Demystifying PCI DSS Standard: myths and merchant responsibilities

If you accept credit cards, you’ll want to be familiar with PCI DSS – the Payment Card Industry Data Security Standard. It's important that you understand what this standard means.

As a merchant, you’re a target for fraud and data compromise. The PCI DSS exists to help you protect cardholders’ data.

You might have questions about the policies and procedures within the PCI DSS, including what they are and how to comply with them.

What is the PCI DSS?

The PCI DSS is a requirement for merchants, software developers and payment device manufacturers that aims to protect cardholder data and reduce credit card fraud.

What are the requirements?

There are 12 requirements that span the following six groups:

  • Build and maintain a secure network.
  • Protect cardholder data.
  • Maintain a vulnerability management program.
  • Implement strong access control measures.
  • Regularly monitor and test networks.
  • Maintain an information security policy.

What is the PCI SSC?

This refers to the PCI Security Standards Council – the organization that manages the PCI DSS.

The council's founding members are responsible for enforcing the PCI DSS. They are American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

How do I satisfy the PCI DSS?

According to the PCI SSC, there's a three-step process for you to follow:

Step 1: Assessment. Identifying cardholder data, taking an inventory of IT assets and business processes for payment card processing, and analyzing them for any vulnerabilities.

Step 2: Remediation. Fixing vulnerabilities and eliminating the storage of unprotected cardholder data.

Step 3: Reporting. Compiling and submitting required reports to the appropriate acquiring bank and card brands.

How do I know if my business is compliant?

There are a few ways to be sure your business is compliant.

The first is to engage a Qualified Security Assessor (QSA) or an Approved Scanning Vendor (ASV) to evaluate your procedures. These organizations can scan your systems for vulnerabilities.

The PCI SSC offers a list of approved vendors to help you get started.

Another option is to perform a self-evaluation to assess whether your business complies. The PCI SSC offers a self-assessment questionnaire to help you understand areas where your business is compliant, and where it might need additional support.

Do I have to validate that my business complies?

As a merchant that processes, stores or transmits cardholder data, you have to comply with the PCI DSS, but you may not have to formally validate that you comply.

Each credit card brand has specific rules about what "level" of merchants need to validate compliance. These levels are based on the number of annual transactions the merchant processes.

You can find more information on validation requirements with the following card brands:

What if my business doesn’t comply?

Your business isn't currently required by federal law to comply with the PCI DSS; however, some states have laws that refer to the standard or otherwise require merchants to protect cardholder data.

If your business doesn’t comply with the standard, it could face hefty fines from the major card brands and even be held liable if cardholder data is compromised.

If you still have questions about PCI DSS requirements, be sure to check out the council's PCI DSS Quick Reference Guide for more information.

Contact Comerica Merchant Services to learn more about PCI DSS compliance and secure payment processing at 888.591.5099.

© Comerica.