Clarification request.


tk1
07-12-2007, 09:58 AM
Hi All,

Your response would be highly appreciated to clarify the following:

1. Any payment card, including debit or pre-paid MasterCard, would fall into the scope of PCI DSS V1.1 (as long as the cardholder data, i.e. PAN, is stored, processed or transmitted).

2. If compliancy is being achieved with the PCI DSS V1.1, then no further validation needs to be obtained from any of the brand members, unless specifically asked for by the brand.

Thanks for your clarification.

TK1

lyalc
07-12-2007, 12:49 PM
1. Essentially, yes
2. Probably, but will vary based on the business services that are performed. For instance, a service provider that does PIN validation may also be asked to undertake a PIN audit (review of the PIN key handling and validation systems).

Also, the phrase "If compliancy is being achieved" sounds like you have not completed the steps to become compliant - and a Card Scheme may want some re-assurance that compliance activities are actually happening and have a realistic timeframe for completion. E.g. a timeline for completing compliance remediation work in 2012 is not going to be seen as acceptable, based on feedback I've received.

wconway
07-13-2007, 06:42 AM
1. Yes.
2. Let me separate "compliance" from the "validation" of your compliance. Validation varies a bit by merchant level, and you will need to complete a Self-Assessment Questionnaire and have (quarterly or annual) network scans. You submit these to your acquirer who certifies your compliance (for Visa and MasterCard). The bank card brands will normally only get involved in case of a breach. The key thing is to work with your acquirer. I doubt you'll ever hear from the associations.

Other thoughts... See if your acquirer offers merchant PCI training; many do. Based on your question, I'm assuming you might be a Level 4 merchant. If so, your acquirer decides if they want to actually see the SAQ and scan results (which still must be done). Again, while the standards apply to all, the validation has some variability depending on merchant level.

mdahn
07-14-2007, 07:08 PM
Just to reinforce what others have already stated:

1. Any card that carries the Visa, MasterCard, American Express, Discover, or JCB logo must be secured as per the PCI DSS requirements. If these card numbers are stored, processed, or transmitted they must be secured according to the PCI DSS.

2. lyalc was correct to also point out that you may have other compliance requirements such as PIN pad device issues, so check with your point of sale (POS) vendor to make sure they meet the card association requirements. As for PCI DSS compliance, wconway is correct to point out the difference between "compliance" and "validation":

a) Everyone that stores, processes, or transmits cardholder data must "comply" with the PCI DSS standard. This is like saying all students must do their homework.

b) Methods of validating to your acquirer that you are compliant will vary. Although all students must do their homework, there are different methods to confirm this has happened. You should always ask your acquirer/processor how you need to validate based on your Level category (defined by the card associations).

tk1
07-17-2007, 09:36 AM
Thanks everyone for the clarification.