surprisingly, the answer to that question is B): No, it is not the end of things. Compliance is validated on a recurring basis, typically annual validation plus, for merchants with Internet-facing systems, quarterly external vulnerability scans, so after you are certified compliant you must keep repeating the "Assess, Remediate and Report" cycle to maintain compliance. You also must stay vigilant, because technology keeps changing and attackers keep finding new ways to breach credit card security. You have to stay ahead of them.
